1.1 Introduction

Cryptography has a long and fascinating history. The most complete non-technical account of the subject is Kahn's The Codebreakers. This book traces cryptography from its initial and limited use by the Egyptians some 4000 years ago, to the twentieth century where it played a crucial role in the outcome of both world wars. Completed in 1963, Kahn's book covers those aspects of the history which were most significant (up to that time) to the development of the subject. The predominant practitioners of the art were those associated with the military, the diplomatic service and government in general. Cryptography was used as a tool to protect national secrets and strategies.

The proliferation of computers and communications systems in the 1960s brought with it a demand from the private sector for means to protect information in digital form and to provide security services. Beginning with the work of Feistel at IBM in the early 1970s and culminating in 1977 with the adoption as a U.S. Federal Information Processing Standard for encrypting unclassified information, DES, the Data Encryption Standard, is the most well-known cryptographic mechanism in history. It remains the standard means for securing electronic commerce for many financial institutions around the world.

The most striking development in the history of cryptography came in 1976 when Diffie and Hellman published New Directions in Cryptography. This paper introduced the revolutionary concept of public-key cryptography and also provided a new and ingenious method for key exchange, the security of which is based on the intractability of the discrete logarithm problem. Although the authors had no practical realization of a public-key encryption scheme at the time, the idea was clear and it generated extensive interest and activity in the cryptographic community. In 1978 Rivest, Shamir, and Adleman discovered the first practical public-key encryption and signature scheme, now referred to as RSA. The RSA scheme is based on another hard mathematical problem, the intractability of factoring large integers. This application of a hard mathematical problem to cryptography revitalized efforts to find more efficient methods to factor. The 1980s saw major advances in this area but none which rendered the RSA system insecure. Another class of powerful and practical public-key schemes was found by ElGamal in 1985. These are also based on the discrete logarithm problem.

One of the most significant contributions provided by public-key cryptography is the digital signature. In 1991 the first international standard for digital signatures (ISO/IEC 9796) was adopted. It is based on the RSA public-key scheme. In 1994 the U.S. Government adopted the Digital Signature Standard, a mechanism based on the ElGamal public-key scheme.

The search for new public-key schemes, improvements to existing cryptographic mechanisms, and proofs of security continues at a rapid pace. Various standards and infrastructures involving cryptography are being put in place. Security products are being developed to address the security needs of an information intensive society.

The purpose of this book is to give an up-to-date treatise of the principles, techniques, and algorithms of interest in cryptographic practice. Emphasis has been placed on those aspects which are most practical and applied. The reader will be made aware of the basic issues and pointed to specific related research in the literature where more in-depth discussions can be found. Due to the volume of material which is covered, most results will be stated without proofs. This also serves the purpose of not obscuring the very applied nature of the subject. This book is intended for both implementers and researchers. It describes algorithms, systems, and their interactions.

Chapter 1 is a tutorial on the many and various aspects of cryptography. It does not attempt to convey all of the details and subtleties inherent to the subject. Its purpose is to introduce the basic issues and principles and to point the reader to appropriate chapters in the book for more comprehensive treatments. Specific techniques are avoided in this chapter.


1.2 Information security and cryptography

The concept of information will be taken to be an understood quantity. To introduce cryptography, an understanding of issues related to information security in general is necessary. Information security manifests itself in many ways according to the situation and requirement. Regardless of who is involved, to one degree or another, all parties to a transaction must have confidence that certain objectives associated with information security have been met. Some of these objectives are listed in Table 1.1.

Over the centuries, an elaborate set of protocols and mechanisms has been created to deal with information security issues when the information is conveyed by physical documents. Often the objectives of information security cannot be achieved through mathematical algorithms and protocols alone, but require procedural techniques and abidance of laws to achieve the desired result. For example, privacy of letters is provided by sealed envelopes delivered by an accepted mail service. The physical security of the envelope is, for practical necessity, limited and so laws are enacted which make it a criminal offense to open mail for which one is not authorized. It is sometimes the case that security is achieved not through the information itself but through the physical document recording it. For example, paper currency requires special inks and material to prevent counterfeiting.

Table 1.1: Some information security objectives.

  privacy or confidentiality                keeping information secret from all but those who are authorized to see it.
  data integrity                            ensuring information has not been altered by unauthorized or unknown means.
  entity authentication or identification   corroboration of the identity of an entity (e.g., a person, a computer terminal, a credit card, etc.).
  message authentication                    corroborating the source of information; also known as data origin authentication.
  signature                                 a means to bind information to an entity.
  authorization                             conveyance, to another entity, of official sanction to do or be something.
  validation                                a means to provide timeliness of authorization to use or manipulate information or resources.
  access control                            restricting access to resources to privileged entities.
  certification                             endorsement of information by a trusted entity.
  timestamping                              recording the time of creation or existence of information.
  witnessing                                verifying the creation or existence of information by an entity other than the creator.
  receipt                                   acknowledgement that information has been received.
  confirmation                              acknowledgement that services have been provided.
  ownership                                 a means to provide an entity with the legal right to use or transfer a resource to others.
  anonymity                                 concealing the identity of an entity involved in some process.
  non-repudiation                           preventing the denial of previous commitments or actions.
  revocation                                retraction of certification or authorization.

Conceptually, the way information is recorded has not changed dramatically over time. Whereas information was typically stored and transmitted on paper, much of it now resides on magnetic media and is transmitted via telecommunications systems, some wireless. What has changed dramatically is the ability to copy and alter information. One can make thousands of identical copies of a piece of information stored electronically and each is indistinguishable from the original. With information on paper, this is much more difficult. What is needed then for a society where information is mostly stored and transmitted in electronic form is a means to ensure information security which is independent of the physical medium recording or conveying it and such that the objectives of information security rely solely on digital information itself.

One of the fundamental tools used in information security is the signature. It is a building block for many other services such as non-repudiation, data origin authentication, identification, and witnessing, to mention a few. Having learned the basics in writing, an individual is taught how to produce a handwritten signature for the purpose of identification. At contract age the signature evolves to take on a very integral part of the person's identity. This signature is intended to be unique to the individual and serve as a means to identify, authorize, and validate. With electronic information the concept of a signature needs to be redressed; it cannot simply be something unique to the signer and independent of the information signed. Electronic replication of it is so simple that appending a signature to a document not signed by the originator of the signature is almost a triviality.

Analogues of the "paper protocols" currently in use are required. Hopefully these new electronic based protocols are at least as good as those they replace. There is a unique opportunity for society to introduce new and more efficient ways of ensuring information security. Much can be learned from the evolution of the paper based system, mimicking those aspects which have served us well and removing the inefficiencies.

Achieving information security in an electronic society requires a vast array of technical and legal skills. There is, however, no guarantee that all of the information security objectives deemed necessary can be adequately met. The technical means is provided through cryptography.

1.1 Definition Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication.

Cryptography is not the only means of providing information security, but rather one set of techniques.

Cryptographic goals

Of all the information security objectives listed in Table 1.1, the following four form a framework upon which the others will be derived: (1) privacy or confidentiality (§1.5, §1.8); (2) data integrity (§1.9); (3) authentication (§1.7); and (4) non-repudiation (§1.6).

1. Confidentiality is a service used to keep the content of information from all but those authorized to have it. Secrecy is a term synonymous with confidentiality and privacy. There are numerous approaches to providing confidentiality, ranging from physical protection to mathematical algorithms which render data unintelligible.

2. Data integrity is a service which addresses the unauthorized alteration of data. To assure data integrity, one must have the ability to detect data manipulation by unauthorized parties. Data manipulation includes such things as insertion, deletion, and substitution.

3. Authentication is a service related to identification. This function applies to both entities and information itself. Two parties entering into a communication should identify each other. Information delivered over a channel should be authenticated as to origin, date of origin, data content, time sent, etc. For these reasons this aspect of cryptography is usually subdivided into two major classes: entity authentication and data origin authentication. Data origin authentication implicitly provides data integrity (for if a message is modified, the source has changed).

4. Non-repudiation is a service which prevents an entity from denying previous commitments or actions. When disputes arise due to an entity denying that certain actions were taken, a means to resolve the situation is necessary. For example, one entity may authorize the purchase of property by another entity and later deny such authorization was granted. A procedure involving a trusted third party is needed to resolve the dispute.

A fundamental goal of cryptography is to adequately address these four areas in both theory and practice. Cryptography is about the prevention and detection of cheating and other malicious activities.

This book describes a number of basic cryptographic tools (primitives) used to provide information security. Examples of primitives include encryption schemes (§1.5 and §1.8), hash functions (§1.9), and digital signature schemes (§1.6). Figure 1.1 provides a schematic listing of the primitives considered and how they relate. Many of these will be briefly introduced in this chapter, with detailed discussion left to later chapters. These primitives should be evaluated with respect to various criteria such as:

1. level of security. This is usually difficult to quantify. Often it is given in terms of the number of operations required (using the best methods currently known) to defeat the intended objective. Typically the level of security is defined by an upper bound on the amount of work necessary to defeat the objective. This is sometimes called the work factor (see §1.13.4).

2. functionality. Primitives will need to be combined to meet various information security objectives. Which primitives are most effective for a given objective will be determined by the basic properties of the primitives.

3. methods of operation. Primitives, when applied in various ways and with various inputs, will typically exhibit different characteristics; thus, one primitive could provide very different functionality depending on its mode of operation or usage.

4. performance. This refers to the efficiency of a primitive in a particular mode of operation. (For example, an encryption algorithm may be rated by the number of bits per second which it can encrypt.)

5. ease of implementation. This refers to the difficulty of realizing the primitive in a practical instantiation. This might include the complexity of implementing the primitive in either a software or hardware environment.

Figure 1.1: A taxonomy of cryptographic primitives.

The relative importance of various criteria is very much dependent on the application and resources available. For example, in an environment where computing power is limited one may have to trade off a very high level of security for better performance of the system as a whole.

Cryptography, over the ages, has been an art practised by many who have devised ad hoc techniques to meet some of the information security requirements. The last twenty years have been a period of transition as the discipline moved from an art to a science. There are now several international scientific conferences devoted exclusively to cryptography and also an international scientific organization, the International Association for Cryptologic Research (IACR), aimed at fostering research in the area.

This book is about cryptography: the theory, the practice, and the standards.


1.3 Background on functions

While this book is not a treatise on abstract mathematics, a familiarity with basic mathematical concepts will prove to be useful. One concept which is absolutely fundamental to cryptography is that of a function in the mathematical sense. A function is alternately referred to as a mapping or a transformation.

1.3.1 Functions (1-1, one-way, trapdoor one-way)

A set consists of distinct objects which are called elements of the set. For example, a set X might consist of the elements a, b, c, and this is denoted X = {a, b, c}.

1.2 Definition A function is defined by two sets X and Y and a rule f which assigns to each element in X precisely one element in Y. The set X is called the domain of the function and Y the codomain. If x is an element of X (usually written x ∈ X) the image of x is the element in Y which the rule f associates with x; the image y of x is denoted by y = f(x). Standard notation for a function f from set X to set Y is f: X → Y. If y ∈ Y, then a preimage of y is an element x ∈ X for which f(x) = y. The set of all elements in Y which have at least one preimage is called the image of f, denoted Im(f).

1.3 Example (function) Consider the sets X = {a, b, c}, Y = {1, 2, 3, 4}, and the rule f from X to Y defined as f(a) = 2, f(b) = 4, f(c) = 1. Figure 1.2 shows a schematic of the sets X, Y and the function f. The preimage of the element 2 is a. The image of f is {1, 2, 4}. □

Thinking of a function in terms of the schematic (sometimes called a functional diagram) given in Figure 1.2, each element in the domain X has precisely one arrowed line originating from it. Each element in the codomain Y can have any number of arrowed lines incident to it (including zero lines).

Figure 1.2: A function f from a set X of three elements to a set Y of four elements.

Often only the domain X and the rule f are given and the codomain is assumed to be the image of f. This point is illustrated with two examples.

1.4 Example (function) Take X = {1, 2, 3, ..., 10} and let f be the rule that for each x ∈ X, f(x) = r_x, where r_x is the remainder when x^2 is divided by 11. Explicitly then

    f(1) = 1   f(2) = 4   f(3) = 9   f(4) = 5   f(5) = 3
    f(6) = 3   f(7) = 5   f(8) = 9   f(9) = 4   f(10) = 1.

The image of f is the set Y = {1, 3, 4, 5, 9}. □

1.5 Example (function) Take X = {1, 2, 3, ..., 10^50} and let f be the rule f(x) = r_x, where r_x is the remainder when x^2 is divided by 10^50 + 1 for all x ∈ X. Here it is not feasible to write down f explicitly as in Example 1.4, but nonetheless the function is completely specified by the domain and the mathematical description of the rule f. □

(i) 1-1 functions

1.6 Definition A function (or transformation) is 1-1 (one-to-one) if each element in the codomain Y is the image of at most one element in the domain X.

1.7 Definition A function (or transformation) is onto if each element in the codomain Y is the image of at least one element in the domain. Equivalently, a function f: X → Y is onto if Im(f) = Y.

1.8 Definition If a function f: X → Y is 1-1 and Im(f) = Y, then f is called a bijection.

1.9 Fact If f: X → Y is 1-1 then f: X → Im(f) is a bijection. In particular, if f: X → Y is 1-1, and X and Y are finite sets of the same size, then f is a bijection.

In terms of the schematic representation, if f is a bijection, then each element in Y has exactly one arrowed line incident with it. The functions described in Examples 1.3 and 1.4 are not bijections. In Example 1.3 the element 3 is not the image of any element in the domain. In Example 1.4 each element in the codomain has two preimages.

1.10 Definition If f is a bijection from X to Y then it is a simple matter to define a bijection g from Y to X as follows: for each y ∈ Y define g(y) = x where x ∈ X and f(x) = y. This function g obtained from f is called the inverse function of f and is denoted by g = f^-1.

1.11 Example (inverse function) Let X = {a, b, c, d, e}, and Y = {1, 2, 3, 4, 5}, and consider the rule f given by the arrowed edges in Figure 1.3. f is a bijection and its inverse g is formed simply by reversing the arrows on the edges. The domain of g is Y and the codomain is X. □

Note that if f is a bijection, then so is f^-1. In cryptography bijections are used as the tool for encrypting messages and the inverse transformations are used to decrypt. This will be made clearer in §1.4 when some basic terminology is introduced. Notice that if the transformations were not bijections then it would not be possible to always decrypt to a unique message.
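As an added example (not from the Handbook), the definitions above carried out on finite functions stored as Python dicts, using the data of Examples 1.3 and 1.4; the last helper makes the point of the preceding paragraph concrete, that only a bijection maps every "ciphertext" back to exactly one "plaintext". All helper names are this example's own.

```python
# Added example, not from the Handbook: Definitions 1.2-1.10 checked on finite
# functions stored as dicts {x: f(x)}, using the data of Examples 1.3 and 1.4.
# All helper names here are this example's own.

def image(f):
    """Im(f): the codomain elements that have at least one preimage."""
    return set(f.values())

def preimages(f, y):
    """Every x in the domain with f(x) = y (empty if y has no preimage)."""
    return {x for x, fx in f.items() if fx == y}

def is_one_to_one(f):
    """Definition 1.6: no codomain element is the image of two domain elements."""
    return len(set(f.values())) == len(f)

def is_onto(f, codomain):
    """Definition 1.7: Im(f) = Y."""
    return image(f) == set(codomain)

def is_bijection(f, codomain):
    """Definition 1.8: 1-1 and onto."""
    return is_one_to_one(f) and is_onto(f, codomain)

def inverse(f, codomain):
    """Definition 1.10: g(y) = the unique x with f(x) = y; only for bijections."""
    if not is_bijection(f, codomain):
        raise ValueError("only a bijection has an inverse function")
    return {y: x for x, y in f.items()}

def unique_decryption_possible(f, codomain):
    """The point made after Example 1.11: only when every y has exactly one
    preimage can a 'ciphertext' y be mapped back to a single 'plaintext' x."""
    return all(len(preimages(f, y)) == 1 for y in codomain)

# Example 1.3: X = {a, b, c}, Y = {1, 2, 3, 4}, f(a) = 2, f(b) = 4, f(c) = 1.
F13 = {"a": 2, "b": 4, "c": 1}
Y13 = {1, 2, 3, 4}

# Example 1.4: X = {1, ..., 10}, f(x) = remainder of x^2 on division by 11;
# the codomain is taken to be Im(f), as the text does.
F14 = {x: (x * x) % 11 for x in range(1, 11)}

if __name__ == "__main__":
    print("Im(f) for Example 1.4:", sorted(image(F14)))
    print("preimages of 9 in Example 1.4:", preimages(F14, 9))
    # Fact 1.9: the 1-1 function of Example 1.3 is a bijection onto Im(f).
    print("Example 1.3 onto its image is a bijection:", is_bijection(F13, image(F13)))
    print("inverse of Example 1.3 onto its image:", inverse(F13, image(F13)))
```

Running the block shows Example 1.4 failing the 1-1 test (every image has two preimages, e.g. 3 and 8 both square to 9 mod 11) while Example 1.3, restricted to its image as Fact 1.9 allows, has a well-defined inverse.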

(ii) One-way functions

There are certain types of functions which play significant roles in cryptography. At the expense of rigor, an intuitive definition of a one-way function is given.

1.12 Definition A function f from a set X to a set Y is called a one-way function if f(x) is "easy" to compute for all x ∈ X but for "essentially all" elements y ∈ Im(f) it is "computationally infeasible" to find any x ∈ X such that f(x) = y.

1.13 Note (clarification of terms in Definition 1.12)

(i) A rigorous definition of the terms "easy" and "computationally infeasible" is necessary but would detract from the simple idea that is being conveyed. For the purpose of this chapter, the intuitive meaning will suffice.

(ii) The phrase "for essentially all elements in Y" refers to the fact that there are a few values y ∈ Y for which it is easy to find an x ∈ X such that y = f(x). For example, one may compute y = f(x) for a small number of x values and then for these, the inverse is known by table look-up. An alternate way to describe this property of a one-way function is the following: for a random y ∈ Im(f) it is computationally infeasible to find any x ∈ X such that f(x) = y.

The concept of a one-way function is illustrated through the following examples.

1.14 Example (one-way function) Take X = {1, 2, 3, ..., 16} and define f(x) = r_x for all x ∈ X where r_x is the remainder when 3^x is divided by 17. Explicitly,

       x  |  1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16
    f(x)  |  3   9  10  13   5  15  11  16  14   8   7   4  12   2   6   1

Given a number between 1 and 16, it is relatively easy to find the image of it under f. However, given a number such as 7, without having the table in front of you, it is harder to find x given that f(x) = 7. Of course, if the number you are given is 3 then it is clear that x = 1 is what you need; but for most of the elements in the codomain it is not that easy. □

One must keep in mind that this is an example which uses very small numbers; the important point here is that there is a difference in the amount of work to compute f(x) and the amount of work to find x given f(x). Even for very large numbers, f(x) can be computed efficiently using the repeated square-and-multiply algorithm (Algorithm 2.143), whereas the process of finding x from f(x) is much harder.

1.15 Example (one-way function) A prime number is a positive integer greater than 1 whose only positive integer divisors are 1 and itself. Select primes p = 48611, q = 53993, form n = pq = 2624653723, and let X = {1, 2, 3, ..., n - 1}. Define a function f on X by f(x) = r_x for each x ∈ X, where r_x is the remainder when x^3 is divided by n. For instance, f(2489991) = 1981394214 since 2489991^3 = 5881949859 · n + 1981394214. Computing f(x) is a relatively simple thing to do, but to reverse the procedure is much more difficult; that is, given a remainder to find the value x which was originally cubed (raised to the third power). This procedure is referred to as the computation of a modular cube root with modulus n. If the factors of n are unknown and large, this is a difficult problem; however, if the factors p and q of n are known then there is an efficient algorithm for computing modular cube roots. (See §8.2.2(i) for details.) □

Example 1.15 leads one to consider another type of function which will prove to be fundamental in later developments.

(iii) Trapdoor one-way functions

1.16 Definition A trapdoor one-way function is a one-way function f: X → Y with the additional property that given some extra information (called the trapdoor information) it becomes feasible to find for any given y ∈ Im(f), an x ∈ X such that f(x) = y.

Example 1.15 illustrates the concept of a trapdoor one-way function. With the additional information of the factors of n = 2624653723 (namely, p = 48611 and q = 53993, each of which is five decimal digits long) it becomes much easier to invert the function. The factors of 2624653723 are large enough that finding them by hand computation would be difficult. Of course, any reasonable computer program could find the factors relatively quickly. If, on the other hand, one selects p and q to be very large distinct prime numbers (each having about 100 decimal digits) then, by today's standards, it is a difficult problem, even with the most powerful computers, to deduce p and q simply from n. This is the well-known integer factorization problem (see §3.2) and a source of many trapdoor one-way functions.

It remains to be rigorously established whether there actually are any (true) one-way functions. That is to say, no one has yet definitively proved the existence of such functions under reasonable (and rigorous) definitions of "easy" and "computationally infeasible". Since the existence of one-way functions is still unknown, the existence of trapdoor one-way functions is also unknown. However, there are a number of good candidates for one-way and trapdoor one-way functions. Many of these are discussed in this book, with emphasis given to those which are practical.

One-way and trapdoor one-way functions are the basis for public-key cryptography (discussed in §1.8). The importance of these concepts will become clearer when their application to cryptographic techniques is considered. It will be worthwhile to keep the abstract concepts of this section in mind as concrete methods are presented.
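As an added example (not from the Handbook), Examples 1.14, 1.15 and Definition 1.16 in running code, using the numbers printed in the text: the forward direction of both functions is a single modular exponentiation, inversion of Example 1.14 is done by exhaustive search (no trapdoor is known for it), and the modular cube root of Example 1.15 is recovered with the trapdoor p, q via an RSA-style decryption exponent, the method §8.2.2(i) is cited for. The function names, the search cap and the "by search" routine are this example's own.

```python
# Added example, not from the Handbook: the one-way function of Example 1.14
# (f(x) = 3^x mod 17) and the trapdoor one-way function of Examples 1.15/1.16
# (f(x) = x^3 mod n, n = pq), with the text's numbers. Helper names and the
# search cap are this example's own choices.
from math import gcd

def f_exp17(x):
    """Example 1.14: the forward direction is cheap (pow does square-and-multiply)."""
    return pow(3, x, 17)

def invert_exp17_by_search(y):
    """No trapdoor is known for Example 1.14, so inversion here is exhaustive
    search over X = {1, ..., 16}. Returns (x, evaluations used). The search
    cost grows with |X|; the forward pow() call does not."""
    for evaluations, x in enumerate(range(1, 17), start=1):
        if f_exp17(x) == y:
            return x, evaluations
    raise ValueError("y is not in Im(f)")

# Example 1.15: p = 48611, q = 53993, n = pq = 2624653723.
P, Q = 48611, 53993
N = P * Q

def f_cube(x, n=N):
    """f(x) = remainder of x^3 on division by n."""
    return pow(x, 3, n)

def cube_root_with_trapdoor(y, p, q):
    """Definition 1.16: with the trapdoor (p, q) known, set d = 3^-1 mod (p-1)(q-1)
    and return y^d mod n. Because 3d = 1 (mod (p-1)(q-1)) and n = pq is squarefree,
    (x^3)^d = x (mod n) for every x, so this undoes f_cube. Needs
    gcd(3, (p-1)(q-1)) = 1, i.e. 3 divides neither p-1 nor q-1 (cf. Example 1.19)."""
    phi = (p - 1) * (q - 1)
    if gcd(3, phi) != 1:
        raise ValueError("3 is not invertible modulo (p-1)(q-1)")
    d = pow(3, -1, phi)            # modular inverse (Python 3.8+)
    return pow(y, d, p * q)

def cube_root_by_search(y, n=N, limit=100_000):
    """Without the trapdoor: try x = 1, 2, ... up to `limit` (a constructed cap
    so the demo finishes quickly). Returns x if found, else None. Even for this
    tiny n the full search may need n-1 trials; for 100-digit p and q it is
    hopeless, which is the point of the section."""
    for x in range(1, limit + 1):
        if pow(x, 3, n) == y:
            return x
    return None

if __name__ == "__main__":
    print("Example 1.14 table:", [f_exp17(x) for x in range(1, 17)])
    print("f(x) = 7 in Example 1.14 has x =", invert_exp17_by_search(7))
    y = f_cube(2489991)
    print("f(2489991) =", y)
    print("cube root with trapdoor:", cube_root_with_trapdoor(y, P, Q))
    print("cube root by capped search:", cube_root_by_search(y))
```

The capped search returns None for the text's value because the only cube root of 1981394214 modulo n is 2489991, beyond the cap, while the trapdoor route needs one modular inverse and one exponentiation regardless of the size of n.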
1.3.2 Permutations

Permutations are functions which are often used in various cryptographic constructs.

1.17 Definition Let S be a finite set of elements. A permutation p on S is a bijection (Definition 1.8) from S to itself (i.e., p: S → S).

1.18 Example (permutation) Let S = {1, 2, 3, 4, 5}. A permutation p: S → S is defined as follows:

    p(1) = 3,  p(2) = 5,  p(3) = 4,  p(4) = 2,  p(5) = 1.

A permutation can be described in various ways. It can be displayed as above or as an array:

    ( 1 2 3 4 5 )
    ( 3 5 4 2 1 ),                                          (1.1)

where the top row in the array is the domain and the bottom row is the image under the mapping p. Of course, other representations are possible. □

Since permutations are bijections, they have inverses. If a permutation is written as an array (see 1.1), its inverse is easily found by interchanging the rows in the array and reordering the elements in the new top row if desired (the bottom row would have to be reordered correspondingly). The inverse of p in Example 1.18 is

    p^-1 = ( 1 2 3 4 5 )
           ( 5 4 1 3 2 ).

1.19 Example (permutation) Let X be the set of integers {0, 1, 2, ..., pq - 1} where p and q are distinct large primes (for example, p and q are each about 100 decimal digits long), and suppose that neither p - 1 nor q - 1 is divisible by 3. Then the function p(x) = r_x, where r_x is the remainder when x^3 is divided by pq, can be shown to be a permutation. Determining the inverse permutation is computationally infeasible by today's standards unless p and q are known (cf. Example 1.15). □

1.3.3 Involutions

Another type of function which will be referred to in §1.5.3 is an involution. Involutions have the property that they are their own inverses.

1.20 Definition Let S be a finite set and let f be a bijection from S to S (i.e., f: S → S). The function f is called an involution if f = f^-1. An equivalent way of stating this is f(f(x)) = x for all x ∈ S.

1.21 Example (involution) Figure 1.4 is an example of an involution. In the diagram of an involution, note that if j is the image of i then i is the image of j. □

Figure 1.4: An involution on a set S of 5 elements.
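As an added example (not from the Handbook) covering both §1.3.2 and §1.3.3: the permutation of Example 1.18 in the two-row array form of (1.1), its inverse obtained by interchanging the rows, composition, the involution test of Definition 1.20 on a constructed involution (Figure 1.4 is not reproduced in the text, so the pairing used here is this example's own), and the cube map of Example 1.19 checked on small constructed primes, where the full table can be enumerated. Helper names are this example's own.

```python
# Added example, not from the Handbook: permutations in the two-row array form
# of equation (1.1), inverses by interchanging the rows, composition, the
# involution test of Definition 1.20, and the cube-map permutation of
# Example 1.19 on small constructed primes. Helper names are this example's own.

def perm_from_rows(top, bottom):
    """Read p off the array: top row is the domain, bottom row the images."""
    if sorted(top) != sorted(bottom):
        raise ValueError("the bottom row must be a rearrangement of the top row")
    return dict(zip(top, bottom))

def inverse_perm(p):
    """Interchange the two rows of the array."""
    return {y: x for x, y in p.items()}

def compose(p, q):
    """(p o q)(x) = p(q(x)); a permutation whenever p and q are."""
    return {x: p[q[x]] for x in q}

def identity(s):
    return {x: x for x in s}

def is_involution(p):
    """Definition 1.20: p(p(x)) = x for all x, i.e. p equals its own inverse."""
    return all(p[p[x]] == x for x in p)

def is_permutation(rule, s):
    """Definition 1.17: the rule maps S onto S with no image repeated."""
    images = [rule(x) for x in s]
    return set(images) == set(s) and len(set(images)) == len(s)

def cube_map_is_permutation(p, q):
    """Example 1.19 on small primes: x -> x^3 mod pq on {0, ..., pq-1}.
    The text gives the 'if' direction (3 divides neither p-1 nor q-1); the
    converse also holds, so the failing case below is a genuine non-permutation."""
    n = p * q
    return is_permutation(lambda x: pow(x, 3, n), range(n))

# Example 1.18 / (1.1): p = (1 2 3 4 5 ; 3 5 4 2 1).
P18 = perm_from_rows([1, 2, 3, 4, 5], [3, 5, 4, 2, 1])

# Constructed involution on {1, ..., 5}: swaps 1<->2 and 3<->4, fixes 5.
INV = {1: 2, 2: 1, 3: 4, 4: 3, 5: 5}

if __name__ == "__main__":
    print("p^-1 =", inverse_perm(P18))
    print("p o p^-1 is the identity:",
          compose(P18, inverse_perm(P18)) == identity(range(1, 6)))
    print("p is an involution:", is_involution(P18), "| INV is:", is_involution(INV))
    print("x^3 mod 55 (p=5, q=11) is a permutation:", cube_map_is_permutation(5, 11))
    print("x^3 mod 77 (p=7, q=11) is a permutation:", cube_map_is_permutation(7, 11))
```

For p = 5, q = 11 neither p - 1 = 4 nor q - 1 = 10 is divisible by 3 and cubing permutes {0, ..., 54}; for p = 7 the condition fails (3 divides 6) and cubing collides modulo 7, hence modulo 77.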


1.4 Basic terminology and concepts

The scientific study of any discipline must be built upon rigorous definitions arising from fundamental concepts. What follows is a list of terms and basic concepts used throughout this book. Where appropriate, rigor has been sacrificed (here in Chapter 1) for the sake of clarity.

Encryption domains and codomains

• A denotes a finite set called the alphabet of definition. For example, A = {0, 1}, the binary alphabet, is a frequently used alphabet of definition. Note that any alphabet can be encoded in terms of the binary alphabet. For example, since there are 32 binary strings of length five, each letter of the English alphabet can be assigned a unique binary string of length five.

• M denotes a set called the message space. M consists of strings of symbols from an alphabet of definition. An element of M is called a plaintext message or simply a plaintext. For example, M may consist of binary strings, English text, computer code, etc.

• C denotes a set called the ciphertext space. C consists of strings of symbols from an alphabet of definition, which may differ from the alphabet of definition for M. An element of C is called a ciphertext.

Encryption and decryption transformations

• K denotes a set called the key space. An element of K is called a key.

• Each element e ∈ K uniquely determines a bijection from M to C, denoted by E_e. E_e is called an encryption function or an encryption transformation. Note that E_e must be a bijection if the process is to be reversed and a unique plaintext message recovered for each distinct ciphertext.[1]

• For each d ∈ K, D_d denotes a bijection from C to M (i.e., D_d: C → M). D_d is called a decryption function or decryption transformation.

• The process of applying the transformation E_e to a message m ∈ M is usually referred to as encrypting m or the encryption of m.

• The process of applying the transformation D_d to a ciphertext c is usually referred to as decrypting c or the decryption of c.

1More  generality  is  obtained  if  Ee  is  simply  defined  as  a 1 — 1 transformation  from  AA  to  C.  That  is  to  say. 
Ee  is  a bijection  from  ,VI  to  Im (Ee)  where  Im (Ee)  is  a subset  of  C. 
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• An  encryption  scheme  consists  of  a set  {Ee  : e E 1C]  of  encryption  transformations 
and  a corresponding  set  {Dd : d E 1C}  of  decryption  transformations  with  the  prop- 
erty that  for  each  e £ K,  there  is  a unique  key  d E K,  such  that  Dd  = Ec  that  is, 
Dd(Ee(m))  = m for  all  m E Ad.  An  encryption  scheme  is  sometimes  referred  to 
as  a cipher. 

• The  keys  e and  d in  the  preceding  definition  are  referred  to  as  a key  pair  and  some- 
times denoted  by  (e,  d).  Note  that  e and  d could  be  the  same. 

• To  construct  an  encryption  scheme  requires  one  to  select  a message  space  Ad,  a ci- 
phertext space  C,  a key  space  1C,  a set  of  encryption  transformations  {E,  : e e /C}, 
and  a corresponding  set  of  decryption  transformations  {Dd : d E 1C}. 

Achieving confidentiality

An encryption scheme may be used as follows for the purpose of achieving confidentiality.
Two parties Alice and Bob first secretly choose or secretly exchange a key pair $(e, d)$. At a
subsequent point in time, if Alice wishes to send a message $m \in \mathcal{M}$ to Bob, she computes
$c = E_e(m)$ and transmits this to Bob. Upon receiving $c$, Bob computes $D_d(c) = m$ and
hence recovers the original message $m$.

The question arises as to why keys are necessary. (Why not just choose one encryption
function and its corresponding decryption function?) Having transformations which are
very similar but characterized by keys means that if some particular encryption/decryption
transformation is revealed then one does not have to redesign the entire scheme but simply
change the key. It is sound cryptographic practice to change the key (encryption/decryption
transformation) frequently. As a physical analogue, consider an ordinary resettable
combination lock. The structure of the lock is available to anyone who wishes to purchase one but
the combination is chosen and set by the owner. If the owner suspects that the combination
has been revealed he can easily reset it without replacing the physical mechanism.

1.22 Example (encryption scheme) Let $\mathcal{M} = \{m_1, m_2, m_3\}$ and $\mathcal{C} = \{c_1, c_2, c_3\}$. There
are precisely $3! = 6$ bijections from $\mathcal{M}$ to $\mathcal{C}$. The key space $\mathcal{K} = \{1, 2, 3, 4, 5, 6\}$ has
six elements in it, each specifying one of the transformations. Figure 1.5 illustrates the six
encryption functions which are denoted by $E_i$, $1 \le i \le 6$. Alice and Bob agree on a
transformation, say $E_1$. To encrypt the message $m_1$, Alice computes $E_1(m_1) = c_3$ and sends
$c_3$ to Bob. Bob decrypts $c_3$ by reversing the arrows on the diagram for $E_1$ and observing
that $c_3$ points to $m_1$.

Figure 1.5: Schematic of a simple encryption scheme.

When $\mathcal{M}$ is a small set, the functional diagram is a simple visual means to describe the
mapping. In cryptography, the set $\mathcal{M}$ is typically of astronomical proportions and, as such,
the visual description is infeasible. What is required, in these cases, is some other simple
means to describe the encryption and decryption transformations, such as mathematical
algorithms. □

Figure 1.6 provides a simple model of a two-party communication using encryption.

Figure 1.6: Schematic of a two-party communication using encryption.


Communication participants

Referring to Figure 1.6, the following terminology is defined.

• An entity or party is someone or something which sends, receives, or manipulates
information. Alice and Bob are entities in Example 1.22. An entity may be a person,
a computer terminal, etc.

• A sender is an entity in a two-party communication which is the legitimate transmitter
of information. In Figure 1.6, the sender is Alice.

• A receiver is an entity in a two-party communication which is the intended recipient
of information. In Figure 1.6, the receiver is Bob.

• An adversary is an entity in a two-party communication which is neither the sender
nor receiver, and which tries to defeat the information security service being provided
between the sender and receiver. Various other names are synonymous with adversary
such as enemy, attacker, opponent, tapper, eavesdropper, intruder, and interloper.
An adversary will often attempt to play the role of either the legitimate sender or the
legitimate receiver.

Channels

• A channel is a means of conveying information from one entity to another.

• A physically secure channel or secure channel is one which is not physically accessible
to the adversary.

• An unsecured channel is one from which parties other than those for which the
information is intended can reorder, delete, insert, or read.

• A secured channel is one from which an adversary does not have the ability to reorder,
delete, insert, or read.

One should note the subtle difference between a physically secure channel and a secured
channel - a secured channel may be secured by physical or cryptographic techniques,
the latter being the topic of this book. Certain channels are assumed to be physically secure.
These include trusted couriers, personal contact between communicating parties, and a
dedicated communication link, to name a few.

Security

A fundamental premise in cryptography is that the sets $\mathcal{M}$, $\mathcal{C}$, $\mathcal{K}$, $\{E_e : e \in \mathcal{K}\}$, $\{D_d : d \in \mathcal{K}\}$
are public knowledge. When two parties wish to communicate securely using an
encryption scheme, the only thing that they keep secret is the particular key pair $(e, d)$ which
they are using, and which they must select. One can gain additional security by keeping the
class of encryption and decryption transformations secret but one should not base the security
of the entire scheme on this approach. History has shown that maintaining the secrecy
of the transformations is very difficult indeed.

1.23 Definition An encryption scheme is said to be breakable if a third party, without prior
knowledge of the key pair $(e, d)$, can systematically recover plaintext from corresponding
ciphertext within some appropriate time frame.

An appropriate time frame will be a function of the useful lifespan of the data being
protected. For example, an instruction to buy a certain stock may only need to be kept secret
for a few minutes whereas state secrets may need to remain confidential indefinitely.

An encryption scheme can be broken by trying all possible keys to see which one the
communicating parties are using (assuming that the class of encryption functions is public
knowledge). This is called an exhaustive search of the key space. It follows then that the
number of keys (i.e., the size of the key space) should be large enough to make this approach
computationally infeasible. It is the objective of a designer of an encryption scheme that this
be the best approach to break the system.

Frequently cited in the literature are Kerckhoffs' desiderata, a set of requirements for
cipher systems. They are given here essentially as Kerckhoffs originally stated them:

1. the system should be, if not theoretically unbreakable, unbreakable in practice;

2. compromise of the system details should not inconvenience the correspondents;

3. the key should be rememberable without notes and easily changed;

4. the cryptogram should be transmissible by telegraph;

5. the encryption apparatus should be portable and operable by a single person; and

6. the system should be easy, requiring neither the knowledge of a long list of rules nor
mental strain.

This list of requirements was articulated in 1883 and, for the most part, remains useful today.
Point 2 allows that the class of encryption transformations being used be publicly known
and that the security of the system should reside only in the key chosen.

Information security in general

So far the terminology has been restricted to encryption and decryption with the goal of
privacy in mind. Information security is much broader, encompassing such things as
authentication and data integrity. A few more general definitions, pertinent to discussions later in
the book, are given next.

• An information security service is a method to provide some specific aspect of security.
For example, integrity of transmitted data is a security objective, and a method
to ensure this aspect is an information security service.

• Breaking an information security service (which often involves more than simply
encryption) implies defeating the objective of the intended service.

• A passive adversary is an adversary who is capable only of reading information from
an unsecured channel.

• An active adversary is an adversary who may also transmit, alter, or delete information
on an unsecured channel.

Cryptology

• Cryptanalysis is the study of mathematical techniques for attempting to defeat
cryptographic techniques, and, more generally, information security services.

• A cryptanalyst is someone who engages in cryptanalysis.

• Cryptology is the study of cryptography (Definition 1.1) and cryptanalysis.

• A cryptosystem is a general term referring to a set of cryptographic primitives used
to provide information security services. Most often the term is used in conjunction
with primitives providing confidentiality, i.e., encryption.

Cryptographic techniques are typically divided into two generic types: symmetric-key
and public-key. Encryption methods of these types will be discussed separately in §1.5 and
§1.8. Other definitions and terminology will be introduced as required.


1.5 Symmetric-key encryption

§1.5 considers symmetric-key encryption. Public-key encryption is the topic of §1.8.

1.5.1 Overview of block ciphers and stream ciphers

1.24 Definition Consider an encryption scheme consisting of the sets of encryption and
decryption transformations $\{E_e : e \in \mathcal{K}\}$ and $\{D_d : d \in \mathcal{K}\}$, respectively, where $\mathcal{K}$ is the key
space. The encryption scheme is said to be symmetric-key if for each associated
encryption/decryption key pair $(e, d)$, it is computationally "easy" to determine $d$ knowing only $e$,
and to determine $e$ from $d$.

Since $e = d$ in most practical symmetric-key encryption schemes, the term symmetric-key
becomes appropriate. Other terms used in the literature are single-key, one-key, private-key,²
and conventional encryption. Example 1.25 illustrates the idea of symmetric-key encryption.

1.25 Example (symmetric-key encryption) Let $\mathcal{A} = \{A, B, C, \ldots, X, Y, Z\}$ be the English
alphabet. Let $\mathcal{M}$ and $\mathcal{C}$ be the set of all strings of length five over $\mathcal{A}$. The key $e$ is chosen
to be a permutation on $\mathcal{A}$. To encrypt, an English message is broken up into groups each
having five letters (with appropriate padding if the length of the message is not a multiple
of five) and a permutation $e$ is applied to each letter one at a time. To decrypt, the inverse
permutation $d = e^{-1}$ is applied to each letter of the ciphertext. For instance, suppose that
the key $e$ is chosen to be the permutation which maps each letter to the one which is three
positions to its right, as shown below

$$e = \begin{pmatrix} A & B & C & D & E & F & G & H & I & J & K & L & M & N & O & P & Q & R & S & T & U & V & W & X & Y & Z \\ D & E & F & G & H & I & J & K & L & M & N & O & P & Q & R & S & T & U & V & W & X & Y & Z & A & B & C \end{pmatrix}$$

A message

$m$ = THISC IPHER ISCER TAINL YNOTS ECURE

is encrypted to

$c = E_e(m)$ = WKLVF LSKHU LVFHU WDLQO BQRWV HFXUH. □

² Private key is a term also used in quite a different context (see §1.8). The term will be reserved for the latter
usage in this book.

A two-party communication using symmetric-key encryption can be described by the
block diagram of Figure 1.7, which is Figure 1.6 with the addition of the secure (both
confidential and authentic) channel. One of the major issues with symmetric-key systems is to
find an efficient method to agree upon and exchange keys securely. This problem is referred
to as the key distribution problem (see Chapters 12 and 13).

Figure 1.7: Two-party communication using encryption, with a secure channel for key exchange.
The decryption key $d$ can be efficiently computed from the encryption key $e$.

It is assumed that all parties know the set of encryption/decryption transformations (i.e.,
they all know the encryption scheme). As has been emphasized several times the only
information which should be required to be kept secret is the key $d$. However, in symmetric-key
encryption, this means that the key $e$ must also be kept secret, as $d$ can be deduced from
$e$. In Figure 1.7 the encryption key $e$ is transported from one entity to the other with the
understanding that both can construct the decryption key $d$.

There are two classes of symmetric-key encryption schemes which are commonly
distinguished: block ciphers and stream ciphers.

1.26 Definition A block cipher is an encryption scheme which breaks up the plaintext messages
to be transmitted into strings (called blocks) of a fixed length $t$ over an alphabet $\mathcal{A}$,
and encrypts one block at a time.

Most well-known symmetric-key encryption techniques are block ciphers. A number
of examples of these are given in Chapter 7. Two important classes of block ciphers are
substitution ciphers and transposition ciphers (§1.5.2). Product ciphers (§1.5.3) combine
these. Stream ciphers are considered in §1.5.4, while comments on the key space follow in
§1.5.5.


1.5.2 Substitution ciphers and transposition ciphers

Substitution ciphers are block ciphers which replace symbols (or groups of symbols) by
other symbols or groups of symbols.

Simple substitution ciphers

1.27 Definition Let $\mathcal{A}$ be an alphabet of $q$ symbols and $\mathcal{M}$ be the set of all strings of length
$t$ over $\mathcal{A}$. Let $\mathcal{K}$ be the set of all permutations on the set $\mathcal{A}$. Define for each $e \in \mathcal{K}$ an
encryption transformation $E_e$ as:

$$E_e(m) = (e(m_1)\, e(m_2) \cdots e(m_t)) = (c_1 c_2 \cdots c_t) = c,$$

where $m = (m_1 m_2 \cdots m_t) \in \mathcal{M}$. In other words, for each symbol in a $t$-tuple, replace
(substitute) it by another symbol from $\mathcal{A}$ according to some fixed permutation $e$. To decrypt
$c = (c_1 c_2 \cdots c_t)$ compute the inverse permutation $d = e^{-1}$ and

$$D_d(c) = (d(c_1)\, d(c_2) \cdots d(c_t)) = (m_1 m_2 \cdots m_t) = m.$$

$E_e$ is called a simple substitution cipher or a mono-alphabetic substitution cipher.

The number of distinct substitution ciphers is $q!$ and is independent of the block size in
the cipher. Example 1.25 is an example of a simple substitution cipher of block length five.

Simple substitution ciphers over small block sizes provide inadequate security even
when the key space is extremely large. If the alphabet is the English alphabet as in Example
1.25, then the size of the key space is $26! \approx 4 \times 10^{26}$, yet the key being used can be
determined quite easily by examining a modest amount of ciphertext. This follows from the
simple observation that the distribution of letter frequencies is preserved in the ciphertext.
For example, the letter E occurs more frequently than the other letters in ordinary English
text. Hence the letter occurring most frequently in a sequence of ciphertext blocks is most
likely to correspond to the letter E in the plaintext. By observing a modest quantity of
ciphertext blocks, a cryptanalyst can determine the key.
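The Python code below is an added illustration of Definition 1.27 and Example 1.25; it is not from the Handbook. It implements $E_e$ for an arbitrary permutation $e$ of the English alphabet with block length $t$, reproduces the ciphertext of Example 1.25 with the shift-by-three key, decrypts with $d = e^{-1}$, and checks the observation above that the profile of letter frequencies is unchanged by the cipher. The padding symbol and all function names are assumptions of this example.

```python
from collections import Counter
from string import ascii_uppercase as ALPHABET


def shift_permutation(k: int) -> dict:
    """Permutation on the English alphabet sending each letter to the one k
    positions to its right; k = 3 is the key e of Example 1.25."""
    return {a: ALPHABET[(i + k) % 26] for i, a in enumerate(ALPHABET)}


def invert(perm: dict) -> dict:
    """d = e^{-1}: interchange the two rows of the permutation array."""
    return {v: k for k, v in perm.items()}


def simple_substitution(text: str, perm: dict, t: int = 5, pad: str = "X") -> str:
    """E_e of Definition 1.27: apply one fixed permutation to every symbol,
    block by block.  Spaces are dropped and the last block is padded to length
    t with `pad`; the padding symbol is an assumption, the text leaves it open."""
    symbols = [ch for ch in text.upper() if ch in perm]
    while len(symbols) % t:
        symbols.append(pad)
    out = "".join(perm[s] for s in symbols)
    return " ".join(out[i:i + t] for i in range(0, len(out), t))


def letter_frequencies(text: str) -> list:
    """Letter counts sorted from most to least frequent, with the letters
    themselves discarded.  A simple substitution cipher leaves this profile
    unchanged, which is the weakness the text describes."""
    return sorted(Counter(ch for ch in text if ch.isalpha()).values(), reverse=True)


E = shift_permutation(3)
D = invert(E)
M = "THISC IPHER ISCER TAINL YNOTS ECURE"      # plaintext of Example 1.25
C = simple_substitution(M, E)                  # WKLVF LSKHU LVFHU WDLQO BQRWV HFXUH

if __name__ == "__main__":
    print(C)
    print(simple_substitution(C, D))
    print("frequency profile preserved:", letter_frequencies(M) == letter_frequencies(C))
```

Because every occurrence of a plaintext letter is replaced by the same ciphertext letter, each count in the plaintext profile reappears in the ciphertext profile; in the example the four E's of the plaintext become the four H's of the ciphertext.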

Homophonic substitution ciphers

1.28 Definition To each symbol $a \in \mathcal{A}$, associate a set $H(a)$ of strings of $t$ symbols, with
the restriction that the sets $H(a)$, $a \in \mathcal{A}$, be pairwise disjoint. A homophonic substitution
cipher replaces each symbol $a$ in a plaintext message block with a randomly chosen string
from $H(a)$. To decrypt a string $c$ of $t$ symbols, one must determine an $a \in \mathcal{A}$ such that
$c \in H(a)$. The key for the cipher consists of the sets $H(a)$.

1.29 Example (homophonic substitution cipher) Consider $\mathcal{A} = \{a, b\}$, $H(a) = \{00, 10\}$, and
$H(b) = \{01, 11\}$. The plaintext message block $ab$ encrypts to one of the following: 0001,
0011, 1001, 1011. Observe that the codomain of the encryption function (for messages of
length two) consists of the following pairwise disjoint sets of four-element bitstrings:

{0000, 0010, 1000, 1010}

{0001, 0011, 1001, 1011}

{0100, 0110, 1100, 1110}

{0101, 0111, 1101, 1111}

Any 4-bitstring uniquely identifies a codomain element, and hence a plaintext message. □

Often the symbols do not occur with equal frequency in plaintext messages. With a
simple substitution cipher this non-uniform frequency property is reflected in the ciphertext
as illustrated in Example 1.25. A homophonic cipher can be used to make the frequency of
occurrence of ciphertext symbols more uniform, at the expense of data expansion. Decryption
is not as easily performed as it is for simple substitution ciphers.
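An added Python illustration of Definition 1.28 and Example 1.29 (not from the Handbook). It encrypts by drawing a random homophone from $H(a)$, decrypts by locating the unique set containing each $t$-symbol chunk, checks the disjointness restriction that makes decryption unambiguous, and enumerates the codomain sets listed in the example. The table `H` is the example's key; the function names are assumptions.

```python
import random
from itertools import product

# Key of Example 1.29: A = {a, b}, H(a) = {00, 10}, H(b) = {01, 11}, t = 2.
H = {"a": ("00", "10"), "b": ("01", "11")}


def check_disjoint(h: dict) -> bool:
    """The sets H(a) must be pairwise disjoint; otherwise some ciphertext chunk
    would decrypt to more than one plaintext symbol."""
    seen = set()
    for strings in h.values():
        for s in strings:
            if s in seen:
                return False
            seen.add(s)
    return True


def homophonic_encrypt(plaintext: str, h: dict, rng: random.Random) -> str:
    """Replace each plaintext symbol a with a randomly chosen string from H(a)."""
    return "".join(rng.choice(h[a]) for a in plaintext)


def homophonic_decrypt(ciphertext: str, h: dict, t: int) -> str:
    """Split into t-symbol chunks and map each chunk c to the a with c in H(a)."""
    lookup = {s: a for a, strings in h.items() for s in strings}
    chunks = [ciphertext[i:i + t] for i in range(0, len(ciphertext), t)]
    return "".join(lookup[c] for c in chunks)


def codomain(plaintext: str, h: dict) -> set:
    """Every ciphertext the given plaintext can encrypt to."""
    return {"".join(parts) for parts in product(*(h[a] for a in plaintext))}


def roundtrip_ok(plaintext: str, h: dict, t: int, seed: int, trials: int = 20) -> bool:
    """Encrypt repeatedly with a seeded generator (seed only for reproducibility)
    and confirm decryption always recovers the plaintext."""
    rng = random.Random(seed)
    return all(homophonic_decrypt(homophonic_encrypt(plaintext, h, rng), h, t) == plaintext
               for _ in range(trials))


if __name__ == "__main__":
    assert check_disjoint(H)
    for p in ("aa", "ab", "ba", "bb"):
        print(p, "->", sorted(codomain(p, H)))
    print(homophonic_encrypt("ab", H, random.Random()))
```

The four codomain sets printed are exactly the four disjoint sets of the example, and together they exhaust all sixteen 4-bit strings, which is why any 4-bit ciphertext identifies a unique two-symbol plaintext. `random.Random` is used only so the demonstration is reproducible; a keystream of homophone choices for real use would come from a cryptographic generator.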

Polyalphabetic substitution ciphers

1.30 Definition A polyalphabetic substitution cipher is a block cipher with block length $t$ over
an alphabet $\mathcal{A}$ having the following properties:

(i) the key space $\mathcal{K}$ consists of all ordered sets of $t$ permutations $(p_1, p_2, \ldots, p_t)$, where
each permutation $p_i$ is defined on the set $\mathcal{A}$;

(ii) encryption of the message $m = (m_1 m_2 \cdots m_t)$ under the key $e = (p_1, p_2, \ldots, p_t)$
is given by $E_e(m) = (p_1(m_1)\, p_2(m_2) \cdots p_t(m_t))$; and

(iii) the decryption key associated with $e = (p_1, p_2, \ldots, p_t)$ is $d = (p_1^{-1}, p_2^{-1}, \ldots, p_t^{-1})$.

1.31 Example (Vigenère cipher) Let $\mathcal{A} = \{A, B, C, \ldots, X, Y, Z\}$ and $t = 3$. Choose $e =
(p_1, p_2, p_3)$, where $p_1$ maps each letter to the letter three positions to its right in the alphabet,
$p_2$ to the one seven positions to its right, and $p_3$ ten positions to its right. If

$m$ = THI SCI PHE RIS CER TAI NLY NOT SEC URE

then

$c = E_e(m)$ = WOS VJS SOO UPC FLB WHS QSI QVD VLM XYO. □

Polyalphabetic ciphers have the advantage over simple substitution ciphers that symbol
frequencies are not preserved. In the example above, the letter E is encrypted to both O and
L. However, polyalphabetic ciphers are not significantly more difficult to cryptanalyze, the
approach being similar to the simple substitution cipher. In fact, once the block length $t$ is
determined, the ciphertext letters can be divided into $t$ groups (where group $i$, $1 \le i \le t$,
consists of those ciphertext letters derived using permutation $p_i$), and a frequency analysis
can be done on each group.
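An added Python illustration of Definition 1.30 and Example 1.31, not from the Handbook. It encrypts with an ordered tuple of $t$ permutations, decrypts with the tuple of inverses (property (iii)), reproduces the ciphertext of the example with the shifts 3, 7, 10, and checks the statement above that the plaintext letter E is sent to both O and L, whereas with a single permutation ($t = 1$, the simple substitution of Example 1.25) it is sent to H alone. Function names are assumptions of this example.

```python
from string import ascii_uppercase as ALPHABET


def shift_permutation(k: int) -> dict:
    """Permutation on A sending each letter to the one k positions to its right."""
    return {a: ALPHABET[(i + k) % 26] for i, a in enumerate(ALPHABET)}


def invert(perm: dict) -> dict:
    return {v: k for k, v in perm.items()}


def polyalphabetic_encrypt(text: str, key: tuple) -> str:
    """E_e(m) = (p_1(m_1) p_2(m_2) ... p_t(m_t)) applied block after block; the
    key is the ordered tuple (p_1, ..., p_t) of Definition 1.30."""
    t = len(key)
    symbols = [ch for ch in text.upper() if ch.isalpha()]
    if len(symbols) % t:
        raise ValueError("message length must be a multiple of the block length t")
    out = "".join(key[i % t][s] for i, s in enumerate(symbols))
    return " ".join(out[i:i + t] for i in range(0, len(out), t))


def polyalphabetic_decrypt(text: str, key: tuple) -> str:
    """Decrypt with d = (p_1^{-1}, ..., p_t^{-1}), property (iii) of Definition 1.30."""
    return polyalphabetic_encrypt(text, tuple(invert(p) for p in key))


def images_of(letter: str, plaintext: str, ciphertext: str) -> set:
    """The set of ciphertext letters that a given plaintext letter is sent to."""
    p = [ch for ch in plaintext if ch.isalpha()]
    c = [ch for ch in ciphertext if ch.isalpha()]
    return {c[i] for i, s in enumerate(p) if s == letter}


KEY = (shift_permutation(3), shift_permutation(7), shift_permutation(10))   # Example 1.31
M3 = "THI SCI PHE RIS CER TAI NLY NOT SEC URE"
C3 = polyalphabetic_encrypt(M3, KEY)      # WOS VJS SOO UPC FLB WHS QSI QVD VLM XYO

if __name__ == "__main__":
    print(C3)
    print(polyalphabetic_decrypt(C3, KEY))
    print("E is sent to", images_of("E", M3, C3))
```

The images of E differ because the position of each E within its block decides which $p_i$ is applied to it; a letter in position $i$ of every block is always encrypted by the same $p_i$, which is what the grouping described in the paragraph above exploits.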

Transposition ciphers

Another class of symmetric-key ciphers is the simple transposition cipher, which simply
permutes the symbols in a block.

1.32 Definition Consider a symmetric-key block encryption scheme with block length $t$. Let $\mathcal{K}$
be the set of all permutations on the set $\{1, 2, \ldots, t\}$. For each $e \in \mathcal{K}$, define the encryption
function

$$E_e(m) = (m_{e(1)}\, m_{e(2)} \cdots m_{e(t)})$$

where $m = (m_1 m_2 \cdots m_t) \in \mathcal{M}$, the message space. The set of all such transformations
is called a simple transposition cipher. The decryption key corresponding to $e$ is the inverse
permutation $d = e^{-1}$. To decrypt $c = (c_1 c_2 \cdots c_t)$, compute $D_d(c) = (c_{d(1)}\, c_{d(2)} \cdots c_{d(t)})$.

A simple transposition cipher preserves the number of symbols of a given type within
a block, and thus is easily cryptanalyzed.
1.5.3 Composition of ciphers

In order to describe product ciphers, the concept of composition of functions is introduced.
Compositions are a convenient way of constructing more complicated functions from simpler
ones.

Composition of functions

1.33 Definition Let $S$, $T$, and $U$ be finite sets and let $f : S \to T$ and $g : T \to U$ be functions.
The composition of $g$ with $f$, denoted $g \circ f$ (or simply $gf$), is a function from $S$ to
$U$ as illustrated in Figure 1.8 and defined by $(g \circ f)(x) = g(f(x))$ for all $x \in S$.

Figure 1.8: The composition $g \circ f$ of functions $g$ and $f$.

Composition can be easily extended to more than two functions. For functions $f_1, f_2,
\ldots, f_t$, one can define $f_t \circ \cdots \circ f_2 \circ f_1$, provided that the domain of $f_t$ equals the codomain
of $f_{t-1}$ and so on.

Compositions and involutions

Involutions were introduced in §1.3.3 as a simple class of functions with an interesting property:
$E_k(E_k(x)) = x$ for all $x$ in the domain of $E_k$; that is, $E_k \circ E_k$ is the identity function.

1.34 Remark (composition of involutions) The composition of two involutions is not necessarily
an involution, as illustrated in Figure 1.9. However, involutions may be composed to get
somewhat more complicated functions whose inverses are easy to find. This is an important
feature for decryption. For example if $E_{k_1}, E_{k_2}, \ldots, E_{k_t}$ are involutions then the inverse
of $E_k = E_{k_1} E_{k_2} \cdots E_{k_t}$ is $E_k^{-1} = E_{k_t} E_{k_{t-1}} \cdots E_{k_1}$, the composition of the involutions
in the reverse order.

Figure 1.9: The composition $g \circ f$ of involutions $g$ and $f$ is not an involution.
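The following Python code is an added illustration (not from the Handbook) that serves both §1.3.3 and Remark 1.34. Functions on a finite set are represented as dicts, so the inverse of a permutation is literally the array with its rows interchanged; the code recovers the inverse printed at the start of this excerpt, checks Definition 1.20, shows that the composition of two involutions need not be an involution, and verifies that the inverse of a product of involutions is their product in reverse order. `P18` is the permutation whose inverse is printed above (bottom row 5 4 1 3 2); `F1`, `F2`, `F3` are constructed involutions on $S = \{1, \ldots, 5\}$ chosen for this example.

```python
def compose(g: dict, f: dict) -> dict:
    """(g o f)(x) = g(f(x)) for functions given as dicts over finite sets (Definition 1.33)."""
    return {x: g[f[x]] for x in f}


def product(*fs: dict) -> dict:
    """f_1 f_2 ... f_t in the book's juxtaposition notation: f_t is applied first,
    f_1 last, so the result equals f_1 o f_2 o ... o f_t."""
    result = {x: x for x in fs[-1]}          # identity on the domain of f_t
    for f in reversed(fs):
        result = compose(f, result)
    return result


def inverse(f: dict) -> dict:
    """Inverse of a bijection: interchange the two rows of its array representation."""
    return {y: x for x, y in f.items()}


def is_involution(f: dict) -> bool:
    """Definition 1.20: f(f(x)) = x for all x, i.e. f equals its own inverse."""
    return all(f[f[x]] == x for x in f)


# Constructed data.  P18 is the permutation whose inverse is printed at the start
# of this excerpt; F1, F2, F3 are involutions on S = {1, ..., 5} chosen here.
P18 = {1: 3, 2: 5, 3: 4, 4: 2, 5: 1}
F1 = {1: 2, 2: 1, 3: 4, 4: 3, 5: 5}
F2 = {1: 3, 2: 2, 3: 1, 4: 5, 5: 4}
F3 = {1: 5, 2: 4, 3: 3, 4: 2, 5: 1}

if __name__ == "__main__":
    print("p^-1 =", inverse(P18))                         # {1: 5, 2: 4, 3: 1, 4: 3, 5: 2}
    print("F2 o F1 is an involution:", is_involution(product(F2, F1)))
    print("inverse of F1 F2 F3 equals F3 F2 F1:",
          inverse(product(F1, F2, F3)) == product(F3, F2, F1))
```

Each `F_i` satisfies `is_involution`, yet `product(F2, F1)` does not; its inverse is nevertheless just `product(F1, F2)`, which is what makes a cipher built from involutions easy to decrypt.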


Handbook  of  Applied  Cryptography  by  A.  Menezes,  P.  van  Oorschot  and  S.  Vanstone. 


20 


Ch.  1 Overview  of  Cryptography 


Product ciphers

Simple substitution and transposition ciphers individually do not provide a very high level
of security. However, by combining these transformations it is possible to obtain strong
ciphers. As will be seen in Chapter 7 some of the most practical and effective symmetric-key
systems are product ciphers. One example of a product cipher is a composition of $t \ge 2$
transformations $E_{k_1} E_{k_2} \cdots E_{k_t}$ where each $E_{k_i}$, $1 \le i \le t$, is either a substitution or a
transposition cipher. For the purpose of this introduction, let the composition of a substitution
and a transposition be called a round.

1.35 Example (product cipher) Let $\mathcal{M} = \mathcal{C} = \mathcal{K}$ be the set of all binary strings of length six.
The number of elements in $\mathcal{M}$ is $2^6 = 64$. Let $m = (m_1 m_2 \cdots m_6)$ and define

$$E^{(1)}_k(m) = m \oplus k, \quad \text{where } k \in \mathcal{K},$$

$$E^{(2)}(m) = (m_4 m_5 m_6 m_1 m_2 m_3).$$

Here, $\oplus$ is the exclusive-OR (XOR) operation defined as follows: $0 \oplus 0 = 0$, $0 \oplus 1 = 1$,
$1 \oplus 0 = 1$, $1 \oplus 1 = 0$. $E^{(1)}_k$ is a polyalphabetic substitution cipher and $E^{(2)}$ is a
transposition cipher (not involving the key). The product $E^{(1)}_k E^{(2)}$ is a round. While here the
transposition cipher is very simple and is not determined by the key, this need not be the
case. □
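An added Python illustration of Definition 1.32 and Example 1.35, not from the Handbook. It implements the general transposition $E_e(m) = (m_{e(1)} \cdots m_{e(t)})$ with its inverse $d = e^{-1}$, checks that a transposition leaves the symbol counts of a block unchanged, and builds the round of Example 1.35 from the XOR substitution and the fixed rotation $E^{(2)}$, inverting it by undoing the factors in reverse order as Remark 1.34 prescribes. The juxtaposition $E^{(1)}_k E^{(2)}$ is read here as a composition with $E^{(2)}$ applied first; that reading, and the function names, are assumptions of this example.

```python
from collections import Counter


def transpose(block: str, e: tuple) -> str:
    """E_e(m) = (m_{e(1)} m_{e(2)} ... m_{e(t)}) of Definition 1.32, with the
    permutation e given as the tuple (e(1), ..., e(t)) in the text's 1-based indexing."""
    return "".join(block[e[i] - 1] for i in range(len(e)))


def inverse_permutation(e: tuple) -> tuple:
    """d = e^{-1} on {1, ..., t}, so that c_{d(j)} = m_j."""
    d = [0] * len(e)
    for i, ei in enumerate(e, start=1):
        d[ei - 1] = i
    return tuple(d)


def preserves_symbol_counts(block: str, e: tuple) -> bool:
    """A transposition only rearranges symbols, so the multiset of symbols in a
    block is unchanged (the weakness noted after Definition 1.32)."""
    return Counter(block) == Counter(transpose(block, e))


def xor_bits(a: str, b: str) -> str:
    """Bitwise exclusive-OR of two equal-length binary strings: E^(1)_k(m) = m XOR k."""
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


ROTATE = (4, 5, 6, 1, 2, 3)                 # E^(2) of Example 1.35: (m4 m5 m6 m1 m2 m3)
ALL_SIX_BIT = [format(i, "06b") for i in range(64)]


def round_encrypt(m: str, k: str) -> str:
    """The round E^(1)_k E^(2), read as a composition: E^(2) is applied first,
    then E^(1)_k.  Which factor goes first is an assumption about the notation;
    either order is a bijection on 6-bit strings."""
    return xor_bits(transpose(m, ROTATE), k)


def round_decrypt(c: str, k: str) -> str:
    """Inverse of the round: undo the factors in reverse order (Remark 1.34)."""
    return transpose(xor_bits(c, k), inverse_permutation(ROTATE))


def round_is_bijection(k: str) -> bool:
    """Every 6-bit string must be hit exactly once for a fixed key."""
    return len({round_encrypt(m, k) for m in ALL_SIX_BIT}) == 64


if __name__ == "__main__":
    m, k = "101100", "011010"               # constructed sample block and key
    c = round_encrypt(m, k)
    print(m, "->", c, "->", round_decrypt(c, k))
    print("round is a bijection:", round_is_bijection(k))
```

Note that the rotation by three positions of a six-symbol block is its own inverse, so `inverse_permutation(ROTATE)` equals `ROTATE`; a general transposition such as `(3, 1, 2)` is not, and the inverse must be computed as shown.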

1.36 Remark (confusion and diffusion) A substitution in a round is said to add confusion to the
encryption process whereas a transposition is said to add diffusion. Confusion is intended
to make the relationship between the key and ciphertext as complex as possible. Diffusion
refers to rearranging or spreading out the bits in the message so that any redundancy in the
plaintext is spread out over the ciphertext. A round then can be said to add both confusion
and diffusion to the encryption. Most modern block cipher systems apply a number of
rounds in succession to encrypt plaintext.


1.5.4 Stream ciphers

Stream ciphers form an important class of symmetric-key encryption schemes. They are, in
one sense, very simple block ciphers having block length equal to one. What makes them
useful is the fact that the encryption transformation can change for each symbol of plaintext
being encrypted. In situations where transmission errors are highly probable, stream
ciphers are advantageous because they have no error propagation. They can also be used
when the data must be processed one symbol at a time (e.g., if the equipment has no memory
or buffering of data is limited).

1.37 Definition Let $\mathcal{K}$ be the key space for a set of encryption transformations. A sequence of
symbols $e_1 e_2 e_3 \cdots e_i \in \mathcal{K}$, is called a keystream.

1.38 Definition Let $\mathcal{A}$ be an alphabet of $q$ symbols and let $E_e$ be a simple substitution cipher
with block length 1 where $e \in \mathcal{K}$. Let $m_1 m_2 m_3 \cdots$ be a plaintext string and let $e_1 e_2 e_3 \cdots$
be a keystream from $\mathcal{K}$. A stream cipher takes the plaintext string and produces a ciphertext
string $c_1 c_2 c_3 \cdots$ where $c_i = E_{e_i}(m_i)$. If $d_i$ denotes the inverse of $e_i$, then $D_{d_i}(c_i) = m_i$
decrypts the ciphertext string.

A stream cipher applies simple encryption transformations according to the keystream
being used. The keystream could be generated at random, or by an algorithm which
generates the keystream from an initial small keystream (called a seed), or from a seed and
previous ciphertext symbols. Such an algorithm is called a keystream generator.

The Vernam cipher

A motivating factor for the Vernam cipher was its simplicity and ease of implementation.

1.39 Definition The Vernam cipher is a stream cipher defined on the alphabet $\mathcal{A} = \{0, 1\}$. A
binary message $m_1 m_2 \cdots m_t$ is operated on by a binary key string $k_1 k_2 \cdots k_t$ of the same
length to produce a ciphertext string $c_1 c_2 \cdots c_t$ where

$$c_i = m_i \oplus k_i, \quad 1 \le i \le t.$$

If the key string is randomly chosen and never used again, the Vernam cipher is called a
one-time system or a one-time pad.

To see how the Vernam cipher corresponds to Definition 1.38, observe that there are
precisely two substitution ciphers on the set $\mathcal{A}$. One is simply the identity map $E_0$ which
sends 0 to 0 and 1 to 1; the other $E_1$ sends 0 to 1 and 1 to 0. When the keystream contains
a 0, apply $E_0$ to the corresponding plaintext symbol; otherwise, apply $E_1$.

If the key string is reused there are ways to attack the system. For example, if $c_1 c_2 \cdots c_t$
and $c'_1 c'_2 \cdots c'_t$ are two ciphertext strings produced by the same keystream $k_1 k_2 \cdots k_t$ then

$$c_i = m_i \oplus k_i, \qquad c'_i = m'_i \oplus k_i$$

and $c_i \oplus c'_i = m_i \oplus m'_i$. The redundancy in the latter may permit cryptanalysis.

The one-time pad can be shown to be theoretically unbreakable. That is, if a cryptanalyst
has a ciphertext string $c_1 c_2 \cdots c_t$ encrypted using a random key string which has been
used only once, the cryptanalyst can do no better than guess at the plaintext being any binary
string of length $t$ (i.e., $t$-bit binary strings are equally likely as plaintext). It has been
proven that to realize an unbreakable system requires a random key of the same length as the
message. This reduces the practicality of the system in all but a few specialized situations.
Reportedly until very recently the communication line between Moscow and Washington
was secured by a one-time pad. Transport of the key was done by trusted courier.
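An added Python illustration of Definitions 1.38 and 1.39, not from the Handbook. It implements the Vernam cipher as bitwise XOR, writes the same cipher in the form of Definition 1.38 (a keystream bit selecting between the two substitution ciphers $E_0$ and $E_1$ on $\{0, 1\}$), draws a fresh one-time key from the operating system's random source, and verifies the identity $c_i \oplus c'_i = m_i \oplus m'_i$ that shows why a key must never be reused. The sample bit strings are constructed; the function names are assumptions of this example.

```python
import secrets


def vernam(bits: str, key: str) -> str:
    """c_i = m_i XOR k_i (Definition 1.39).  XOR with a fixed bit is an
    involution, so applying the same function to the ciphertext decrypts it."""
    if len(bits) != len(key) or set(bits + key) - {"0", "1"}:
        raise ValueError("message and key must be binary strings of equal length")
    return "".join("1" if m != k else "0" for m, k in zip(bits, key))


# The two substitution ciphers on {0, 1} named in the text: E_0 is the identity
# and E_1 swaps the symbols.  Each keystream bit selects which one to apply.
E0 = {"0": "0", "1": "1"}
E1 = {"0": "1", "1": "0"}


def stream_cipher_view(bits: str, keystream: str) -> str:
    """The same cipher written as Definition 1.38 prescribes: c_i = E_{k_i}(m_i)."""
    return "".join((E1 if k == "1" else E0)[m] for m, k in zip(bits, keystream))


def one_time_key(t: int) -> str:
    """A fresh random key of the full message length from the OS CSPRNG; for a
    one-time pad it must be used for exactly one message and then discarded."""
    return "".join(str(secrets.randbelow(2)) for _ in range(t))


def key_reuse_leak(c1: str, c2: str) -> str:
    """If c and c' were made with the same key, c XOR c' = m XOR m': the key
    cancels and what remains depends on the two plaintexts only."""
    return vernam(c1, c2)


if __name__ == "__main__":
    m, m2, k = "1011", "0001", "0110"        # constructed sample messages and key
    c, c2 = vernam(m, k), vernam(m2, k)
    print("c  =", c, " decrypts to", vernam(c, k))
    print("c XOR c' =", key_reuse_leak(c, c2), " m XOR m' =", vernam(m, m2))
    print("fresh one-time key:", one_time_key(len(m)))
```

The last line of the identity check is the defender's reason for the "never used again" clause: reusing `k` removes it from `c XOR c'` entirely, leaving a quantity about the plaintexts that does not depend on the key at all.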


1.5.5 The key space 

The size of the key space is the number of encryption/decryption key pairs that are available 
in the cipher system. A key is typically a compact way to specify the encryption transformation 
(from the set of all encryption transformations) to be used. For example, a transposition 
cipher of block length $t$ has $t!$ encryption functions from which to select. Each can 
be simply described by a permutation which is called the key. 

It  is  a great  temptation  to  relate  the  security  of  the  encryption  scheme  to  the  size  of  the 
key  space.  The  following  statement  is  important  to  remember. 

1.40 Fact A necessary, but usually not sufficient, condition for an encryption scheme to be secure 
is that the key space be large enough to preclude exhaustive search. 

For instance, the simple substitution cipher in Example 1.25 has a key space of size 
$26! \approx 4 \times 10^{26}$. The polyalphabetic substitution cipher of Example 1.31 has a key space 
of size $(26!)^3 \approx 7 \times 10^{79}$. Exhaustive search of either key space is completely infeasible, 
yet both ciphers are relatively weak and provide little security. 
1.6 Digital signatures 

A cryptographic  primitive  which  is  fundamental  in  authentication,  authorization,  and  non- 
repudiation is  the  digital  signature.  The  purpose  of  a digital  signature  is  to  provide  a means 
for  an  entity  to  bind  its  identity  to  a piece  of  information.  The  process  of  signing  entails 
transforming  the  message  and  some  secret  information  held  by  the  entity  into  a tag  called 
a signature.  A generic  description  follows. 

Nomenclature  and  set-up 

• $\mathcal{M}$ is the set of messages which can be signed. 

• $\mathcal{S}$ is a set of elements called signatures, possibly binary strings of a fixed length. 

• $S_A$ is a transformation from the message set $\mathcal{M}$ to the signature set $\mathcal{S}$, and is called 
a signing transformation for entity $A$.$^3$ The transformation $S_A$ is kept secret by $A$, 
and will be used to create signatures for messages from $\mathcal{M}$. 

• $V_A$ is a transformation from the set $\mathcal{M} \times \mathcal{S}$ to the set $\{\text{true}, \text{false}\}$.$^4$ $V_A$ is called 
a verification transformation for $A$'s signatures, is publicly known, and is used by 
other entities to verify signatures created by $A$. 

1.41 Definition The transformations $S_A$ and $V_A$ provide a digital signature scheme for $A$. Occasionally 
the term digital signature mechanism is used. 

1.42 Example (digital signature scheme) $\mathcal{M} = \{m_1, m_2, m_3\}$ and $\mathcal{S} = \{s_1, s_2, s_3\}$. The left 
side of Figure 1.10 displays a signing function $S_A$ from the set $\mathcal{M}$ and, the right side, the 
corresponding verification function $V_A$. □ 


[Figure 1.10: A signing and verification function for a digital signature scheme. Left: $S_A$ maps $m_1, m_2, m_3$ to signatures among $s_1, s_2, s_3$; right: $V_A$ maps (message, signature) pairs to True or False.] 


$^3$ The names of Alice and Bob are usually abbreviated to $A$ and $B$, respectively. 

$^4$ $\mathcal{M} \times \mathcal{S}$ consists of all pairs $(m, s)$ where $m \in \mathcal{M}$, $s \in \mathcal{S}$, called the Cartesian product of $\mathcal{M}$ and $\mathcal{S}$. 
Signing procedure 

Entity $A$ (the signer) creates a signature for a message $m \in \mathcal{M}$ by doing the following: 

1. Compute $s = S_A(m)$. 

2. Transmit the pair $(m, s)$. $s$ is called the signature for message $m$. 

Verification  procedure 

To verify that a signature $s$ on a message $m$ was created by $A$, an entity $B$ (the verifier) 
performs the following steps: 

1. Obtain the verification function $V_A$ of $A$. 

2. Compute $u = V_A(m, s)$. 

3. Accept the signature as having been created by $A$ if $u = \text{true}$, and reject the signature 
if $u = \text{false}$. 

1.43 Remark (concise representation) The transformations $S_A$ and $V_A$ are typically characterized 
more compactly by a key; that is, there is a class of signing and verification algorithms 
publicly known, and each algorithm is identified by a key. Thus the signing algorithm $S_A$ 
of $A$ is determined by a key $k_A$ and $A$ is only required to keep $k_A$ secret. Similarly, the 
verification algorithm $V_A$ of $A$ is determined by a key $l_A$ which is made public. 

1.44 Remark (handwritten signatures) Handwritten signatures could be interpreted as a special 
class of digital signatures. To see this, take the set of signatures $\mathcal{S}$ to contain only one 
element which is the handwritten signature of $A$, denoted by $s_A$. The verification function 
simply checks if the signature on a message purportedly signed by $A$ is $s_A$. 

An undesirable feature in Remark 1.44 is that the signature is not message-dependent. 
Hence, further constraints are imposed on digital signature mechanisms as next discussed. 

Properties  required  for  signing  and  verification  functions 

There  are  several  properties  which  the  signing  and  verification  transformations  must  satisfy. 

(a) $s$ is a valid signature of $A$ on message $m$ if and only if $V_A(m, s) = \text{true}$. 

(b) It is computationally infeasible for any entity other than $A$ to find, for any $m \in \mathcal{M}$, 
an $s \in \mathcal{S}$ such that $V_A(m, s) = \text{true}$. 

Figure 1.10 graphically displays property (a). There is an arrowed line in the diagram 
for $V_A$ from $(m_i, s_j)$ to true provided there is an arrowed line from $m_i$ to $s_j$ in the diagram 
for $S_A$. Property (b) provides the security for the method: the signature uniquely binds $A$ 
to the message which is signed. 

No one has yet formally proved that digital signature schemes satisfying (b) exist (although 
existence is widely believed to be true); however, there are some very good candidates. 
§1.8.3 introduces a particular class of digital signatures which arise from public-key 
encryption techniques. Chapter 11 describes a number of digital signature mechanisms 
which are believed to satisfy the two properties cited above. Although the description of a 
digital signature given in this section is quite general, it can be broadened further, as presented 
in §11.2. 
1.7 Authentication and identification 

Authentication  is  a term  which  is  used  (and  often  abused)  in  a very  broad  sense.  By  itself 
it  has  little  meaning  other  than  to  convey  the  idea  that  some  means  has  been  provided  to 
guarantee  that  entities  are  who  they  claim  to  be,  or  that  information  has  not  been  manip- 
ulated by  unauthorized  parties.  Authentication  is  specific  to  the  security  objective  which 
one  is  trying  to  achieve.  Examples  of  specific  objectives  include  access  control,  entity  au- 
thentication, message  authentication,  data  integrity,  non-repudiation,  and  key  authentica- 
tion. These  instances  of  authentication  are  dealt  with  at  length  in  Chapters  9 through  13. 
For  the  purposes  of  this  chapter,  it  suffices  to  give  a brief  introduction  to  authentication  by 
describing  several  of  the  most  obvious  applications. 

Authentication  is  one  of  the  most  important  of  all  information  security  objectives.  Un- 
til the  mid  1970s  it  was  generally  believed  that  secrecy  and  authentication  were  intrinsically 
connected.  With  the  discovery  of  hash  functions  (§1.9)  and  digital  signatures  (§1.6),  it  was 
realized  that  secrecy  and  authentication  were  truly  separate  and  independent  information 
security  objectives.  It  may  at  first  not  seem  important  to  separate  the  two  but  there  are  situ- 
ations where  it  is  not  only  useful  but  essential.  For  example,  if  a two-party  communication 
between  Alice  and  Bob  is  to  take  place  where  Alice  is  in  one  country  and  Bob  in  another, 
the  host  countries  might  not  permit  secrecy  on  the  channel;  one  or  both  countries  might 
want  the  ability  to  monitor  all  communications.  Alice  and  Bob,  however,  would  like  to  be 
assured  of  the  identity  of  each  other,  and  of  the  integrity  and  origin  of  the  information  they 
send  and  receive. 

The  preceding  scenario  illustrates  several  independent  aspects  of  authentication.  If  Al- 
ice and  Bob  desire  assurance  of  each  other’s  identity,  there  are  two  possibilities  to  consider. 

1. Alice and Bob could be communicating with no appreciable time delay. That is, they 
are both active in the communication in “real time”. 

2.  Alice  or  Bob  could  be  exchanging  messages  with  some  delay.  That  is,  messages 
might  be  routed  through  various  networks,  stored,  and  forwarded  at  some  later  time. 

In  the  first  instance  Alice  and  Bob  would  want  to  verify  identities  in  real  time.  This 
might  be  accomplished  by  Alice  sending  Bob  some  challenge,  to  which  Bob  is  the  only 
entity  which  can  respond  correctly.  Bob  could  perform  a similar  action  to  identify  Alice. 
This  type  of  authentication  is  commonly  referred  to  as  entity  authentication  or  more  simply 
identification. 

For  the  second  possibility,  it  is  not  convenient  to  challenge  and  await  response,  and 
moreover  the  communication  path  may  be  only  in  one  direction.  Different  techniques  are 
now  required  to  authenticate  the  originator  of  the  message.  This  form  of  authentication  is 
called  data  origin  authentication. 


1.7.1  Identification 

1 .45  Definition  An  identification  or  entity  authentication  technique  assures  one  party  (through 
acquisition  of  corroborative  evidence)  of  both  the  identity  of  a second  party  involved,  and 
that  the  second  was  active  at  the  time  the  evidence  was  created  or  acquired. 

Typically  the  only  data  transmitted  is  that  necessary  to  identify  the  communicating  par- 
ties. The  entities  are  both  active  in  the  communication,  giving  a timeliness  guarantee. 
1.46 Example (identification) $A$ calls $B$ on the telephone. If $A$ and $B$ know each other then 
entity authentication is provided through voice recognition. Although not foolproof, this 
works effectively in practice. □ 

1.47 Example (identification) Person $A$ provides to a banking machine a personal identification 
number (PIN) along with a magnetic stripe card containing information about $A$. The 
banking machine uses the information on the card and the PIN to verify the identity of the 
card holder. If verification succeeds, $A$ is given access to various services offered by the 
machine. □ 

Example 1.46 is an instance of mutual authentication whereas Example 1.47 only provides 
unilateral authentication. Numerous mechanisms and protocols devised to provide 
mutual or unilateral authentication are discussed in Chapter 10. 


1.7.2  Data  origin  authentication 

1.48 Definition Data origin authentication or message authentication techniques provide to 
one party which receives a message assurance (through corroborative evidence) of the identity 
of the party which originated the message. 

Often  a message  is  provided  to  B along  with  additional  information  so  that  B can  de- 
termine the  identity  of  the  entity  who  originated  the  message.  This  form  of  authentication 
typically  provides  no  guarantee  of  timeliness,  but  is  useful  in  situations  where  one  of  the 
parties  is  not  active  in  the  communication. 

1.49 Example (need for data origin authentication) $A$ sends to $B$ an electronic mail message 
(e-mail). The message may travel through various network communications systems and be 
stored for $B$ to retrieve at some later time. $A$ and $B$ are usually not in direct communication. 
$B$ would like some means to verify that the message received and purportedly created by 
$A$ did indeed originate from $A$. □ 

Data  origin  authentication  implicitly  provides  data  integrity  since,  if  the  message  was 
modified  during  transmission,  A would  no  longer  be  the  originator. 


1.8  Public-key  cryptography 

The concept of public-key encryption is simple and elegant, but has far-reaching consequences. 


1.8.1  Public-key  encryption 

Let $\{E_e : e \in \mathcal{K}\}$ be a set of encryption transformations, and let $\{D_d : d \in \mathcal{K}\}$ be the set of 
corresponding decryption transformations, where $\mathcal{K}$ is the key space. Consider any pair of 
associated encryption/decryption transformations $(E_e, D_d)$ and suppose that each pair has 
the property that knowing $E_e$ it is computationally infeasible, given a random ciphertext 
$c \in \mathcal{C}$, to find the message $m \in \mathcal{M}$ such that $E_e(m) = c$. This property implies that given 
$e$ it is infeasible to determine the corresponding decryption key $d$. (Of course $e$ and $d$ are 
simply means to describe the encryption and decryption functions, respectively.) $E_e$ is being 
viewed here as a trapdoor one-way function (Definition 1.16) with $d$ being the trapdoor 
information necessary to compute the inverse function and hence allow decryption. This is 
unlike symmetric-key ciphers where $e$ and $d$ are essentially the same. 

Under these assumptions, consider the two-party communication between Alice and 
Bob illustrated in Figure 1.11. Bob selects the key pair $(e, d)$. Bob sends the encryption key 
$e$ (called the public key) to Alice over any channel but keeps the decryption key $d$ (called the 
private key) secure and secret. Alice may subsequently send a message $m$ to Bob by applying 
the encryption transformation determined by Bob's public key to get $c = E_e(m)$. Bob 
decrypts the ciphertext $c$ by applying the inverse transformation $D_d$ uniquely determined 
by $d$. 

[Figure 1.11: Encryption using public-key techniques (Alice encrypts to Bob).] 


Notice how Figure 1.11 differs from Figure 1.7 for a symmetric-key cipher. Here the 
encryption key is transmitted to Alice over an unsecured channel. This unsecured channel 
may be the same channel on which the ciphertext is being transmitted (but see §1.8.2). 

Since the encryption key $e$ need not be kept secret, it may be made public. Any entity 
can subsequently send encrypted messages to Bob which only Bob can decrypt. Figure 1.12 
illustrates this idea, where $A_1$, $A_2$ and $A_3$ are distinct entities. Note that if $A_1$ destroys 
message $m_1$ after encrypting it to $c_1$, then even $A_1$ cannot recover $m_1$ from $c_1$. 

As  a physical  analogue,  consider  a metal  box  with  the  lid  secured  by  a combination 
lock.  The  combination  is  known  only  to  Bob.  If  the  lock  is  left  open  and  made  publicly 
available  then  anyone  can  place  a message  inside  and  lock  the  lid.  Only  Bob  can  retrieve 
the  message.  Even  the  entity  which  placed  the  message  into  the  box  is  unable  to  retrieve  it. 

Public-key encryption, as described here, assumes that knowledge of the public key $e$ 
does not allow computation of the private key $d$. In other words, this assumes the existence 
of trapdoor one-way functions (§1.3.1(iii)). 

1.50 Definition Consider an encryption scheme consisting of the sets of encryption and decryption 
transformations $\{E_e : e \in \mathcal{K}\}$ and $\{D_d : d \in \mathcal{K}\}$, respectively. The encryption method 
is said to be a public-key encryption scheme if for each associated encryption/decryption 
pair $(e, d)$, one key $e$ (the public key) is made publicly available, while the other $d$ (the private 
key) is kept secret. For the scheme to be secure, it must be computationally infeasible 
to compute $d$ from $e$. 

[Figure 1.12: Schematic use of public-key encryption, showing distinct entities $A_1$, $A_2$ and $A_3$ encrypting to Bob.] 

1.51 Remark (private key vs. secret key) To avoid ambiguity, a common convention is to use 
the term private key in association with public-key cryptosystems, and secret key in association 
with symmetric-key cryptosystems. This may be motivated by the following line of 
thought: it takes two or more parties to share a secret, but a key is truly private only when 
one party alone knows it. 

There  are  many  schemes  known  which  are  widely  believed  to  be  secure  public-key 
encryption  methods,  but  none  have  been  mathematically  proven  to  be  secure  independent 
of  qualifying  assumptions.  This  is  not  unlike  the  symmetric-key  case  where  the  only  system 
which  has  been  proven  secure  is  the  one-time  pad  (§1.5.4). 


1.8.2  The  necessity  of  authentication  in  public-key  systems 

It would appear that public-key cryptography is an ideal system, not requiring a secure channel 
to pass the encryption key. This would imply that two entities could communicate over 
an unsecured channel without ever having met to exchange keys. Unfortunately, this is not 
the case. Figure 1.13 illustrates how an active adversary can defeat the system (decrypt 
messages intended for a second entity) without breaking the encryption system. This is a 
type of impersonation and is an example of protocol failure (see §1.10). In this scenario 
the adversary impersonates entity $B$ by sending entity $A$ a public key $e'$ which $A$ assumes 
(incorrectly) to be the public key of $B$. The adversary intercepts encrypted messages from 
$A$ to $B$, decrypts with its own private key $d'$, re-encrypts the message under $B$'s public key 
$e$, and sends it on to $B$. This highlights the necessity to authenticate public keys to achieve 
data origin authentication of the public keys themselves. $A$ must be convinced that she is 
encrypting under the legitimate public key of $B$. Fortunately, public-key techniques also 
allow an elegant solution to this problem (see §1.11). 


[Figure 1.13: An impersonation attack on a two-party communication ($A$, Adversary, $B$).] 


1.8.3  Digital  signatures  from  reversible  public-key  encryption 

This  section  considers  a class  of  digital  signature  schemes  which  is  based  on  public-key 
encryption  systems  of  a particular  type. 

Suppose $E_e$ is a public-key encryption transformation with message space $\mathcal{M}$ and ciphertext 
space $\mathcal{C}$. Suppose further that $\mathcal{M} = \mathcal{C}$. If $D_d$ is the decryption transformation 
corresponding to $E_e$, then since $E_e$ and $D_d$ are both permutations, one has 

$$D_d(E_e(m)) = E_e(D_d(m)) = m, \qquad \text{for all } m \in \mathcal{M}.$$

A public-key encryption scheme of this type is called reversible.$^5$ Note that it is essential 
that $\mathcal{M} = \mathcal{C}$ for this to be a valid equality for all $m \in \mathcal{M}$; otherwise, $D_d(m)$ will be 
meaningless for $m \notin \mathcal{C}$. 

$^5$ There is a broader class of digital signatures which can be informally described as arising from irreversible 
cryptographic algorithms. These are described in §11.2. 
Construction for a digital signature scheme 

1. Let $\mathcal{M}$ be the message space for the signature scheme. 

2. Let $\mathcal{C} = \mathcal{M}$ be the signature space $\mathcal{S}$. 

3. Let $(e, d)$ be a key pair for the public-key encryption scheme. 

4. Define the signing function $S_A$ to be $D_d$. That is, the signature for a message $m \in \mathcal{M}$ 
is $s = D_d(m)$. 

5. Define the verification function $V_A$ by 

$$V_A(m, s) = \begin{cases} \text{true}, & \text{if } E_e(s) = m, \\ \text{false}, & \text{otherwise.} \end{cases}$$


The signature scheme can be simplified further if $A$ only signs messages having a special 
structure, and this structure is publicly known. Let $\mathcal{M}'$ be a subset of $\mathcal{M}$ where elements 
of $\mathcal{M}'$ have a well-defined special structure, such that $\mathcal{M}'$ contains only a negligible 
fraction of messages from the set. For example, suppose that $\mathcal{M}$ consists of all binary 
strings of length $2t$ for some positive integer $t$. Let $\mathcal{M}'$ be the subset of $\mathcal{M}$ consisting of all 
strings where the first $t$ bits are replicated in the last $t$ positions (e.g., 101101 would be in 
$\mathcal{M}'$ for $t = 3$). If $A$ only signs messages within the subset $\mathcal{M}'$, these are easily recognized 
by a verifier. 

Redefine the verification function $V_A$ as 

$$V_A(s) = \begin{cases} \text{true}, & \text{if } E_e(s) \in \mathcal{M}', \\ \text{false}, & \text{otherwise.} \end{cases}$$

Under this new scenario $A$ only needs to transmit the signature $s$ since the message $m = E_e(s)$ 
can be recovered by applying the verification function. Such a scheme is called a 
digital signature scheme with message recovery. Figure 1.14 illustrates how this signature 
function is used. The feature of selecting messages of special structure is referred to as 
selecting messages with redundancy. 


[Figure 1.14: A digital signature scheme with message recovery (Signer $A$).] 


The modification presented above is more than a simplification; it is absolutely crucial 
if one hopes to meet the requirement of property (b) of signing and verification functions 
(see page 23). To see why this is the case, note that any entity $B$ can select a random element 
$s \in \mathcal{S}$ as a signature and apply $E_e$ to get $u = E_e(s)$, since $\mathcal{S} = \mathcal{M}$ and $E_e$ is public 
knowledge. $B$ may then take the message $m = u$ and the signature on $m$ to be $s$ and transmit 
$(m, s)$. It is easy to check that $s$ will verify as a signature created by $A$ for $m$ but in 
which $A$ has had no part. In this case $B$ has forged a signature of $A$. This is an example of 
what is called existential forgery. ($B$ has produced $A$'s signature on some message likely 
not of $B$'s choosing.) 

If $\mathcal{M}'$ contains only a negligible fraction of messages from $\mathcal{M}$, then the probability of 
some entity forging a signature of $A$ in this manner is negligibly small. 
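The public-key encryption of §1.8.1 and the reversible-encryption signature construction of this section, including the redundant subset $\mathcal{M}'$ and the existential forgery it guards against, worked through as an added example that is not the Handbook's own code. It uses textbook RSA as the reversible scheme (an assumption; the section does not name one) with constructed toy parameters $p = 61$, $q = 53$, $e = 17$, $d = 2753$ and $t = 5$, small enough that every signature value can be enumerated.

```python
# Toy reversible public-key scheme: textbook RSA with constructed tiny primes.
# Real keys are thousands of bits and are never used unpadded like this.
P, Q = 61, 53
N = P * Q                 # 3233: message space M = ciphertext space C = Z_N
E_PUB = 17                # public key e
D_PRIV = 2753             # private key d, with e*d = 1 (mod (p-1)(q-1))


def E(e: int, m: int) -> int:
    """E_e: the public encryption transformation, a permutation of Z_N."""
    return pow(m, e, N)


def D(d: int, c: int) -> int:
    """D_d: the trapdoor inverse of E_e; d is the trapdoor information."""
    return pow(c, d, N)


# Construction of section 1.8.3: S_A = D_d and V_A(m, s) = true iff E_e(s) = m.
def sign(d: int, m: int) -> int:
    return D(d, m)


def verify(e: int, m: int, s: int) -> bool:
    return E(e, s) == m


# Redundancy: M' = 2t-bit strings whose first t bits are replicated in the
# last t bits (the text's example uses t = 3; t = 5 is used here).
T = 5


def add_redundancy(m: int) -> int:
    """Map a t-bit message m to the element of M' that carries it."""
    if not 0 <= m < (1 << T):
        raise ValueError("m must be a t-bit value")
    return (m << T) | m


def in_redundant_subset(x: int) -> bool:
    """Membership test for M'; anything that is not a 2t-bit string is rejected."""
    if x >= (1 << (2 * T)):
        return False
    return (x >> T) == (x & ((1 << T) - 1))


def verify_with_recovery(e: int, s: int):
    """V_A(s) for the message-recovery scheme: returns the recovered message
    m = E_e(s) when it lies in M', else None (signature rejected)."""
    m = E(e, s)
    return m if in_redundant_subset(m) else None


def existential_forgery_without_redundancy(e: int, s: int) -> tuple[int, bool]:
    """The text's observation: with S = M and no redundancy, any s verifies
    for the message m = E_e(s), so such a scheme cannot meet property (b).
    Returns (m, result of V_A(m, s))."""
    m = E(e, s)
    return m, verify(e, m, s)


def count_signatures_landing_in_redundant_subset(e: int) -> int:
    """Because E_e is a permutation of Z_N, exactly |M' ∩ Z_N| = 2^t values
    of s have E_e(s) in M'; a random s is accepted with probability 2^t / N."""
    return sum(1 for s in range(N) if in_redundant_subset(E(e, s)))


if __name__ == "__main__":
    m = add_redundancy(0b10110)                 # 726, an element of M'
    s = sign(D_PRIV, m)
    print(verify_with_recovery(E_PUB, s))       # 726: recovered from s alone
    print(existential_forgery_without_redundancy(E_PUB, 1234)[1])   # True
    print(count_signatures_landing_in_redundant_subset(E_PUB), "of", N)  # 32 of 3233
```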

1.52 Remark (digital signatures vs. confidentiality) Although digital signature schemes based 
on  reversible  public-key  encryption  are  attractive,  they  require  an  encryption  method  as  a 
primitive.  There  are  situations  where  a digital  signature  mechanism  is  required  but  encryp- 
tion is  forbidden.  In  such  cases  these  digital  signature  schemes  are  inappropriate. 

Digital  signatures  in  practice 

For  digital  signatures  to  be  useful  in  practice,  concrete  realizations  of  the  preceding  con- 
cepts should  have  certain  additional  properties.  A digital  signature  must 

1.  be  easy  to  compute  by  the  signer  (the  signing  function  should  be  easy  to  apply); 

2.  be  easy  to  verify  by  anyone  (the  verification  function  should  be  easy  to  apply);  and 

3.  have  an  appropriate  lifespan,  i.e.,  be  computationally  secure  from  forgery  until  the 
signature  is  no  longer  necessary  for  its  original  purpose. 

Resolution  of  disputes 

The  purpose  of  a digital  signature  (or  any  signature  method)  is  to  permit  the  resolution  of 
disputes.  For  example,  an  entity  A could  at  some  point  deny  having  signed  a message  or 
some  other  entity  B could  falsely  claim  that  a signature  on  a message  was  produced  by  A. 
In  order  to  overcome  such  problems  a trusted  third  party  (TTP)  or  judge  is  required.  The 
TTP  must  be  some  entity  which  all  parties  involved  agree  upon  in  advance. 

If $A$ denies that a message $m$ held by $B$ was signed by $A$, then $B$ should be able to 
present the signature $s_A$ for $m$ to the TTP along with $m$. The TTP rules in favor of $B$ if 
$V_A(m, s_A) = \text{true}$ and in favor of $A$ otherwise. $B$ will accept the decision if $B$ is confident 
that the TTP has the same verifying transformation $V_A$ as $A$ does. $A$ will accept the decision 
if $A$ is confident that the TTP used $V_A$ and that $S_A$ has not been compromised. Therefore, 
fair  resolution  of  disputes  requires  that  the  following  criteria  are  met. 

Requirements  for  resolution  of  disputed  signatures 

1.  Sa  and  Va  have  properties  (a)  and  (b)  of  page  23. 

2.  The  TTP  has  an  authentic  copy  of  Va. 

3.  The  signing  transformation  Sa  has  been  kept  secret  and  remains  secure. 

These  properties  are  necessary  but  in  practice  it  might  not  be  possible  to  guarantee 
them.  For  example,  the  assumption  that  Sa  and  Va  have  the  desired  characteristics  given 
in  property  1 might  turn  out  to  be  false  for  a particular  signature  scheme.  Another  possi- 
bility is  that  A claims  falsely  that  Sa  was  compromised.  To  overcome  these  problems  re- 
quires an  agreed  method  to  validate  the  time  period  for  which  A will  accept  responsibility 
for  the  verification  transformation.  An  analogue  of  this  situation  can  be  made  with  credit 
card  revocation.  The  holder  of  a card  is  responsible  until  the  holder  notifies  the  card  issuing 
company that the card has been lost or stolen. §13.8.2 gives a more in-depth discussion of 
these problems and possible solutions. 
1.8.4 Symmetric-key vs. public-key cryptography 

Symmetric-key  and  public-key  encryption  schemes  have  various  advantages  and  disadvan- 
tages, some  of  which  are  common  to  both.  This  section  highlights  a number  of  these  and 
summarizes  features  pointed  out  in  previous  sections. 

(i)  Advantages  of  symmetric-key  cryptography 

1.  Symmetric-key  ciphers  can  be  designed  to  have  high  rates  of  data  throughput.  Some 
hardware  implementations  achieve  encrypt  rates  of  hundreds  of  megabytes  per  sec- 
ond, while  software  implementations  may  attain  throughput  rates  in  the  megabytes 
per  second  range. 

2.  Keys  for  symmetric-key  ciphers  are  relatively  short. 

3.  Symmetric-key  ciphers  can  be  employed  as  primitives  to  construct  various  crypto- 
graphic mechanisms  including  pseudorandom  number  generators  (see  Chapter  5), 
hash  functions  (see  Chapter  9),  and  computationally  efficient  digital  signature  sch- 
emes (see  Chapter  11),  to  name  just  a few. 

4.  Symmetric-key  ciphers  can  be  composed  to  produce  stronger  ciphers.  Simple  trans- 
formations which  are  easy  to  analyze,  but  on  their  own  weak,  can  be  used  to  construct 
strong  product  ciphers. 

5.  Symmetric-key  encryption  is  perceived  to  have  an  extensive  history,  although  it  must 
be  acknowledged  that,  notwithstanding  the  invention  of  rotor  machines  earlier,  much 
of  the  knowledge  in  this  area  has  been  acquired  subsequent  to  the  invention  of  the 
digital computer, and, in particular, the design of the Data Encryption Standard (see 
Chapter 7) in the early 1970s. 

(ii)  Disadvantages  of  symmetric-key  cryptography 

1.  In  a two-party  communication,  the  key  must  remain  secret  at  both  ends. 

2. In a large network, there are many key pairs to be managed. Consequently, effective 
key management requires the use of an unconditionally trusted TTP (Definition 1.65). 

3.  In  a two-party  communication  between  entities  A and  B,  sound  cryptographic  prac- 
tice dictates  that  the  key  be  changed  frequently,  and  perhaps  for  each  communication 
session. 

4.  Digital  signature  mechanisms  arising  from  symmetric-key  encryption  typically  re- 
quire either  large  keys  for  the  public  verification  function  or  the  use  of  a TTP  (see 
Chapter  11). 

(iii)  Advantages  of  public-key  cryptography 

1. Only the private key must be kept secret (authenticity of public keys must, however, 
be guaranteed). 

2. The administration of keys on a network requires the presence of only a functionally 
trusted TTP (Definition 1.66) as opposed to an unconditionally trusted TTP. Depending 
on the mode of usage, the TTP might only be required in an “off-line” manner, 
as opposed to in real time. 

3.  Depending  on  the  mode  of  usage,  a private  key/public  key  pair  may  remain  unchang- 
ed for  considerable  periods  of  time,  e.g.,  many  sessions  (even  several  years). 

4.  Many  public-key  schemes  yield  relatively  efficient  digital  signature  mechanisms. 
The  key  used  to  describe  the  public  verification  function  is  typically  much  smaller 
than  for  the  symmetric-key  counterpart. 
5. In a large network, the number of keys necessary may be considerably smaller than 
in the symmetric-key scenario. 

(iv)  Disadvantages  of  public-key  encryption 

1. Throughput rates for the most popular public-key encryption methods are several orders 
of magnitude slower than the best known symmetric-key schemes. 

2.  Key  sizes  are  typically  much  larger  than  those  required  for  symmetric-key  encryption 
(see  Remark  1.53),  and  the  size  of  public-key  signatures  is  larger  than  that  of  tags 
providing  data  origin  authentication  from  symmetric-key  techniques. 

3.  No  public-key  scheme  has  been  proven  to  be  secure  (the  same  can  be  said  for  block 
ciphers).  The  most  effective  public-key  encryption  schemes  found  to  date  have  their 
security  based  on  the  presumed  difficulty  of  a small  set  of  number-theoretic  problems. 

4.  Public-key  cryptography  does  not  have  as  extensive  a history  as  symmetric-key  en- 
cryption, being  discovered  only  in  the  mid  1970s.6 

Summary  of  comparison 

Symmetric-key  and  public-key  encryption  have  a number  of  complementary  advantages. 
Current  cryptographic  systems  exploit  the  strengths  of  each.  An  example  will  serve  to  il- 
lustrate. 

Public-key encryption techniques may be used to establish a key for a symmetric-key 
system being used by communicating entities $A$ and $B$. In this scenario $A$ and $B$ can take 
advantage of the long term nature of the public/private keys of the public-key scheme and 
the performance efficiencies of the symmetric-key scheme. Since data encryption is frequently 
the most time consuming part of the encryption process, the public-key scheme for 
key establishment is a small fraction of the total encryption process between $A$ and $B$. 

To  date,  the  computational  performance  of  public-key  encryption  is  inferior  to  that  of 
symmetric-key  encryption.  There  is,  however,  no  proof  that  this  must  be  the  case.  The 
important  points  in  practice  are: 

1. public-key cryptography facilitates efficient signatures (particularly non-repudiation)
and key management; and

2.  symmetric-key  cryptography  is  efficient  for  encryption  and  some  data  integrity  ap- 
plications. 

1.53 Remark (key sizes: symmetric key vs. private key) Private keys in public-key systems
must be larger (e.g., 1024 bits for RSA) than secret keys in symmetric-key systems (e.g., 64
or 128 bits) because whereas (for secure algorithms) the most efficient attack on symmetric-key
systems is an exhaustive key search, all known public-key systems are subject to "short-cut"
attacks (e.g., factoring) more efficient than exhaustive search. Consequently, for equivalent
security, symmetric keys have bitlengths considerably smaller than that of private keys
in public-key systems, e.g., by a factor of 10 or more.


6 It  is,  of  course,  arguable  that  some  public-key  schemes  which  are  based  on  hard  mathematical  problems  have 
a long  history  since  these  problems  have  been  studied  for  many  years.  Although  this  may  be  true,  one  must  be 
wary  that  the  mathematics  was  not  studied  with  this  application  in  mind. 
1.9 Hash functions

One of the fundamental primitives in modern cryptography is the cryptographic hash
function, often informally called a one-way hash function. A simplified definition for the present
discussion follows.

1.54 Definition A hash function is a computationally efficient function mapping binary strings
of arbitrary length to binary strings of some fixed length, called hash-values.

For a hash function which outputs n-bit hash-values (e.g., n = 128 or 160) and has
desirable properties, the probability that a randomly chosen string gets mapped to a particular
n-bit hash-value (image) is $2^{-n}$. The basic idea is that a hash-value serves as a compact
representative of an input string. To be of cryptographic use, a hash function h is typically
chosen such that it is computationally infeasible to find two distinct inputs which hash to a
common value (i.e., two colliding inputs x and y such that h(x) = h(y)), and that given
a specific hash-value y, it is computationally infeasible to find an input (pre-image) x such
that h(x) = y.

The  most  common  cryptographic  uses  of  hash  functions  are  with  digital  signatures  and 
for  data  integrity.  With  digital  signatures,  a long  message  is  usually  hashed  (using  a pub- 
licly available  hash  function)  and  only  the  hash-value  is  signed.  The  party  receiving  the 
message  then  hashes  the  received  message,  and  verifies  that  the  received  signature  is  cor- 
rect for  this  hash-value.  This  saves  both  time  and  space  compared  to  signing  the  message 
directly,  which  would  typically  involve  splitting  the  message  into  appropriate-sized  blocks 
and  signing  each  block  individually.  Note  here  that  the  inability  to  find  two  messages  with 
the  same  hash-value  is  a security  requirement,  since  otherwise,  the  signature  on  one  mes- 
sage hash-value  would  be  the  same  as  that  on  another,  allowing  a signer  to  sign  one  message 
and  at  a later  point  in  time  claim  to  have  signed  another. 

Hash  functions  may  be  used  for  data  integrity  as  follows.  The  hash-value  correspond- 
ing to  a particular  input  is  computed  at  some  point  in  time.  The  integrity  of  this  hash-value 
is  protected  in  some  manner.  At  a subsequent  point  in  time,  to  verify  that  the  input  data 
has  not  been  altered,  the  hash-value  is  recomputed  using  the  input  at  hand,  and  compared 
for  equality  with  the  original  hash-value.  Specific  applications  include  virus  protection  and 
software  distribution. 

A third  application  of  hash  functions  is  their  use  in  protocols  involving  a priori  com- 
mitments, including  some  digital  signature  schemes  and  identification  protocols  (e.g.,  see 
Chapter  10). 

Hash  functions  as  discussed  above  are  typically  publicly  known  and  involve  no  secret 
keys.  When  used  to  detect  whether  the  message  input  has  been  altered,  they  are  called  modi- 
fication detection  codes  (MDCs).  Related  to  these  are  hash  functions  which  involve  a secret 
key,  and  provide  data  origin  authentication  (§9.76)  as  well  as  data  integrity;  these  are  called 
message  authentication  codes  (MACs). 
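The data-integrity procedure of the preceding paragraphs and the MDC/MAC distinction just drawn, as an added Python example; this is not code from the Handbook. An unkeyed SHA-256 hash serves as a modification detection code over a constructed two-file package, and an HMAC tag shows what the secret key adds. The file contents, the manifest layout and the adversary's guessed key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample "software package" (not a real distribution): name -> contents.
FILES = {
    "installer.bin": b"\x7fELF" + bytes(range(64)),
    "README.txt": b"Example package, version 1.0\n",
}


def hash_value(data: bytes) -> str:
    """Unkeyed hash function h: input of any length -> fixed 256-bit hash-value (hex)."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """MDC use: record h(x) for every file at distribution time."""
    return {name: hash_value(content) for name, content in files.items()}


def check_manifest(files: dict, manifest: dict) -> dict:
    """Recompute h(x) from the data at hand and compare with the stored hash-value.
    compare_digest does not stop at the first differing byte, so timing reveals nothing."""
    return {
        name: hmac.compare_digest(hash_value(content), manifest.get(name, ""))
        for name, content in files.items()
    }


def mac_tag(key: bytes, data: bytes) -> str:
    """Keyed hash (MAC): only holders of `key` can compute a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def check_mac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac_tag(key, data), tag)


def demo() -> dict:
    manifest = build_manifest(FILES)
    intact = all(check_manifest(FILES, manifest).values())

    # An altered file is detected, provided the original manifest is protected.
    tampered = dict(FILES)
    tampered["installer.bin"] = FILES["installer.bin"] + b"\x90"
    detected = not check_manifest(tampered, manifest)["installer.bin"]

    # If the manifest is not protected, anyone can recompute the unkeyed hash of
    # the altered file and the check passes: the hash-value itself needs protection.
    forged_manifest = build_manifest(tampered)
    unprotected_fooled = all(check_manifest(tampered, forged_manifest).values())

    # A MAC closes that gap: without the key the adversary cannot produce a tag
    # that verifies (here she tries one computed under a guessed key).
    key = secrets.token_bytes(32)
    tag = mac_tag(key, FILES["installer.bin"])
    mac_ok = check_mac(key, FILES["installer.bin"], tag)
    forged_tag = mac_tag(b"guessed key", tampered["installer.bin"])
    forgery_rejected = not check_mac(key, tampered["installer.bin"], forged_tag)

    return {
        "intact": intact,
        "tamper_detected": detected,
        "unprotected_manifest_fooled": unprotected_fooled,
        "mac_ok": mac_ok,
        "mac_forgery_rejected": forgery_rejected,
    }
```

The third check in demo() is the point behind "the integrity of this hash-value is protected in some manner": whoever alters the data can recompute an unkeyed hash, so the stored hash-value needs its own protection (a signature, a MAC, or a trusted channel), whereas a MAC tag cannot be recomputed without the key.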


1.10  Protocols  and  mechanisms 

1.55 Definition A cryptographic protocol (protocol) is a distributed algorithm defined by a
sequence of steps precisely specifying the actions required of two or more entities to achieve
a specific security objective.

1.56 Remark (protocol vs. mechanism) As opposed to a protocol, a mechanism is a more
general term encompassing protocols, algorithms (specifying the steps followed by a single
entity), and non-cryptographic techniques (e.g., hardware protection and procedural controls)
to achieve specific security objectives.

Protocols  play  a major  role  in  cryptography  and  are  essential  in  meeting  cryptographic 
goals  as  discussed  in  §1.2.  Encryption  schemes,  digital  signatures,  hash  functions,  and  ran- 
dom number  generation  are  among  the  primitives  which  may  be  utilized  to  build  a protocol. 

1.57 Example (a simple key agreement protocol) Alice and Bob have chosen a symmetric-key
encryption scheme to use in communicating over an unsecured channel. To encrypt
information they require a key. The communication protocol is the following:

1. Bob constructs a public-key encryption scheme and sends his public key to Alice over
the channel.

2. Alice generates a key for the symmetric-key encryption scheme.

3. Alice encrypts the key using Bob's public key and sends the encrypted key to Bob.

4. Bob decrypts using his private key and recovers the symmetric (secret) key.

5. Alice and Bob begin communicating with privacy by using the symmetric-key
system and the common secret key.

This  protocol  uses  basic  functions  to  attempt  to  realize  private  communications  on  an  unse- 
cured channel.  The  basic  primitives  are  the  symmetric-key  and  the  public-key  encryption 
schemes.  The  protocol  has  shortcomings  including  the  impersonation  attack  of  §1.8.2,  but 
it  does  convey  the  idea  of  a protocol.  □ 

Often  the  role  of  public-key  encryption  in  privacy  communications  is  exactly  the  one 
suggested  by  this  protocol  - public-key  encryption  is  used  as  a means  to  exchange  keys 
for  subsequent  use  in  symmetric-key  encryption,  motivated  by  performance  differences  be- 
tween symmetric-key  and  public-key  encryption. 

Protocol  and  mechanism  failure 

1.58 Definition A protocol failure or mechanism failure occurs when a mechanism fails to meet
the goals for which it was intended, in a manner whereby an adversary gains advantage
not by breaking an underlying primitive such as an encryption algorithm directly, but by
manipulating the protocol or mechanism itself.

1.59 Example (mechanism failure) Alice and Bob are communicating using a stream cipher.
Messages which they encrypt are known to have a special form: the first twenty bits carry
information which represents a monetary amount. An active adversary can simply XOR an
appropriate bitstring into the first twenty bits of ciphertext and change the amount. While
the adversary has not been able to read the underlying message, she has been able to alter
the transmission. The encryption has not been compromised but the protocol has failed to
perform adequately; the inherent assumption that encryption provides data integrity is
incorrect. □
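Example 1.59 carried through in Python as an added illustration, not code from the Handbook: a toy stream cipher built from SHA-256 keystream blocks, the twenty-bit amount packed into the first three bytes of the message, the adversary's XOR into the ciphertext, and the repair, an encrypt-then-MAC tag which the receiver checks before decrypting. The keystream construction, the message layout and the names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher keystream: SHA-256(key || nonce || counter) blocks.
    Illustrative only, not a standard cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def encode_message(amount: int, payee: str) -> bytes:
    """First 20 bits carry the amount (packed into 3 bytes, top 4 bits zero)."""
    assert 0 <= amount < 2**20
    return amount.to_bytes(3, "big") + payee.encode()


def decode_message(msg: bytes) -> tuple:
    return int.from_bytes(msg[:3], "big"), msg[3:].decode()


def xor_into(ciphertext: bytes, offset: int, mask: bytes) -> bytes:
    """Active adversary: XOR a chosen bitstring into part of the ciphertext."""
    c = bytearray(ciphertext)
    for i, m in enumerate(mask):
        c[offset + i] ^= m
    return bytes(c)


# Mask that flips bit 19 (top bit of the amount field); needs no key and no plaintext.
FLIP_BIT_19 = (1 << 19).to_bytes(3, "big")


def malleability_demo() -> tuple:
    """Encryption alone: the altered ciphertext decrypts to a different amount."""
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(8)
    c = stream_xor(key, nonce, encode_message(100, "alice"))
    c_altered = xor_into(c, 0, FLIP_BIT_19)
    amount, _ = decode_message(stream_xor(key, nonce, c))
    altered_amount, payee = decode_message(stream_xor(key, nonce, c_altered))
    return amount, altered_amount, payee  # (100, 524388, "alice")


def mac_demo() -> tuple:
    """Encrypt-then-MAC: the receiver verifies a keyed tag before decrypting."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(8)

    def receive(nonce: bytes, c: bytes, tag: bytes):
        expected = hmac.new(mac_key, nonce + c, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # modification detected, message rejected
        return decode_message(stream_xor(enc_key, nonce, c))

    c = stream_xor(enc_key, nonce, encode_message(100, "alice"))
    tag = hmac.new(mac_key, nonce + c, hashlib.sha256).digest()
    return receive(nonce, c, tag), receive(nonce, xor_into(c, 0, FLIP_BIT_19), tag)
```

malleability_demo() returns the original and altered amounts; the rest of the message survives intact, which is exactly why the change goes unnoticed without a MAC. mac_demo() returns the accepted honest message and None for the altered one.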

1.60 Example (forward search attack) Suppose that in an electronic bank transaction the 32-bit
field which records the value of the transaction is to be encrypted using a public-key
scheme. This simple protocol is intended to provide privacy of the value field - but does
it? An adversary could easily take all $2^{32}$ possible entries that could be plaintext in this field
and encrypt them using the public encryption function. (Remember that by the very nature
of public-key encryption this function must be available to the adversary.) By comparing
each of the $2^{32}$ ciphertexts with the one which is actually encrypted in the transaction, the
adversary can determine the plaintext. Here the public-key encryption function is not
compromised, but rather the way it is used. A closely related attack which applies directly to
authentication for access control purposes is the dictionary attack (see §10.2.2). □

1.61 Remark (causes of protocol failure) Protocols and mechanisms may fail for a number of
reasons, including:

1. weaknesses in a particular cryptographic primitive which may be amplified by the
protocol or mechanism;

2.  claimed  or  assumed  security  guarantees  which  are  overstated  or  not  clearly  under- 
stood; and 

3.  the  oversight  of  some  principle  applicable  to  a broad  class  of  primitives  such  as  en- 
cryption. 

Example  1.59  illustrates  item  2 if  the  stream  cipher  is  the  one-time  pad,  and  also  item  1. 
Example  1.60  illustrates  item  3.  See  also  §1.8.2. 

1.62 Remark (protocol design) When designing cryptographic protocols and mechanisms, the
following two steps are essential:

1.  identify  all  assumptions  in  the  protocol  or  mechanism  design;  and 

2.  for  each  assumption,  determine  the  effect  on  the  security  objective  if  that  assumption 
is  violated. 


1.11 Key establishment, management, and certification

This  section  gives  a brief  introduction  to  methodology  for  ensuring  the  secure  distribution 
of  keys  for  cryptographic  purposes. 

1.63 Definition Key establishment is any process whereby a shared secret key becomes
available to two or more parties, for subsequent cryptographic use.

1.64  Definition  Key  management  is  the  set  of  processes  and  mechanisms  which  support  key 
establishment  and  the  maintenance  of  ongoing  keying  relationships  between  parties,  includ- 
ing replacing  older  keys  with  new  keys  as  necessary. 

Key  establishment  can  be  broadly  subdivided  into  key  agreement  and  key  transport. 
Many  and  various  protocols  have  been  proposed  to  provide  key  establishment.  Chapter  12 
describes  a number  of  these  in  detail.  For  the  purpose  of  this  chapter  only  a brief  overview  of 
issues  related  to  key  management  will  be  given.  Simple  architectures  based  on  symmetric- 
key  and  public-key  cryptography  along  with  the  concept  of  certification  will  be  addressed. 

As noted in §1.5, a major issue when using symmetric-key techniques is the establishment
of pairwise secret keys. This becomes more evident when considering a network of
entities, any two of which may wish to communicate. Figure 1.15 illustrates a network
consisting of 6 entities. The arrowed edges indicate the 15 possible two-party communications
which could take place. Since each pair of entities wish to communicate, this small
network requires the secure exchange of $\binom{6}{2} = 15$ key pairs. In a network with n entities, the
number of secure key exchanges required is $\binom{n}{2} = \frac{n(n-1)}{2}$.

Figure 1.15: Keying relationships in a simple 6-party network.


The  network  diagram  depicted  in  Figure  1.15  is  simply  the  amalgamation  of  15  two- 
party  communications  as  depicted  in  Figure  1.7.  In  practice,  networks  are  very  large  and 
the  key  management  problem  is  a crucial  issue.  There  are  a number  of  ways  to  handle  this 
problem. Two simplistic methods are discussed; one based on symmetric-key and the other
on public-key techniques.


1.11.1  Key  management  through  symmetric-key  techniques 

One  solution  which  employs  symmetric-key  techniques  involves  an  entity  in  the  network 
which  is  trusted  by  all  other  entities.  As  in  §1.8.3,  this  entity  is  referred  to  as  a trusted  third 
party (TTP). Each entity $A_i$ shares a distinct symmetric key $k_i$ with the TTP. These keys are
assumed to have been distributed over a secured channel. If two entities subsequently wish
to communicate, the TTP generates a key k (sometimes called a session key) and sends it
encrypted under each of the fixed keys as depicted in Figure 1.16 for entities $A_1$ and $A_2$.

Figure 1.16: Key management using a trusted third party (TTP).


Advantages  of  this  approach  include: 

1.  It  is  easy  to  add  and  remove  entities  from  the  network. 

2. Each entity needs to store only one long-term secret key.

Disadvantages include:

1.  All  communications  require  initial  interaction  with  the  TTP. 

2.  The  TTP  must  store  n long-term  secret  keys. 
3. The TTP has the ability to read all messages.

4.  If  the  TTP  is  compromised,  all  communications  are  insecure. 


1.11.2  Key  management  through  public-key  techniques 

There  are  a number  of  ways  to  address  the  key  management  problem  through  public-key 
techniques.  Chapter  13  describes  many  of  these  in  detail.  For  the  purpose  of  this  chapter  a 
very  simple  model  is  considered. 

Each  entity  in  the  network  has  a public/private  encryption  key  pair.  The  public  key 
along  with  the  identity  of  the  entity  is  stored  in  a central  repository  called  a public  file.  If 
an entity $A_1$ wishes to send encrypted messages to entity $A_6$, $A_1$ retrieves the public key
$e_6$ of $A_6$ from the public file, encrypts the message using this key, and sends the ciphertext
to $A_6$. Figure 1.17 depicts such a network.

Figure 1.17: Key management using public-key techniques.


Advantages  of  this  approach  include: 

1.  No  trusted  third  party  is  required. 

2.  The  public  file  could  reside  with  each  entity. 

3.  Only  n public  keys  need  to  be  stored  to  allow  secure  communications  between  any 
pair  of  entities,  assuming  the  only  attack  is  that  by  a passive  adversary. 

The  key  management  problem  becomes  more  difficult  when  one  must  take  into  account 
an  adversary  who  is  active  (i.e.  an  adversary  who  can  alter  the  public  file  containing  public 
keys).  Figure  1.18  illustrates  how  an  active  adversary  could  compromise  the  key  manage- 
ment scheme  given  above.  (This  is  directly  analogous  to  the  attack  in  §1.8.2.)  In  the  figure, 
the adversary alters the public file by replacing the public key $e_6$ of entity $A_6$ by the
adversary's public key $e^*$. Any message encrypted for $A_6$ using the public key from the public
file can be decrypted by only the adversary. Having decrypted and read the message, the
adversary can now encrypt it using the public key of $A_6$ and forward the ciphertext to $A_6$.
$A_1$ however believes that only $A_6$ can decrypt the ciphertext c.

Figure 1.18: An impersonation of $A_6$ by an active adversary with public key $e^*$.


To  prevent  this  type  of  attack,  the  entities  may  use  a TTP  to  certify  the  public  key  of 
each  entity.  The  TTP  has  a private  signing  algorithm  St  and  a verification  algorithm  Vt 
(see  §1.6)  assumed  to  be  known  by  all  entities.  The  TTP  carefully  verifies  the  identity  of 
each  entity,  and  signs  a message  consisting  of  an  identifier  and  the  entity’s  authentic  public 
key.  This  is  a simple  example  of  a certificate,  binding  the  identity  of  an  entity  to  its  public 
key (see §1.11.3). Figure 1.19 illustrates the network under these conditions. $A_1$ uses the
public key of $A_6$ only if the certificate signature verifies successfully.

Figure 1.19: Authentication of public keys by a TTP. || denotes concatenation.


Advantages  of  using  a TTP  to  maintain  the  integrity  of  the  public  file  include: 

1. It prevents an active adversary from impersonation on the network.

2.  The  TTP  cannot  monitor  communications.  Entities  need  trust  the  TTP  only  to  bind 
identities  to  public  keys  properly. 

3.  Per-communication  interaction  with  the  public  file  can  be  eliminated  if  entities  store 
certificates  locally. 

Even  with  a TTP,  some  concerns  still  remain: 

1.  If  the  signing  key  of  the  TTP  is  compromised,  all  communications  become  insecure. 

2.  All  trust  is  placed  with  one  entity. 
1.11.3 Trusted third parties and public-key certificates

A trusted  third  party  has  been  used  in  §1.8.3  and  again  here  in  §1.11.  The  trust  placed  on 
this  entity  varies  with  the  way  it  is  used,  and  hence  motivates  the  following  classification. 

1.65 Definition A TTP is said to be unconditionally trusted if it is trusted on all matters. For
example,  it  may  have  access  to  the  secret  and  private  keys  of  users,  as  well  as  be  charged 
with  the  association  of  public  keys  to  identifiers. 

1.66 Definition A TTP is said to be functionally trusted if the entity is assumed to be honest
and  fair  but  it  does  not  have  access  to  the  secret  or  private  keys  of  users. 

§1.11.1  provides  a scenario  which  employs  an  unconditionally  trusted  TTP.  §1.11.2 
uses  a functionally  trusted  TTP  to  maintain  the  integrity  of  the  public  file.  A functionally 
trusted  TTP  could  be  used  to  register  or  certify  users  and  contents  of  documents  or,  as  in 
§1.8.3,  as  a judge. 

Public-key  certificates 

The  distribution  of  public  keys  is  generally  easier  than  that  of  symmetric  keys,  since  secrecy 
is  not  required.  However,  the  integrity  (authenticity)  of  public  keys  is  critical  (recall  §1.8.2). 

A public-key  certificate  consists  of  a data  part  and  a signature  part.  The  data  part  con- 
sists of  the  name  of  an  entity,  the  public  key  corresponding  to  that  entity,  possibly  additional 
relevant  information  (e.g.,  the  entity’s  street  or  network  address,  a validity  period  for  the 
public  key,  and  various  other  attributes).  The  signature  part  consists  of  the  signature  of  a 
TTP  over  the  data  part. 

In  order  for  an  entity  B to  verify  the  authenticity  of  the  public  key  of  an  entity  A , B 
must  have  an  authentic  copy  of  the  public  signature  verification  function  of  the  TTP.  For 
simplicity,  assume  that  the  authenticity  of  this  verification  function  is  provided  to  B by  non- 
cryptographic means,  for  example  by  B obtaining  it  from  the  TTP  in  person.  B can  then 
carry  out  the  following  steps: 

1.  Acquire  the  public-key  certificate  of  A over  some  unsecured  channel,  either  from  a 
central  database  of  certificates,  from  A directly,  or  otherwise. 

2.  Use  the  TTP’s  verification  function  to  verify  the  TTP’s  signature  on  A’s  certificate. 

3.  If  this  signature  verifies  correctly,  accept  the  public  key  in  the  certificate  as  A’s  au- 
thentic public  key;  otherwise,  assume  the  public  key  is  invalid. 

Before creating a public-key certificate for A, the TTP must take appropriate measures
to verify the identity of A and the fact that the public key to be certificated actually belongs
to A. One method is to require that A appear before the TTP with a conventional passport
as proof of identity, and obtain A's public key from A in person along with evidence that
A knows  the  corresponding  private  key.  Once  the  TTP  creates  a certificate  for  a party,  the 
trust  that  all  other  entities  have  in  the  authenticity  of  the  TTP’s  public  key  can  be  used  tran- 
sitively to  gain  trust  in  the  authenticity  of  that  party’s  public  key,  through  acquisition  and 
verification  of  the  certificate. 
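The certificate verification steps above, the public-file attack of §1.11.2 (Figure 1.18) and the key transport of Example 1.57 (step 3), as one added Python example; it is not code from the Handbook. Textbook RSA with 512-bit keys and no padding stands in for the TTP's signing and verification algorithms $S_T$ and $V_T$ and for the entities' encryption keys, which is enough to show the logic but is not a usable construction; the certificate layout, the identifiers and the helper names are assumptions made for this example.

```python
import hashlib
import secrets

# Toy textbook RSA: short keys and no padding. Illustration only, not a usable scheme.

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def rsa_keypair(bits: int = 512) -> tuple:
    """Return (public (n, e), private (n, d)). Real keys are 2048 bits or more."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv: tuple, data: bytes) -> int:
    """S_T: hash the data part, then apply the private operation."""
    n, d = priv
    return pow(_digest_int(data), d, n)

def verify(pub: tuple, data: bytes, sig: int) -> bool:
    """V_T: the recovered value must equal a fresh hash of the data part."""
    n, e = pub
    return pow(sig, e, n) == _digest_int(data)

def cert_data(identity: str, pub: tuple) -> bytes:
    """Data part of a certificate: identifier || public key (|| = concatenation)."""
    return b"||".join([identity.encode(), str(pub[0]).encode(), str(pub[1]).encode()])

def issue_certificate(ttp_priv: tuple, identity: str, pub: tuple) -> dict:
    """The TTP signs the data part (its identity checks are assumed already done)."""
    return {"identity": identity, "public_key": pub,
            "signature": sign(ttp_priv, cert_data(identity, pub))}

def accept_public_key(ttp_pub: tuple, cert: dict, expected_identity: str):
    """Steps 1-3 of the text: return the key only if the TTP's signature verifies."""
    if cert["identity"] != expected_identity:
        return None
    data = cert_data(cert["identity"], cert["public_key"])
    return cert["public_key"] if verify(ttp_pub, data, cert["signature"]) else None

def scenario() -> dict:
    ttp_pub, ttp_priv = rsa_keypair()
    a6_pub, a6_priv = rsa_keypair()
    adv_pub, adv_priv = rsa_keypair()
    public_file = {"A6": issue_certificate(ttp_priv, "A6", a6_pub)}

    # Honest run: A1 verifies A6's certificate, then transports a session key
    # under e6 as in Example 1.57, step 3 (unpadded textbook RSA: toy only).
    e6 = accept_public_key(ttp_pub, public_file["A6"], "A6")
    session_key = secrets.randbits(128)
    recovered = pow(pow(session_key, e6[1], e6[0]), a6_priv[1], a6_priv[0])

    # Figure 1.18: the adversary swaps e6 for e* in the public file, so the
    # TTP's signature no longer matches the data part. A certificate she signs
    # herself does not help either: that signature fails under V_T.
    tampered = dict(public_file["A6"], public_key=adv_pub)
    forged = issue_certificate(adv_priv, "A6", adv_pub)

    return {
        "honest_key_accepted": e6 == a6_pub,
        "session_key_recovered": recovered == session_key,
        "tampered_rejected": accept_public_key(ttp_pub, tampered, "A6") is None,
        "forged_rejected": accept_public_key(ttp_pub, forged, "A6") is None,
    }
```

Only the TTP's verification key has to reach $A_1$ authentically; every other public key is then accepted or rejected on the strength of a signature check. The unpadded key transport at the end is also the setting of Example 1.60: deterministic public-key encryption of a small value can be matched by forward search, which is one reason deployed schemes add randomised padding.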


1.12  Pseudorandom  numbers  and  sequences 

Random  number  generation  is  an  important  primitive  in  many  cryptographic  mechanisms. 
For  example,  keys  for  encryption  transformations  need  to  be  generated  in  a manner  which  is 
unpredictable to an adversary. Generating a random key typically involves the selection of
random  numbers  or  bit  sequences.  Random  number  generation  presents  challenging  issues. 
A brief  introduction  is  given  here  with  details  left  to  Chapter  5. 

Often  in  cryptographic  applications,  one  of  the  following  steps  must  be  performed: 

(i)  From  a finite  set  of  n elements  (e.g.,  {1,2,...  , n}),  select  an  element  at  random. 

(ii)  From  the  set  of  all  sequences  (strings)  of  length  m over  some  finite  alphabet  A of  n 
symbols,  select  a sequence  at  random. 

(iii) Generate a random sequence (string) of symbols of length m over a set of n symbols.

It is not clear what exactly it means to select at random or generate at random. Calling a
number random without a context makes little sense. Is the number 23 a random number?
No, but if 49 identical balls labeled with a number from 1 to 49 are in a container, and this
container mixes the balls uniformly, drops one ball out, and this ball happens to be labeled
with the number 23, then one would say that 23 was generated randomly from a uniform
distribution. The probability that 23 drops out is 1 in 49 or $\frac{1}{49}$.

If the number on the ball which was dropped from the container is recorded and the ball
is placed back in the container and the process repeated 6 times, then a random sequence
of length 6 defined on the alphabet A = {1, 2, ..., 49} will have been generated. What is
the chance that the sequence 17, 45, 1, 7, 23, 35 occurs? Since each element in the sequence
has probability $\frac{1}{49}$ of occurring, the probability of the sequence 17, 45, 1, 7, 23, 35 occurring
is

$$\frac{1}{49} \times \frac{1}{49} \times \frac{1}{49} \times \frac{1}{49} \times \frac{1}{49} \times \frac{1}{49} = \frac{1}{13841287201}.$$

There  are  precisely  13841287201  sequences  of  length  6 over  the  alphabet  A.  If  each  of 
these  sequences  is  written  on  one  of  13841287201  balls  and  they  are  placed  in  the  container 
( first  removing  the  original  49  balls)  then  the  chance  that  the  sequence  given  above  drops 
out  is  the  same  as  if  it  were  generated  one  ball  at  a time.  Hence,  (ii)  and  (iii)  above  are 
essentially  the  same  statements. 

Finding  good  methods  to  generate  random  sequences  is  difficult. 

1.67 Example (random sequence generator) To generate a random sequence of 0's and 1's, a
coin could be tossed with a head landing up recorded as a 1 and a tail as a 0. It is assumed
that the coin is unbiased, which means that the probability of a 1 on a given toss is exactly $\frac{1}{2}$.
This will depend on how well the coin is made and how the toss is performed. This method
would be of little value in a system where random sequences must be generated quickly
and often. It has no practical value other than to serve as an example of the idea of random
number generation. □

1.68 Example (random sequence generator) A noise diode may be used to produce random
binary sequences. This is reasonable if one has some way to be convinced that the
probability that a 1 will be produced on any given trial is $\frac{1}{2}$. Should this assumption be false, the
sequence  generated  would  not  have  been  selected  from  a uniform  distribution  and  so  not 
all  sequences  of  a given  length  would  be  equally  likely.  The  only  way  to  get  some  feeling 
for  the  reliability  of  this  type  of  random  source  is  to  carry  out  statistical  tests  on  its  output. 
These  are  considered  in  Chapter  5.  If  the  diode  is  a source  of  a uniform  distribution  on  the 
set  of  all  binary  sequences  of  a given  length,  it  provides  an  effective  way  to  generate  ran- 
dom sequences.  □ 

Since most true sources of random sequences (if there is such a thing) come from
physical means, they tend to be either costly or slow in their generation. To overcome these
problems, methods have been devised to construct pseudorandom sequences in a
deterministic manner from a shorter random sequence called a seed. The pseudorandom sequences
appear  to  be  generated  by  a truly  random  source  to  anyone  not  knowing  the  method  of  gen- 
eration. Often  the  generation  algorithm  is  known  to  all,  but  the  seed  is  unknown  except  by 
the  entity  generating  the  sequence.  A plethora  of  algorithms  has  been  developed  to  generate 
pseudorandom  bit  sequences  of  various  types.  Many  of  these  are  completely  unsuitable  for 
cryptographic  purposes  and  one  must  be  cautious  of  claims  by  creators  of  such  algorithms 
as  to  the  random  nature  of  the  output. 
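The selection steps (i) to (iii) and the seed-expansion idea of the last paragraph, as an added Python example that is not from the Handbook. Uniform selection from {1, ..., n} is done by rejection sampling on a k-bit draw; modulo_bias shows exactly how far the shortcut of reducing a k-bit value mod n departs from uniform for the n = 49 alphabet of the text; and SHAKE-256 used as an extendable-output function stands in for a seeded pseudorandom generator. The SeededBits wrapper and the ones_fraction check are assumptions of this example, not a standard DRBG or one of the Chapter 5 tests.

```python
import hashlib
import secrets
from collections import Counter


def expand_seed(seed: bytes, nbytes: int) -> bytes:
    """Pseudorandom sequence from a short seed, using SHAKE-256 as an extendable-
    output function. Deterministic: whoever knows the seed reproduces the sequence."""
    return hashlib.shake_256(seed).digest(nbytes)


class SeededBits:
    """Serves k-bit draws from a seed-expanded byte string (toy; a real DRBG also
    handles reseeding, backtracking resistance and the like)."""

    def __init__(self, seed: bytes, nbytes: int = 4096):
        self._pool = int.from_bytes(expand_seed(seed, nbytes), "big")
        self._remaining = nbytes * 8

    def randbits(self, k: int) -> int:
        if k > self._remaining:
            raise RuntimeError("seed expansion exhausted")
        x = self._pool & ((1 << k) - 1)
        self._pool >>= k
        self._remaining -= k
        return x


def select_uniform(n: int, randbits=secrets.randbits) -> int:
    """Step (i): pick an element of {1, ..., n} uniformly by rejection sampling.
    Draw k bits with 2^k >= n; draws >= n are discarded rather than reduced mod n,
    so every accepted value is equally likely. Under two draws are needed on average."""
    if n < 1:
        raise ValueError("n must be positive")
    k = max(1, (n - 1).bit_length())
    while True:
        x = randbits(k)
        if x < n:
            return x + 1


def random_sequence(m: int, n: int, randbits=secrets.randbits) -> list:
    """Steps (ii)/(iii): a length-m sequence over the alphabet {1, ..., n}."""
    return [select_uniform(n, randbits) for _ in range(m)]


def modulo_bias(k: int, n: int) -> tuple:
    """Exact (min, max) selection probability when a k-bit draw is reduced mod n,
    the shortcut rejection sampling avoids. The two agree only when n divides 2^k."""
    counts = Counter(x % n for x in range(2 ** k))
    return min(counts.values()) / 2 ** k, max(counts.values()) / 2 ** k


def ones_fraction(data: bytes) -> float:
    """Crude sanity check on a bit source: fraction of 1 bits (should be near 1/2).
    Passing it says little; failing it says the source is not uniform."""
    return sum(bin(b).count("1") for b in data) / (8 * len(data))
```

With the default randbits the draws come from the operating system's random source (secrets); passing SeededBits(seed).randbits instead gives the deterministic sequence of the text, identical for anyone holding the seed and unpredictable only to those who do not.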


1.13  Classes  of  attacks  and  security  models 

Over  the  years,  many  different  types  of  attacks  on  cryptographic  primitives  and  protocols 
have  been  identified.  The  discussion  here  limits  consideration  to  attacks  on  encryption  and 
protocols.  Attacks  on  other  cryptographic  primitives  will  be  given  in  appropriate  chapters. 

In §1.11 the roles of an active and a passive adversary were discussed. The attacks these
adversaries can mount may be classified as follows:

1.  A passive  attack  is  one  where  the  adversary  only  monitors  the  communication  chan- 
nel. A passive  attacker  only  threatens  confidentiality  of  data. 

2.  An  active  attack  is  one  where  the  adversary  attempts  to  delete,  add,  or  in  some  other 
way  alter  the  transmission  on  the  channel.  An  active  attacker  threatens  data  integrity 
and  authentication  as  well  as  confidentiality. 

A passive  attack  can  be  further  subdivided  into  more  specialized  attacks  for  deducing 
plaintext  from  ciphertext,  as  outlined  in  §1.13.1. 


1.13.1  Attacks  on  encryption  schemes 

The  objective  of  the  following  attacks  is  to  systematically  recover  plaintext  from  ciphertext, 
or  even  more  drastically,  to  deduce  the  decryption  key. 

1.  A ciphertext-only  attack  is  one  where  the  adversary  (or  cryptanalyst)  tries  to  deduce 
the  decryption  key  or  plaintext  by  only  observing  ciphertext.  Any  encryption  scheme 
vulnerable  to  this  type  of  attack  is  considered  to  be  completely  insecure. 

2.  A known-plaintext  attack  is  one  where  the  adversary  has  a quantity  of  plaintext  and 
corresponding  ciphertext.  This  type  of  attack  is  typically  only  marginally  more  dif- 
ficult to  mount. 

3.  A chosen-plaintext  attack  is  one  where  the  adversary  chooses  plaintext  and  is  then 
given  corresponding  ciphertext.  Subsequently,  the  adversary  uses  any  information 
deduced  in  order  to  recover  plaintext  corresponding  to  previously  unseen  ciphertext. 

4.  An  adaptive  chosen-plaintext  attack  is  a chosen-plaintext  attack  wherein  the  choice 
of  plaintext  may  depend  on  the  ciphertext  received  from  previous  requests. 

5.  A chosen-ciphertext  attack  is  one  where  the  adversary  selects  the  ciphertext  and  is 
then  given  the  corresponding  plaintext.  One  way  to  mount  such  an  attack  is  for  the 
adversary  to  gain  access  to  the  equipment  used  for  decryption  (but  not  the  decryption 
key,  which  may  be  securely  embedded  in  the  equipment).  The  objective  is  then  to 
be  able,  without  access  to  such  equipment,  to  deduce  the  plaintext  from  (different) 
ciphertext. 
6. An adaptive chosen-ciphertext attack is a chosen-ciphertext attack where the choice
of ciphertext may depend on the plaintext received from previous requests.

Most of these attacks also apply to digital signature schemes and message authentication
codes. In this case, the objective of the attacker is to forge messages or MACs, as discussed
in Chapters 11 and 9, respectively.


1.13.2  Attacks  on  protocols 

The  following  is  a partial  list  of  attacks  which  might  be  mounted  on  various  protocols.  Until 
a protocol  is  proven  to  provide  the  service  intended,  the  list  of  possible  attacks  can  never 
be  said  to  be  complete. 

1. known-key attack. In this attack an adversary obtains some keys used previously and
then  uses  this  information  to  determine  new  keys. 

2.  replay.  In  this  attack  an  adversary  records  a communication  session  and  replays  the 
entire  session,  or  a portion  thereof,  at  some  later  point  in  time. 

3.  impersonation.  Here  an  adversary  assumes  the  identity  of  one  of  the  legitimate  par- 
ties in  a network. 

4.  dictionary.  This  is  usually  an  attack  against  passwords.  Typically,  a password  is 
stored  in  a computer  file  as  the  image  of  an  unkeyed  hash  function.  When  a user 
logs  on  and  enters  a password,  it  is  hashed  and  the  image  is  compared  to  the  stored 
value.  An  adversary  can  take  a list  of  probable  passwords,  hash  all  entries  in  this  list, 
and  then  compare  this  to  the  list  of  true  encrypted  passwords  with  the  hope  of  finding 
matches. 

5.  forward  search.  This  attack  is  similar  in  spirit  to  the  dictionary  attack  and  is  used  to 
decrypt  messages.  An  example  of  this  method  was  cited  in  Example  1.60. 

6.  interleaving  attack.  This  type  of  attack  usually  involves  some  form  of  impersonation 
in  an  authentication  protocol  (see  §12.9.1). 


1.13.3  Models  for  evaluating  security 

The security of cryptographic primitives and protocols can be evaluated under several different
models. The most practical security metrics are computational, provable, and ad hoc
methodology, although the latter is often dangerous. The confidence level in the amount
of security provided by a primitive or protocol based on computational or ad hoc security
increases with time and investigation of the scheme. However, time is not enough if few
people have given the method careful analysis.

(i)  Unconditional  security 

The most stringent measure is an information-theoretic measure - whether or not a system
has unconditional security. An adversary is assumed to have unlimited computational
resources, and the question is whether or not there is enough information available to defeat
the system. Unconditional security for encryption systems is called perfect secrecy.
For perfect secrecy, the uncertainty in the plaintext, after observing the ciphertext, must be
equal to the a priori uncertainty about the plaintext - observation of the ciphertext provides
no information whatsoever to an adversary.

A necessary condition for a symmetric-key encryption scheme to be unconditionally
secure is that the key be at least as long as the message. The one-time pad (§1.5.4) is an example
of an unconditionally secure encryption algorithm. In general, encryption schemes
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do not offer perfect secrecy, and each ciphertext character observed decreases the theoretical
uncertainty in the plaintext and the encryption key. Public-key encryption schemes cannot
be unconditionally secure since, given a ciphertext c, the plaintext can in principle be
recovered by encrypting all possible plaintexts until c is obtained.

(ii)  Complexity-theoretic  security 

An appropriate model of computation is defined and adversaries are modeled as having
polynomial computational power. (They mount attacks involving time and space polynomial
in the size of appropriate security parameters.) A proof of security relative to the model
is then constructed. An objective is to design a cryptographic method based on the weakest
assumptions possible anticipating a powerful adversary. Asymptotic analysis and usually
also worst-case analysis is used and so care must be exercised to determine when proofs
have practical significance. In contrast, polynomial attacks which are feasible under the
model might, in practice, still be computationally infeasible.

Security analysis of this type, although not of practical value in all cases, may nonetheless
pave the way to a better overall understanding of security. Complexity-theoretic analysis
is invaluable for formulating fundamental principles and confirming intuition. This is
like many other sciences, whose practical techniques are discovered early in the development,
well before a theoretical basis and understanding is attained.

(iii)  Provable  security 

A cryptographic method is said to be provably secure if the difficulty of defeating it can be
shown to be essentially as difficult as solving a well-known and supposedly difficult (typically
number-theoretic) problem, such as integer factorization or the computation of discrete
logarithms. Thus, “provable” here means provable subject to assumptions.

This  approach  is  considered  by  some  to  be  as  good  a practical  analysis  technique  as 
exists.  Provable  security  may  be  considered  part  of  a special  sub-class  of  the  larger  class  of 
computational  security  considered  next. 

(iv)  Computational  security 

This measures the amount of computational effort required, by the best currently-known
methods, to defeat a system; it must be assumed here that the system has been well-studied
to determine which attacks are relevant. A proposed technique is said to be computationally
secure if the perceived level of computation required to defeat it (using the best attack
known) exceeds, by a comfortable margin, the computational resources of the hypothesized
adversary.

Often methods in this class are related to hard problems but, unlike for provable security,
no proof of equivalence is known. Most of the best known public-key and symmetric-key
schemes in current use are in this class. This class is sometimes also called practical
security.

(v)  Ad  hoc  security 

This  approach  consists  of  any  variety  of  convincing  arguments  that  every  successful  attack 
requires  a resource  level  (e.g.,  time  and  space)  greater  than  the  fixed  resources  of  a perceived 
adversary.  Cryptographic  primitives  and  protocols  which  survive  such  analysis  are  said  to 
have  heuristic  security,  with  security  here  typically  in  the  computational  sense. 

Primitives and protocols are usually designed to counter standard attacks such as those
given in §1.13. While perhaps the most commonly used approach (especially for protocols),
it is, in some ways, the least satisfying. Claims of security generally remain questionable
and unforeseen attacks remain a threat.


Handbook  of  Applied  Cryptography  by  A.  Menezes,  P.  van  Oorschot  and  S.  Vanstone. 




1.13.4  Perspective  for  computational  security 

To  evaluate  the  security  of  cryptographic  schemes,  certain  quantities  are  often  considered. 

1.69 Definition The workfactor $W_d$ is the minimum amount of work (measured in appropriate
units such as elementary operations or clock cycles) required to compute the private key $d$
given the public key $e$, or, in the case of symmetric-key schemes, to determine the secret
key $k$. More specifically, one may consider the work required under a ciphertext-only attack
given $n$ ciphertexts, denoted $W_d(n)$.

If $W_d$ is $t$ years, then for sufficiently large $t$ the cryptographic scheme is, for all practical
purposes, a secure system. To date no public-key system has been found where one can
prove a sufficiently large lower bound on the work factor $W_d$. The best that is possible to
date is to rely on the following as a basis for security.

1.70 Definition The historical work factor $\widetilde{W_d}$ is the minimum amount of work required to
compute the private key $d$ from the public key $e$ using the best known algorithms at a given
point in time.

The historical work factor $\widetilde{W_d}$ varies with time as algorithms and technology improve.
It corresponds to computational security, whereas $W_d$ corresponds to the true security level,
although this typically cannot be determined.

How  large  is  large? 

§1.4 described how the designer of an encryption system tries to create a scheme for which
the best approach to breaking it is through exhaustive search of the key space. The key
space must then be large enough to make an exhaustive search completely infeasible. An
important question then is “How large is large?”. In order to gain some perspective on the
magnitude of numbers, Table 1.2 lists various items along with an associated magnitude.


    Reference                                   Magnitude
    --------------------------------------------------------------
    Seconds in a year                           ≈ 3 × 10^7
    Age of our solar system (years)             ≈ 6 × 10^9
    Seconds since creation of solar system      ≈ 2 × 10^17
    Clock cycles per year, 50 MHz computer      ≈ 1.6 × 10^15
    Binary strings of length 64                 2^64 ≈ 1.8 × 10^19
    Binary strings of length 128                2^128 ≈ 3.4 × 10^38
    Binary strings of length 256                2^256 ≈ 1.2 × 10^77
    Number of 75-digit prime numbers            5.2 × 10^72
    Electrons in the universe                   ≈ 8.37 × 10^77

Table 1.2: Reference numbers comparing relative magnitudes.
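As an added example (not from the Handbook), the following Python turns the “How large is large?” question into a calculation with the reference magnitudes of Table 1.2; the key-test rates, machine counts and budgets passed in are assumed illustrative values, and one key test per clock cycle is an optimistic (attacker-friendly) assumption.

```python
from math import ceil, log2

# Reference magnitudes from Table 1.2 (rounded as in the table).
SECONDS_PER_YEAR = 3e7
SOLAR_SYSTEM_AGE_YEARS = 6e9


def exhaustive_search_years(key_bits, keys_per_second, machines=1, expected=True):
    """Years to recover a key_bits-bit key by exhaustive search.

    With expected=True the attacker is credited with success after trying half
    the key space on average; otherwise the whole key space is counted.
    """
    keys_to_try = 2 ** key_bits
    if expected:
        keys_to_try /= 2
    return keys_to_try / (keys_per_second * machines * SECONDS_PER_YEAR)


def is_infeasible(key_bits, keys_per_second, machines=1,
                  budget_years=SOLAR_SYSTEM_AGE_YEARS):
    """True if even the expected search exceeds the adversary's time budget."""
    return exhaustive_search_years(key_bits, keys_per_second, machines) > budget_years


def key_bits_needed(keys_per_second, machines, budget_years, margin_bits=0):
    """Smallest key length whose expected exhaustive search is not shorter
    than the budget.

    trials = keys the adversary can test within the budget. The expected search
    covers 2**(bits-1) keys, so bits = ceil(log2(trials)) + 1 makes
    2**(bits-1) >= trials. margin_bits adds headroom for algorithmic and
    hardware improvements (the historical work factor falls over time).
    """
    trials = keys_per_second * machines * budget_years * SECONDS_PER_YEAR
    return ceil(log2(trials)) + 1 + margin_bits


if __name__ == "__main__":
    rate = 50e6  # Table 1.2's 50 MHz machine, one key test per cycle (assumed)
    for bits in (64, 128, 256):
        print(f"{bits:3d}-bit key, one 50 MHz machine: "
              f"{exhaustive_search_years(bits, rate):.3g} years (expected)")
    print(f"128-bit key, 10^6 such machines: "
          f"{exhaustive_search_years(128, rate, 10**6):.3g} years")
    # Assumed budget: 10^12 keys/s on 10^6 machines for the age of the solar system.
    print("key bits needed:",
          key_bits_needed(1e12, 1e6, SOLAR_SYSTEM_AGE_YEARS, margin_bits=8))
```

Run as a script it prints that a single 50 MHz machine exhausts a 64-bit key space in a little over ten thousand years (so a few thousand machines bring it within reach), while 128 bits stay far beyond the age of the solar system even with a million machines.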


Some powers of 10 are referred to by prefixes. For example, high-speed modern computers
are now being rated in terms of teraflops where a teraflop is 10^12 floating point operations
per second. Table 1.3 provides a list of commonly used prefixes.
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    Prefix   Symbol   Magnitude        Prefix   Symbol   Magnitude
    ------------------------------------------------------------------
    exa      E        10^18            deci     d        10^-1
    peta     P        10^15            centi    c        10^-2
    tera     T        10^12            milli    m        10^-3
    giga     G        10^9             micro    µ        10^-6
    mega     M        10^6             nano     n        10^-9
    kilo     k        10^3             pico     p        10^-12
    hecto    h        10^2             femto    f        10^-15
    deca     da       10               atto     a        10^-18

Table 1.3: Prefixes used for various powers of 10.


1.14  Notes  and  further  references 

§1.1 

Kahn [648] gives a thorough, comprehensive, and non-technical history of cryptography,
published in 1967. Feistel [387] provides an early exposition of block cipher ideas. The
original specification of DES is the 1977 U.S. Federal Information Processing Standards
Publication 46 [396]. Public-key cryptography was introduced by Diffie and Hellman
[345]. The first concrete realization of a public-key encryption scheme was the knapsack
scheme by Merkle and Hellman [857]. The RSA public-key encryption and signature scheme
is due to Rivest, Shamir, and Adleman [1060], while the ElGamal public-key encryption
and signature schemes are due to ElGamal [368]. The two digital signature standards,
ISO/IEC 9796 [596] and the Digital Signature Standard [406], are discussed extensively in
Chapter 11.

Cryptography has used specialized areas of mathematics such as number theory to realize
very practical mechanisms such as public-key encryption and digital signatures. Such usage
was not conceived as possible a mere twenty years ago. The famous mathematician, Hardy
[539], went as far as to boast about its lack of utility:

“ . . . both  Gauss  and  lesser  mathematicians  may  be  justified  in  rejoicing  that 
there  is  one  science  at  any  rate,  and  that  their  own,  whose  very  remoteness  from 
ordinary  human  activities  should  keep  it  gentle  and  clean.” 

§1.2 

This section was inspired by the foreword to the book Contemporary Cryptology, The Science
of Information Integrity, edited by Simmons [1143]. The handwritten signature came
into the British legal system in the seventeenth century as a means to provide various functions
associated with information security. See Chapter 9 of Meyer and Matyas [859] for
details.

This book only considers cryptography as it applies to information in digital form. Chapter
9 of Beker and Piper [84] provides an introduction to the encryption of analogue signals,
in particular, speech. Although in many cases physical means are employed to facilitate
privacy, cryptography plays the major role. Physical means of providing privacy include
fiber optic communication links, spread spectrum technology, TEMPEST techniques, and
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tamper-resistant hardware. Steganography is that branch of information privacy which attempts
to obscure the existence of data through such devices as invisible inks, secret compartments,
the use of subliminal channels, and the like. Kahn [648] provides an historical
account of various steganographic techniques.

Excellent introductions to cryptography can be found in the articles by Diffie and Hellman
[347], Massey [786], and Rivest [1054]. A concise and elegant way to describe cryptography
was given by Rivest [1054]: Cryptography is about communication in the presence of
adversaries. The taxonomy of cryptographic primitives (Figure 1.1) was derived from the
classification given by Bosselaers, Govaerts, and Vandewalle [175].

The theory of functions is fundamental in modern mathematics. The term range is often
used in place of image of a function. The latter, being more descriptive, is preferred. An
alternate term for one-to-one is injective; an alternate term for onto is surjective.

One-way functions were introduced by Diffie and Hellman [345]. A more extensive history
is given on page 377. Trapdoor one-way functions were first postulated by Diffie and Hellman
[345] and independently by Merkle [850] as a means to obtain public-key encryption
schemes; several candidates are given in Chapter 8.

The  basic  concepts  of  cryptography  are  treated  quite  differently  by  various  authors,  some 
being  more  technical  than  others.  Brassard  [192]  provides  a concise,  lucid,  and  technically 
accurate  account.  Schneier  [1094]  gives  a less  technical  but  very  accessible  introduction. 
Salomaa  [1089],  Stinson  [1178],  and  Rivest  [1054]  present  more  mathematical  approaches. 
Davies  and  Price  [308]  provide  a very  readable  presentation  suitable  for  the  practitioner. 

The comparison of an encryption scheme to a resettable combination lock is from Diffie
and Hellman [347]. Kerckhoffs' desiderata [668] were originally stated in French. The
translation stated here is given in Kahn [648]. Shannon [1121] also gives desiderata for
encryption schemes.

Symmetric-key encryption has a very long history, as recorded by Kahn [648]. Most systems
invented prior to the 1970s are now of historical interest only. Chapter 2 of Denning
[326] is also a good source for many of the more well known schemes such as the Caesar
cipher, Vigenère and Beaufort ciphers, rotor machines (Enigma and Hagelin), running key
ciphers, and so on; see also Davies and Price [308] and Konheim [705]. Beker and Piper
[84] give an in-depth treatment, including cryptanalysis of several of the classical systems
used in World War II. Shannon's paper [1121] is considered the seminal work on secure
communications. It is also an excellent source for descriptions of various well-known historical
symmetric-key ciphers.

Simple substitution and transposition ciphers are the focus of §1.5. Hill ciphers [557], a
class of substitution ciphers which substitute blocks using matrix methods, are covered in
Example 7.52. The idea of confusion and diffusion (Remark 1.36) was introduced by Shannon
[1121].

Kahn [648] gives 1917 as the date when Vernam discovered the cipher which bears Vernam's
name, however, Vernam did not publish the result until 1926 [1222]; see page 274
for further discussion. Massey [786] states that reliable sources have suggested that the
Moscow-Washington hot-line (channel for very high level communications) is no longer
secured with a one-time pad, which has been replaced by a symmetric-key cipher requiring
a much shorter key. This change would indicate that confidence and understanding in the
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ability to construct very strong symmetric-key encryption schemes exists. The one-time
pad seems to have been used extensively by Russian agents operating in foreign countries.
The highest ranking Russian agent ever captured in the United States was Rudolph Abel.
When  apprehended  in  1957  he  had  in  his  possession  a booklet  the  size  of  a postage  stamp 
a|  x I x inches)  containing  a one-time  key;  see  Kahn  [648,  p.664]. 

§1.6 

The concept of a digital signature was introduced by Diffie and Hellman [345] and independently
by Merkle [850]. The first practical realization of a digital signature scheme appeared
in the paper by Rivest, Shamir, and Adleman [1060]. Rabin [1022] (see also [1023]) also
claims to have independently discovered RSA but did not publish the result.

Most introductory sources for digital signatures stress digital signatures with message recovery
coming from a public-key encryption system. Mitchell, Piper, and Wild [882] give
a good general treatment of the subject. Stinson [1178] provides a similar elementary but
general introduction. Chapter 11 generalizes the definition of a digital signature by allowing
randomization. The scheme described in §1.8 is referred to as deterministic. Many other
types of digital signatures with specific properties have been created, such as blind signatures,
undeniable signatures, and fail-stop signatures (see Chapter 11).

§1.7 

Much effort has been devoted to developing a theory of authentication. At the forefront of
this is Simmons [1144], whose contributions are nicely summarized by Massey [786]. For
a more concrete example of the necessity for authentication without secrecy, see the article
by Simmons [1146].

§1.8 

1976 marked a major turning point in the history of cryptography. In several papers that
year, Diffie and Hellman introduced the idea of public-key cryptography and gave concrete
examples of how such a scheme might be realized. The first paper on public-key cryptography
was “Multiuser cryptographic techniques” by Diffie and Hellman [344], presented
at the National Computer Conference in June of 1976. Although the authors were not satisfied
with the examples they cited, the concept was made clear. In their landmark paper,
Diffie and Hellman [345] provided a more comprehensive account of public-key cryptography
and described the first viable method to realize this elegant concept. Another good
source for the early history and development of the subject is Diffie [343]. Nechvatal [922]
also provides a broad survey of public-key cryptography.

Merkle [849, 850] independently discovered public-key cryptography, illustrating how this
concept could be realized by giving an elegant and ingenious example now commonly referred
to as the Merkle puzzle scheme. Simmons [1144, p.412] notes the first reported application
of public-key cryptography was fielded by Sandia National Laboratories (U.S.) in
1978.

§1.9 

Much of the early work on cryptographic hash functions was done by Merkle [850]. The
most comprehensive current treatment of the subject is by Preneel [1004].

§1.10 

A large  number  of  successful  cryptanalytic  attacks  on  systems  claiming  security  are  due  to 
protocol  failure.  An  overview  of  this  area  is  given  by  Moore  [899],  including  classifications 
of  protocol  failures  and  design  principles. 
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§1.11

One approach to distributing public keys is the so-called Merkle channel (see Simmons
[1144, p.387]). Merkle proposed that public keys be distributed over so many independent
public channels (newspaper, radio, television, etc.) that it would be improbable for an adversary
to compromise all of them.

In 1979 Kohnfelder [702] suggested the idea of using public-key certificates to facilitate
the distribution of public keys over unsecured channels, such that their authenticity can be
verified. Essentially the same idea, but by on-line requests, was proposed by Needham and
Schroeder (see Wilkes [1244]).

A provably secure key agreement protocol has been proposed whose security is based on the
Heisenberg uncertainty principle of quantum physics. The security of so-called quantum
cryptography does not rely upon any complexity-theoretic assumptions. For further details
on quantum cryptography, consult Chapter 6 of Brassard [192], and Bennett, Brassard, and
Ekert [115].

§1.12 

For an introduction and detailed treatment of many pseudorandom sequence generators, see
Knuth [692]. Knuth cites an example of a complex scheme to generate random numbers
which on closer analysis is shown to produce numbers which are far from random, and concludes:
...random numbers should not be generated with a method chosen at random.

§1.13 

The seminal work of Shannon [1121] on secure communications, published in 1949, remains
as one of the best introductions to both practice and theory, clearly presenting many
of the fundamental ideas including redundancy, entropy, and unicity distance. Various models
under which security may be examined are considered by Rueppel [1081], Simmons
[1144], and Preneel [1003], among others; see also Goldwasser [476].
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This chapter is a collection of basic material on probability theory, information theory,
complexity theory, number theory, abstract algebra, and finite fields that will be used
throughout this book. Further background and proofs of the facts presented here can be
found in the references given in §2.7. The following standard notation will be used throughout:

1. $\mathbb{Z}$ denotes the set of integers; that is, the set $\{\ldots, -2, -1, 0, 1, 2, \ldots\}$.

2. $\mathbb{Q}$ denotes the set of rational numbers; that is, the set $\{\frac{a}{b} \mid a, b \in \mathbb{Z}, b \neq 0\}$.

3. $\mathbb{R}$ denotes the set of real numbers.

4. $\pi$ is the mathematical constant; $\pi \approx 3.14159$.

5. $e$ is the base of the natural logarithm; $e \approx 2.71828$.

6. $[a, b]$ denotes the integers $x$ satisfying $a \le x \le b$.

7. $\lfloor x \rfloor$ is the largest integer less than or equal to $x$. For example, $\lfloor 5.2 \rfloor = 5$ and
$\lfloor -5.2 \rfloor = -6$.

8. $\lceil x \rceil$ is the smallest integer greater than or equal to $x$. For example, $\lceil 5.2 \rceil = 6$ and
$\lceil -5.2 \rceil = -5$.

9. If $A$ is a finite set, then $|A|$ denotes the number of elements in $A$, called the cardinality
of $A$.

10. $a \in A$ means that element $a$ is a member of the set $A$.

11. $A \subseteq B$ means that $A$ is a subset of $B$.

12. $A \subset B$ means that $A$ is a proper subset of $B$; that is, $A \subseteq B$ and $A \neq B$.

13. The intersection of sets $A$ and $B$ is the set $A \cap B = \{x \mid x \in A \text{ and } x \in B\}$.

14. The union of sets $A$ and $B$ is the set $A \cup B = \{x \mid x \in A \text{ or } x \in B\}$.

15. The difference of sets $A$ and $B$ is the set $A - B = \{x \mid x \in A \text{ and } x \notin B\}$.

16. The Cartesian product of sets $A$ and $B$ is the set $A \times B = \{(a, b) \mid a \in A \text{ and } b \in B\}$.
For example, $\{a_1, a_2\} \times \{b_1, b_2, b_3\} = \{(a_1, b_1), (a_1, b_2), (a_1, b_3), (a_2, b_1),
(a_2, b_2), (a_2, b_3)\}$.

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17. A function or mapping $f : A \to B$ is a rule which assigns to each element $a$ in $A$
precisely one element $b$ in $B$. If $a \in A$ is mapped to $b \in B$ then $b$ is called the image
of $a$, $a$ is called a preimage of $b$, and this is written $f(a) = b$. The set $A$ is called the
domain of $f$, and the set $B$ is called the codomain of $f$.

18. A function $f : A \to B$ is $1-1$ (one-to-one) or injective if each element in $B$ is the
image of at most one element in $A$. Hence $f(a_1) = f(a_2)$ implies $a_1 = a_2$.

19. A function $f : A \to B$ is onto or surjective if each $b \in B$ is the image of at least
one $a \in A$.

20. A function $f : A \to B$ is a bijection if it is both one-to-one and onto. If $f$ is a
bijection between finite sets $A$ and $B$, then $|A| = |B|$. If $f$ is a bijection between a
set $A$ and itself, then $f$ is called a permutation on $A$.

21. $\ln x$ is the natural logarithm of $x$; that is, the logarithm of $x$ to the base $e$.

22. $\lg x$ is the logarithm of $x$ to the base 2.

23. $\exp(x)$ is the exponential function $e^x$.

24. $\sum_{i=1}^{n} a_i$ denotes the sum $a_1 + a_2 + \cdots + a_n$.

25. $\prod_{i=1}^{n} a_i$ denotes the product $a_1 \cdot a_2 \cdots a_n$.

26. For a positive integer $n$, the factorial function is $n! = n(n-1)(n-2) \cdots 1$. By
convention, $0! = 1$.


2.1  Probability  theory 


2.1.1  Basic  definitions 

2.1 Definition An experiment is a procedure that yields one of a given set of outcomes. The
individual possible outcomes are called simple events. The set of all possible outcomes is
called the sample space.

This chapter only considers discrete sample spaces; that is, sample spaces with only
finitely many possible outcomes. Let the simple events of a sample space $S$ be labeled
$s_1, s_2, \ldots, s_n$.

2.2 Definition A probability distribution $P$ on $S$ is a sequence of numbers $p_1, p_2, \ldots, p_n$ that
are all non-negative and sum to 1. The number $p_i$ is interpreted as the probability of $s_i$ being
the outcome of the experiment.

2.3 Definition An event $E$ is a subset of the sample space $S$. The probability that event $E$
occurs, denoted $P(E)$, is the sum of the probabilities $p_i$ of all simple events $s_i$ which belong
to $E$. If $s_i \in S$, $P(\{s_i\})$ is simply denoted by $P(s_i)$.

2.4 Definition If $E$ is an event, the complementary event is the set of simple events not belonging
to $E$, denoted $\overline{E}$.

2.5 Fact Let $E \subseteq S$ be an event.

(i) $0 \le P(E) \le 1$. Furthermore, $P(S) = 1$ and $P(\emptyset) = 0$. ($\emptyset$ is the empty set.)

(ii) $P(\overline{E}) = 1 - P(E)$.

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(iii) If the outcomes in $S$ are equally likely, then $P(E) =$

2.6 Definition Two events $E_1$ and $E_2$ are called mutually exclusive if $P(E_1 \cap E_2) = 0$. That
is, the occurrence of one of the two events excludes the possibility that the other occurs.

2.7 Fact Let $E_1$ and $E_2$ be two events.

(i) If $E_1 \subseteq E_2$, then $P(E_1) \le P(E_2)$.

(ii) $P(E_1 \cup E_2) + P(E_1 \cap E_2) = P(E_1) + P(E_2)$. Hence, if $E_1$ and $E_2$ are mutually
exclusive, then $P(E_1 \cup E_2) = P(E_1) + P(E_2)$.


2.1.2  Conditional  probability 


2.8 Definition Let $E_1$ and $E_2$ be two events with $P(E_2) > 0$. The conditional probability of
$E_1$ given $E_2$, denoted $P(E_1 \mid E_2)$, is

$$P(E_1 \mid E_2) = \frac{P(E_1 \cap E_2)}{P(E_2)}.$$

$P(E_1 \mid E_2)$ measures the probability of event $E_1$ occurring, given that $E_2$ has occurred.

2.9 Definition Events $E_1$ and $E_2$ are said to be independent if $P(E_1 \cap E_2) = P(E_1)P(E_2)$.

Observe that if $E_1$ and $E_2$ are independent, then $P(E_1 \mid E_2) = P(E_1)$ and $P(E_2 \mid E_1) =
P(E_2)$. That is, the occurrence of one event does not influence the likelihood of occurrence
of the other.

2.10 Fact (Bayes' theorem) If $E_1$ and $E_2$ are events with $P(E_2) > 0$, then

$$P(E_1 \mid E_2) = \frac{P(E_1)\,P(E_2 \mid E_1)}{P(E_2)}.$$


2.1.3  Random  variables 

Let $S$ be a sample space with probability distribution $P$.

2.11 Definition A random variable $X$ is a function from the sample space $S$ to the set of real
numbers; to each simple event $s_i \in S$, $X$ assigns a real number $X(s_i)$.

Since $S$ is assumed to be finite, $X$ can only take on a finite number of values.

2.12 Definition Let $X$ be a random variable on $S$. The expected value or mean of $X$ is
$E(X) = \sum_{s_i \in S} X(s_i) P(s_i)$.

2.13 Fact Let $X$ be a random variable on $S$. Then $E(X) = \sum_{x \in \mathbb{R}} x \cdot P(X = x)$.

2.14 Fact If $X_1, X_2, \ldots, X_m$ are random variables on $S$, and $a_1, a_2, \ldots, a_m$ are real numbers,
then $E\left(\sum_{i=1}^{m} a_i X_i\right) = \sum_{i=1}^{m} a_i E(X_i)$.

2.15 Definition The variance of a random variable $X$ of mean $\mu$ is a non-negative number defined
by

$$\mathrm{Var}(X) = E\left((X - \mu)^2\right).$$

The standard deviation of $X$ is the non-negative square root of $\mathrm{Var}(X)$.
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If a random variable has small variance then large deviations from the mean are unlikely
to be observed. This statement is made more precise below.

2.16 Fact (Chebyshev's inequality) Let $X$ be a random variable with mean $\mu = E(X)$ and
variance $\sigma^2 = \mathrm{Var}(X)$. Then for any $t > 0$,

$$P(|X - \mu| \ge t) \le \frac{\sigma^2}{t^2}.$$


2.1.4  Binomial  distribution 

2.17 Definition Let $n$ and $k$ be non-negative integers. The binomial coefficient $\binom{n}{k}$ is the number
of different ways of choosing $k$ distinct objects from a set of $n$ distinct objects, where
the order of choice is not important.

2.18 Fact (properties of binomial coefficients) Let $n$ and $k$ be non-negative integers.

(i) $\binom{n}{k} = \frac{n!}{k!\,(n-k)!}$.

(ii) $\binom{n}{k} = \binom{n}{n-k}$.

(iii) $\binom{n+1}{k+1} = \binom{n}{k} + \binom{n}{k+1}$.

2.19 Fact (binomial theorem) For any real numbers $a$, $b$, and non-negative integer $n$,
$(a+b)^n = \sum_{k=0}^{n} \binom{n}{k} a^k b^{n-k}$.

2.20 Definition A Bernoulli trial is an experiment with exactly two possible outcomes, called
success and failure.

2.21 Fact Suppose that the probability of success on a particular Bernoulli trial is $p$. Then the
probability of exactly $k$ successes in a sequence of $n$ such independent trials is

$$\binom{n}{k} p^k (1-p)^{n-k}, \quad \text{for each } 0 \le k \le n. \tag{2.1}$$

2.22 Definition The probability distribution (2.1) is called the binomial distribution.

2.23 Fact The expected number of successes in a sequence of $n$ independent Bernoulli trials,
with probability $p$ of success in each trial, is $np$. The variance of the number of successes
is $np(1-p)$.

2.24 Fact (law of large numbers) Let $X$ be the random variable denoting the fraction of successes
in $n$ independent Bernoulli trials, with probability $p$ of success in each trial. Then
for any $\epsilon > 0$,

$$P(|X - p| > \epsilon) \to 0, \quad \text{as } n \to \infty.$$

In other words, as $n$ gets larger, the proportion of successes should be close to $p$, the
probability of success in each trial.
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2.1.5  Birthday  problems 

2.25  Definition 

(i)  For  positive  integers  to,  n with  to  > n,  the  number  mSn^  is  defined  as  follows: 

m^1'1  = to(to  — 1)(to  — 2)  • • • (to  — n + 1). 

(ii)  Let  to,  n be  non-negative  integers  with  to  > n.  The  Stirling  number  of  the  second 
kind , denoted  {m|,  is 

k 7 fc=0  v 7 

with  the  exception  that  {[]}  = 1. 

The  symbol  j } counts  the  number  of  ways  of  partitioning  a set  of  to  objects  into  n 
non-empty  subsets. 


2.26 Fact (classical occupancy problem) An urn has $m$ balls numbered 1 to $m$. Suppose that $n$ balls are drawn from the urn one at a time, with replacement, and their numbers are listed. The probability that exactly $t$ different balls have been drawn is

$$P_1(m,n,t) = \frac{m^{(t)}}{m^n}\left\{{n \atop t}\right\}, \quad 1 \le t \le n.$$

The birthday problem is a special case of the classical occupancy problem.


2.27 Fact (birthday problem) An urn has $m$ balls numbered 1 to $m$. Suppose that $n$ balls are drawn from the urn one at a time, with replacement, and their numbers are listed.

(i) The probability of at least one coincidence (i.e., a ball drawn at least twice) is

$$P_2(m,n) = 1 - P_1(m,n,n) = 1 - \frac{m^{(n)}}{m^n} = 1 - \prod_{k=1}^{n-1}\left(1 - \frac{k}{m}\right), \quad 1 \le n \le m.$$

If $n = O(\sqrt{m})$ (see Definition 2.55) and $m \to \infty$, then

$$P_2(m,n) \to 1 - \exp\left(-\frac{n(n-1)}{2m} + O\left(\frac{1}{\sqrt{m}}\right)\right) \approx 1 - \exp\left(-\frac{n^2}{2m}\right). \qquad (2.2)$$

(ii) As $m \to \infty$, the expected number of draws before a coincidence is $\sqrt{\frac{\pi m}{2}}$.

The following explains why probability distribution (2.2) is referred to as the birthday surprise or birthday paradox. The probability that at least 2 people in a room of 23 people have the same birthday is $P_2(365, 23) \approx 0.507$, which is surprisingly large. The quantity $P_2(365, n)$ also increases rapidly as $n$ increases; for example, $P_2(365, 30) \approx 0.706$.

A different kind of problem is considered in Facts 2.28, 2.29, and 2.30 below. Suppose that there are two urns, one containing $m$ white balls numbered 1 to $m$, and the other containing $m$ red balls numbered 1 to $m$. First, $n_1$ balls are selected from the first urn and their numbers listed. Then $n_2$ balls are selected from the second urn and their numbers listed. Finally, the number of coincidences between the two lists is counted.


2.28 Fact (model A) If the balls from both urns are drawn one at a time, with replacement, then the probability of at least one coincidence is

$$P_3(m,n_1,n_2) = 1 - \frac{1}{m^{n_1+n_2}} \sum_{t_1,t_2} \left\{{n_1 \atop t_1}\right\}\left\{{n_2 \atop t_2}\right\} m^{(t_1+t_2)},$$

where the summation is over all $0 \le t_1 \le n_1$, $0 \le t_2 \le n_2$. If $n = n_1 = n_2$, $n = O(\sqrt{m})$ and $m \to \infty$, then

$$P_3(m,n_1,n_2) \to 1 - \exp\left(-\frac{n^2}{m}\left[1 + O\left(\frac{1}{\sqrt{m}}\right)\right]\right) \approx 1 - \exp\left(-\frac{n^2}{m}\right).$$

2.29 Fact (model B) If the balls from both urns are drawn without replacement, then the probability of at least one coincidence is

$$P_4(m,n_1,n_2) = 1 - \frac{m^{(n_1+n_2)}}{m^{(n_1)}\, m^{(n_2)}}.$$

If $n_1 = O(\sqrt{m})$, $n_2 = O(\sqrt{m})$, and $m \to \infty$, then

$$P_4(m,n_1,n_2) \to 1 - \exp\left(-\frac{n_1 n_2}{m}\left[1 + \frac{n_1 + n_2 - 1}{2m} + O\left(\frac{1}{m}\right)\right]\right).$$

2.30 Fact (model C) If the $n_1$ white balls are drawn one at a time, with replacement, and the $n_2$ red balls are drawn without replacement, then the probability of at least one coincidence is

$$P_5(m,n_1,n_2) = 1 - \left(1 - \frac{n_2}{m}\right)^{n_1}.$$

If $n_1 = O(\sqrt{m})$, $n_2 = O(\sqrt{m})$, and $m \to \infty$, then

$$P_5(m,n_1,n_2) \to 1 - \exp\left(-\frac{n_1 n_2}{m}\left[1 + O\left(\frac{1}{\sqrt{m}}\right)\right]\right) \approx 1 - \exp\left(-\frac{n_1 n_2}{m}\right).$$

2.1.6  Random  mappings 

2.31 Definition Let $\mathcal{F}_n$ denote the collection of all functions (mappings) from a finite domain of size $n$ to a finite codomain of size $n$.

Models where random elements of $\mathcal{F}_n$ are considered are called random mappings models. In this section the only random mappings model considered is where every function from $\mathcal{F}_n$ is equally likely to be chosen; such models arise frequently in cryptography and algorithmic number theory. Note that $|\mathcal{F}_n| = n^n$, whence the probability that a particular function from $\mathcal{F}_n$ is chosen is $1/n^n$.

2.32 Definition Let $f$ be a function in $\mathcal{F}_n$ with domain and codomain equal to $\{1, 2, \ldots, n\}$. The functional graph of $f$ is a directed graph whose points (or vertices) are the elements $\{1, 2, \ldots, n\}$ and whose edges are the ordered pairs $(x, f(x))$ for all $x \in \{1, 2, \ldots, n\}$.

2.33 Example (functional graph) Consider the function $f : \{1, 2, \ldots, 13\} \to \{1, 2, \ldots, 13\}$ defined by $f(1) = 4$, $f(2) = 11$, $f(3) = 1$, $f(4) = 6$, $f(5) = 3$, $f(6) = 9$, $f(7) = 3$, $f(8) = 11$, $f(9) = 1$, $f(10) = 2$, $f(11) = 10$, $f(12) = 4$, $f(13) = 7$. The functional graph of $f$ is shown in Figure 2.1. □

As  Figure  2.1  illustrates,  a functional  graph  may  have  several  components  (maximal 
connected  subgraphs),  each  component  consisting  of  a directed  cycle  and  some  directed 
trees  attached  to  the  cycle. 

Figure 2.1: A functional graph (see Example 2.33).

2.34 Fact As $n$ tends to infinity, the following statements regarding the functional digraph of a random function $f$ from $\mathcal{F}_n$ are true:

(i) The expected number of components is $\frac{1}{2}\ln n$.

(ii) The expected number of points which are on the cycles is $\sqrt{\pi n/2}$.

(iii) The expected number of terminal points (points which have no preimages) is $n/e$.

(iv) The expected number of $k$-th iterate image points ($x$ is a $k$-th iterate image point if $x = \underbrace{f(f(\cdots f}_{k \text{ times}}(y)\cdots))$ for some $y$) is $(1 - \tau_k)n$, where the $\tau_k$ satisfy the recurrence

$$\tau_0 = 0, \quad \tau_{k+1} = e^{-1+\tau_k} \text{ for } k \ge 0.$$

2.35 Definition Let $f$ be a random function from $\{1, 2, \ldots, n\}$ to $\{1, 2, \ldots, n\}$ and let $u \in \{1, 2, \ldots, n\}$. Consider the sequence of points $u_0, u_1, u_2, \ldots$ defined by $u_0 = u$, $u_i = f(u_{i-1})$ for $i \ge 1$. In terms of the functional graph of $f$, this sequence describes a path that connects to a cycle.

(i) The number of edges in the path is called the tail length of $u$, denoted $\lambda(u)$.

(ii) The number of edges in the cycle is called the cycle length of $u$, denoted $\mu(u)$.

(iii) The rho-length of $u$ is the quantity $\rho(u) = \lambda(u) + \mu(u)$.

(iv) The tree size of $u$ is the number of edges in the maximal tree rooted on a cycle in the component that contains $u$.

(v) The component size of $u$ is the number of edges in the component that contains $u$.

(vi) The predecessors size of $u$ is the number of iterated preimages of $u$.

2.36 Example The functional graph in Figure 2.1 has 2 components and 4 terminal points. The point $u = 3$ has parameters $\lambda(u) = 1$, $\mu(u) = 4$, $\rho(u) = 5$. The tree, component, and predecessors sizes of $u = 3$ are 4, 9, and 3, respectively. □
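The parameters of Definition 2.35, computed for the function of Example 2.33 by following $u, f(u), f(f(u)), \ldots$ until a point repeats; this is an added example, not the book's code, and the dict F_EXAMPLE is simply the table of Example 2.33.

```python
"""Functional-graph parameters of Definition 2.35 for the 13-point function of
Example 2.33.  Added example, not the book's code."""
from collections import defaultdict

# Example 2.33: f(1) = 4, f(2) = 11, ..., f(13) = 7, stored as a dict
F_EXAMPLE = {1: 4, 2: 11, 3: 1, 4: 6, 5: 3, 6: 9, 7: 3, 8: 11, 9: 1,
             10: 2, 11: 10, 12: 4, 13: 7}


def tail_cycle_rho(f: dict, u: int) -> tuple:
    """Follow u, f(u), f(f(u)), ... until a point repeats.  The position of
    the first visit to that point is the tail length lambda(u); the number of
    steps since then is the cycle length mu(u); rho(u) is their sum."""
    first_seen, x, i = {}, u, 0
    while x not in first_seen:
        first_seen[x] = i
        x, i = f[x], i + 1
    tail = first_seen[x]
    return tail, i - tail, i


def preimages(f: dict) -> dict:
    """Map each point y to the set of x with f(x) = y."""
    pre = defaultdict(set)
    for x, y in f.items():
        pre[y].add(x)
    return pre


def components(f: dict) -> list:
    """Maximal connected subgraphs, by flood fill over the edges (x, f(x))
    taken in both directions."""
    nbrs = defaultdict(set)
    for x, y in f.items():
        nbrs[x].add(y)
        nbrs[y].add(x)
    seen, comps = set(), []
    for start in f:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            x = stack.pop()
            if x not in comp:
                comp.add(x)
                stack.extend(nbrs[x])
        seen |= comp
        comps.append(comp)
    return comps


def terminal_points(f: dict) -> set:
    """Points with no preimage (Fact 2.34(iii) gives their expected count)."""
    return set(f) - set(f.values())


def predecessors_size(f: dict, u: int) -> int:
    """Definition 2.35(vi): number of iterated preimages of u."""
    pre, found, stack = preimages(f), set(), [u]
    while stack:
        for x in pre[stack.pop()]:
            if x not in found:
                found.add(x)
                stack.append(x)
    return len(found)


def component_size(f: dict, u: int) -> int:
    """Definition 2.35(v), in edges.  Every point has exactly one outgoing
    edge, so a component has as many edges as points."""
    return len(next(c for c in components(f) if u in c))


def tree_size(f: dict, u: int) -> int:
    """Definition 2.35(iv): the largest tree hanging off a cycle point of u's
    component, in edges.  A point is on a cycle iff its tail length is 0; the
    tree rooted at cycle point c is the set of iterated preimages of c that
    are reached without stepping back onto the cycle."""
    comp = next(c for c in components(f) if u in c)
    on_cycle = {x for x in comp if tail_cycle_rho(f, x)[0] == 0}
    pre, best = preimages(f), 0
    for c in on_cycle:
        size, stack = 0, [x for x in pre[c] if x not in on_cycle]
        while stack:
            x = stack.pop()
            size += 1
            stack.extend(pre[x])
        best = max(best, size)
    return best


if __name__ == "__main__":
    u = 3
    lam, mu, rho = tail_cycle_rho(F_EXAMPLE, u)
    print(f"components: {len(components(F_EXAMPLE))}, "
          f"terminal points: {sorted(terminal_points(F_EXAMPLE))}")
    print(f"u = {u}: lambda = {lam}, mu = {mu}, rho = {rho}")
    print(f"tree size = {tree_size(F_EXAMPLE, u)}, component size = "
          f"{component_size(F_EXAMPLE, u)}, predecessors size = "
          f"{predecessors_size(F_EXAMPLE, u)}")
```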

2.37 Fact As $n$ tends to infinity, the following are the expectations of some parameters associated with a random point in $\{1, 2, \ldots, n\}$ and a random function from $\mathcal{F}_n$: (i) tail length: $\sqrt{\pi n/8}$ (ii) cycle length: $\sqrt{\pi n/8}$ (iii) rho-length: $\sqrt{\pi n/2}$ (iv) tree size: $n/3$ (v) component size: $2n/3$ (vi) predecessors size: $\sqrt{\pi n/8}$.

2.38 Fact As $n$ tends to infinity, the expectations of the maximum tail, cycle, and rho lengths in a random function from $\mathcal{F}_n$ are $c_1\sqrt{n}$, $c_2\sqrt{n}$, and $c_3\sqrt{n}$, respectively, where $c_1 \approx 0.78248$, $c_2 \approx 1.73746$, and $c_3 \approx 2.4149$.

Facts 2.37 and 2.38 indicate that in the functional graph of a random function, most points are grouped together in one giant component, and there is a small number of large trees. Also, almost unavoidably, a cycle of length about $\sqrt{n}$ arises after following a path of length $\sqrt{n}$ edges.
2.2 Information theory


2.2.1  Entropy 

Let $X$ be a random variable which takes on a finite set of values $x_1, x_2, \ldots, x_n$, with probability $P(X = x_i) = p_i$, where $0 \le p_i \le 1$ for each $i$, $1 \le i \le n$, and where $\sum_{i=1}^{n} p_i = 1$. Also, let $Y$ and $Z$ be random variables which take on finite sets of values.

The entropy of $X$ is a mathematical measure of the amount of information provided by an observation of $X$. Equivalently, it is the uncertainty about the outcome before an observation of $X$. Entropy is also useful for approximating the average number of bits required to encode the elements of $X$.

2.39 Definition The entropy or uncertainty of $X$ is defined to be $H(X) = -\sum_{i=1}^{n} p_i \lg p_i = \sum_{i=1}^{n} p_i \lg\left(\frac{1}{p_i}\right)$ where, by convention, $p_i \cdot \lg p_i = p_i \cdot \lg\frac{1}{p_i} = 0$ if $p_i = 0$.

2.40 Fact (properties of entropy) Let $X$ be a random variable which takes on $n$ values.

(i) $0 \le H(X) \le \lg n$.

(ii) $H(X) = 0$ if and only if $p_i = 1$ for some $i$, and $p_j = 0$ for all $j \ne i$ (that is, there is no uncertainty of the outcome).

(iii) $H(X) = \lg n$ if and only if $p_i = 1/n$ for each $i$, $1 \le i \le n$ (that is, all outcomes are equally likely).

2.41 Definition The joint entropy of $X$ and $Y$ is defined to be

$$H(X, Y) = -\sum_{x,y} P(X = x, Y = y) \lg(P(X = x, Y = y)),$$

where the summation indices $x$ and $y$ range over all values of $X$ and $Y$, respectively. The definition can be extended to any number of random variables.

2.42 Fact If $X$ and $Y$ are random variables, then $H(X, Y) \le H(X) + H(Y)$, with equality if and only if $X$ and $Y$ are independent.

2.43 Definition If $X$, $Y$ are random variables, the conditional entropy of $X$ given $Y = y$ is

$$H(X|Y = y) = -\sum_{x} P(X = x|Y = y) \lg(P(X = x|Y = y)),$$

where the summation index $x$ ranges over all values of $X$. The conditional entropy of $X$ given $Y$, also called the equivocation of $Y$ about $X$, is

$$H(X|Y) = \sum_{y} P(Y = y) H(X|Y = y),$$

where the summation index $y$ ranges over all values of $Y$.

2.44 Fact (properties of conditional entropy) Let $X$ and $Y$ be random variables.

(i) The quantity $H(X|Y)$ measures the amount of uncertainty remaining about $X$ after $Y$ has been observed.

(ii) $H(X|Y) \ge 0$ and $H(X|X) = 0$.

(iii) $H(X, Y) = H(X) + H(Y|X) = H(Y) + H(X|Y)$.

(iv) $H(X|Y) \le H(X)$, with equality if and only if $X$ and $Y$ are independent.


2.2.2  Mutual  information 

2.45 Definition The mutual information or transinformation of random variables $X$ and $Y$ is $I(X; Y) = H(X) - H(X|Y)$. Similarly, the transinformation of $X$ and the pair $Y$, $Z$ is defined to be $I(X; Y, Z) = H(X) - H(X|Y, Z)$.

2.46 Fact (properties of mutual transinformation)

(i) The quantity $I(X; Y)$ can be thought of as the amount of information that $Y$ reveals about $X$. Similarly, the quantity $I(X; Y, Z)$ can be thought of as the amount of information that $Y$ and $Z$ together reveal about $X$.

(ii) $I(X; Y) \ge 0$.

(iii) $I(X; Y) = 0$ if and only if $X$ and $Y$ are independent (that is, $Y$ contributes no information about $X$).

(iv) $I(X; Y) = I(Y; X)$.

2.47 Definition The conditional transinformation of the pair $X$, $Y$ given $Z$ is defined to be $I_Z(X; Y) = H(X|Z) - H(X|Y, Z)$.

2.48 Fact (properties of conditional transinformation)

(i) The quantity $I_Z(X; Y)$ can be interpreted as the amount of information that $Y$ provides about $X$, given that $Z$ has already been observed.

(ii) $I(X; Y, Z) = I(X; Y) + I_Y(X; Z)$.

(iii) $I_Z(X; Y) = I_Z(Y; X)$.
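The quantities of Definitions 2.39 through 2.47, computed from a joint probability table, as an added example that is not the book's code. The distribution leaky_channel is constructed here for illustration (a uniform 2-bit secret $X$, its high bit $Y$ seen through a channel that flips it with a given probability, and its low bit $Z$ seen exactly); it is not from the text.

```python
"""Entropy, conditional entropy and (conditional) mutual information of
Definitions 2.39, 2.41, 2.43, 2.45 and 2.47, computed from a joint
probability table.  Added example, not the book's code."""
import math
from collections import defaultdict


def entropy(dist: dict) -> float:
    """H = -sum p lg p over the table's values, with 0 lg 0 = 0 (Def. 2.39).
    Applied to a joint table this is the joint entropy of Definition 2.41."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def project(joint: dict, coords: tuple) -> dict:
    """Marginal distribution of the selected coordinates of a joint table
    whose keys are tuples of outcomes."""
    out = defaultdict(float)
    for key, p in joint.items():
        out[tuple(key[i] for i in coords)] += p
    return dict(out)


def conditional_entropy(joint: dict, target: tuple, given: tuple) -> float:
    """H(target | given) = H(target, given) - H(given): the chain rule of
    Fact 2.44(iii), equal to sum_y P(Y=y) H(X | Y=y) of Definition 2.43."""
    return (entropy(project(joint, target + given))
            - entropy(project(joint, given)))


def mutual_information(joint: dict, x=(0,), y=(1,)) -> float:
    """I(X; Y) = H(X) - H(X | Y) (Definition 2.45).  Passing several
    coordinates in y gives I(X; Y, Z)."""
    return entropy(project(joint, x)) - conditional_entropy(joint, x, y)


def conditional_mutual_information(joint, x=(0,), y=(1,), z=(2,)) -> float:
    """I_Z(X; Y) = H(X | Z) - H(X | Y, Z) (Definition 2.47)."""
    return (conditional_entropy(joint, x, z)
            - conditional_entropy(joint, x, y + z))


def leaky_channel(flip_prob: float) -> dict:
    """Constructed sample distribution (not from the text).  X is a uniform
    2-bit secret; Y is X's high bit observed through a channel that flips it
    with probability flip_prob; Z is X's low bit observed exactly.  Keys are
    (x, y, z) tuples, values are probabilities."""
    joint = {}
    for x in range(4):
        high, low = x >> 1, x & 1
        for y in (0, 1):
            p_y = 1.0 - flip_prob if y == high else flip_prob
            joint[(x, y, low)] = 0.25 * p_y
    return joint


if __name__ == "__main__":
    for flip in (0.0, 0.1, 0.5):
        j = leaky_channel(flip)
        print(f"flip={flip}: H(X)={entropy(project(j, (0,))):.3f} bits, "
              f"H(X|Y)={conditional_entropy(j, (0,), (1,)):.3f}, "
              f"I(X;Y)={mutual_information(j):.3f}, "
              f"I_Z(X;Y)={conditional_mutual_information(j):.3f}, "
              f"I(X;Y,Z)={mutual_information(j, (0,), (1, 2)):.3f}")
```

With flip probability 0 the observation $Y$ removes exactly one bit of uncertainty, with 0.5 it removes none (Fact 2.46(iii)), and for any flip probability the identity of Fact 2.48(ii) holds for the computed values.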


2.3  Complexity  theory 


2.3.1  Basic  definitions 

The  main  goal  of  complexity  theory  is  to  provide  mechanisms  for  classifying  computational 
problems  according  to  the  resources  needed  to  solve  them.  The  classification  should  not 
depend  on  a particular  computational  model,  but  rather  should  measure  the  intrinsic  dif- 
ficulty of  the  problem.  The  resources  measured  may  include  time,  storage  space,  random 
bits,  number  of  processors,  etc.,  but  typically  the  main  focus  is  time,  and  sometimes  space. 

2.49  Definition  An  algorithm  is  a well-defined  computational  procedure  that  takes  a variable 
input  and  halts  with  an  output. 
Of course, the term “well-defined computational procedure” is not mathematically precise. It can be made so by using formal computational models such as Turing machines,
random-access  machines,  or  boolean  circuits.  Rather  than  get  involved  with  the  technical 
intricacies  of  these  models,  it  is  simpler  to  think  of  an  algorithm  as  a computer  program 
written  in  some  specific  programming  language  for  a specific  computer  that  takes  a vari- 
able input  and  halts  with  an  output. 

It  is  usually  of  interest  to  find  the  most  efficient  (i.e.,  fastest)  algorithm  for  solving  a 
given  computational  problem.  The  time  that  an  algorithm  takes  to  halt  depends  on  the  “size” 
of  the  problem  instance.  Also,  the  unit  of  time  used  should  be  made  precise,  especially  when 
comparing  the  performance  of  two  algorithms. 

2.50  Definition  The  size  of  the  input  is  the  total  number  of  bits  needed  to  represent  the  input 
in  ordinary  binary  notation  using  an  appropriate  encoding  scheme.  Occasionally,  the  size 
of  the  input  will  be  the  number  of  items  in  the  input. 

2.51 Example (sizes of some objects)

(i) The number of bits in the binary representation of a positive integer $n$ is $1 + \lfloor \lg n \rfloor$ bits. For simplicity, the size of $n$ will be approximated by $\lg n$.

(ii) If $f$ is a polynomial of degree at most $k$, each coefficient being a non-negative integer at most $n$, then the size of $f$ is $(k+1)\lg n$ bits.

(iii) If $A$ is a matrix with $r$ rows, $s$ columns, and with non-negative integer entries each at most $n$, then the size of $A$ is $rs \lg n$ bits. □

2.52  Definition  The  running  time  of  an  algorithm  on  a particular  input  is  the  number  of  prim- 
itive operations  or  “steps”  executed. 

Often  a step  is  taken  to  mean  a bit  operation.  For  some  algorithms  it  will  be  more  con- 
venient to  take  step  to  mean  something  else  such  as  a comparison,  a machine  instruction,  a 
machine  clock  cycle,  a modular  multiplication,  etc. 

2.53  Definition  The  worst-case  running  time  of  an  algorithm  is  an  upper  bound  on  the  running 
time  for  any  input,  expressed  as  a function  of  the  input  size. 

2.54  Definition  The  average-case  running  time  of  an  algorithm  is  the  average  running  time 
over  all  inputs  of  a fixed  size,  expressed  as  a function  of  the  input  size. 


2.3.2  Asymptotic  notation 

It  is  often  difficult  to  derive  the  exact  running  time  of  an  algorithm.  In  such  situations  one 
is  forced  to  settle  for  approximations  of  the  running  time,  and  usually  may  only  derive  the 
asymptotic  running  time.  That  is,  one  studies  how  the  running  time  of  the  algorithm  in- 
creases as  the  size  of  the  input  increases  without  bound. 

In what follows, the only functions considered are those which are defined on the positive integers and take on real values that are always positive from some point onwards. Let $f$ and $g$ be two such functions.

2.55 Definition (order notation)

(i) (asymptotic upper bound) $f(n) = O(g(n))$ if there exists a positive constant $c$ and a positive integer $n_0$ such that $0 \le f(n) \le cg(n)$ for all $n \ge n_0$.

(ii) (asymptotic lower bound) $f(n) = \Omega(g(n))$ if there exists a positive constant $c$ and a positive integer $n_0$ such that $0 \le cg(n) \le f(n)$ for all $n \ge n_0$.

(iii) (asymptotic tight bound) $f(n) = \Theta(g(n))$ if there exist positive constants $c_1$ and $c_2$, and a positive integer $n_0$ such that $c_1 g(n) \le f(n) \le c_2 g(n)$ for all $n \ge n_0$.

(iv) ($o$-notation) $f(n) = o(g(n))$ if for any positive constant $c > 0$ there exists a constant $n_0 > 0$ such that $0 \le f(n) < cg(n)$ for all $n \ge n_0$.

Intuitively, $f(n) = O(g(n))$ means that $f$ grows no faster asymptotically than $g(n)$ to within a constant multiple, while $f(n) = \Omega(g(n))$ means that $f(n)$ grows at least as fast asymptotically as $g(n)$ to within a constant multiple. $f(n) = o(g(n))$ means that $g(n)$ is an upper bound for $f(n)$ that is not asymptotically tight, or in other words, the function $f(n)$ becomes insignificant relative to $g(n)$ as $n$ gets larger. The expression $o(1)$ is often used to signify a function $f(n)$ whose limit as $n$ approaches $\infty$ is 0.


2.56 Fact (properties of order notation) For any functions $f(n)$, $g(n)$, $h(n)$, and $l(n)$, the following are true.

(i) $f(n) = O(g(n))$ if and only if $g(n) = \Omega(f(n))$.

(ii) $f(n) = \Theta(g(n))$ if and only if $f(n) = O(g(n))$ and $f(n) = \Omega(g(n))$.

(iii) If $f(n) = O(h(n))$ and $g(n) = O(h(n))$, then $(f + g)(n) = O(h(n))$.

(iv) If $f(n) = O(h(n))$ and $g(n) = O(l(n))$, then $(f \cdot g)(n) = O(h(n)l(n))$.

(v) (reflexivity) $f(n) = O(f(n))$.

(vi) (transitivity) If $f(n) = O(g(n))$ and $g(n) = O(h(n))$, then $f(n) = O(h(n))$.


2.57 Fact (approximations of some commonly occurring functions)

(i) (polynomial function) If $f(n)$ is a polynomial of degree $k$ with positive leading term, then $f(n) = \Theta(n^k)$.

(ii) For any constant $c > 0$, $\log_c n = \Theta(\lg n)$.

(iii) (Stirling's formula) For all integers $n \ge 1$,

$$\sqrt{2\pi n}\left(\frac{n}{e}\right)^n \le n! \le \sqrt{2\pi n}\left(\frac{n}{e}\right)^{n + (1/(12n))}.$$

Thus $n! = \sqrt{2\pi n}\left(\frac{n}{e}\right)^n\left(1 + \Theta\left(\frac{1}{n}\right)\right)$. Also, $n! = o(n^n)$ and $n! = \Omega(2^n)$.

(iv) $\lg(n!) = \Theta(n \lg n)$.


2.58 Example (comparative growth rates of some functions) Let $\epsilon$ and $c$ be arbitrary constants with $0 < \epsilon < 1 < c$. The following functions are listed in increasing order of their asymptotic growth rates:

$$1 < \ln\ln n < \ln n < \exp\left(\sqrt{\ln n \,\ln\ln n}\right) < n^\epsilon < n^c < n^{\ln n} < c^n < n^n < c^{c^n}. \qquad □$$


2.3.3  Complexity  classes 

2.59 Definition A polynomial-time algorithm is an algorithm whose worst-case running time function is of the form $O(n^k)$, where $n$ is the input size and $k$ is a constant. Any algorithm whose running time cannot be so bounded is called an exponential-time algorithm.

Roughly  speaking,  polynomial-time  algorithms  can  be  equated  with  good  or  efficient 
algorithms,  while  exponential-time  algorithms  are  considered  inefficient.  There  are,  how- 
ever, some  practical  situations  when  this  distinction  is  not  appropriate.  When  considering 
polynomial-time  complexity,  the  degree  of  the  polynomial  is  significant.  For  example,  even 
though an algorithm with a running time of $O(n^{\ln\ln n})$, $n$ being the input size, is asymptotically slower than an algorithm with a running time of $O(n^{100})$, the former algorithm may be faster in practice for smaller values of $n$, especially if the constants hidden by the big-O notation are smaller. Furthermore, in cryptography, average-case complexity is more important than worst-case complexity — a necessary condition for an encryption scheme to be considered secure is that the corresponding cryptanalysis problem is difficult on average (or more precisely, almost always difficult), and not just for some isolated cases.

2.60 Definition A subexponential-time algorithm is an algorithm whose worst-case running time function is of the form $e^{o(n)}$, where $n$ is the input size.

A subexponential-time  algorithm  is  asymptotically  faster  than  an  algorithm  whose  run- 
ning time  is  fully  exponential  in  the  input  size,  while  it  is  asymptotically  slower  than  a 
polynomial-time  algorithm. 

2.61 Example (subexponential running time) Let $A$ be an algorithm whose inputs are either elements of a finite field $\mathbb{F}_q$ (see §2.6), or an integer $q$. If the expected running time of $A$ is of the form

$$L_q[\alpha, c] = O\left(\exp\left((c + o(1))(\ln q)^\alpha (\ln\ln q)^{1-\alpha}\right)\right), \qquad (2.3)$$

where $c$ is a positive constant, and $\alpha$ is a constant satisfying $0 < \alpha < 1$, then $A$ is a subexponential-time algorithm. Observe that for $\alpha = 0$, $L_q[0, c]$ is a polynomial in $\ln q$, while for $\alpha = 1$, $L_q[1, c]$ is a polynomial in $q$, and thus fully exponential in $\ln q$. □

For  simplicity,  the  theory  of  computational  complexity  restricts  its  attention  to  deci- 
sion problems,  i.e.,  problems  which  have  either  YES  or  NO  as  an  answer.  This  is  not  too 
restrictive  in  practice,  as  all  the  computational  problems  that  will  be  encountered  here  can 
be  phrased  as  decision  problems  in  such  a way  that  an  efficient  algorithm  for  the  decision 
problem  yields  an  efficient  algorithm  for  the  computational  problem,  and  vice  versa. 

2.62  Definition  The  complexity  class  P is  the  set  of  all  decision  problems  that  are  solvable  in 
polynomial  time. 

2.63  Definition  The  complexity  class  NP  is  the  set  of  all  decision  problems  for  which  a YES 
answer  can  be  verified  in  polynomial  time  given  some  extra  information,  called  a certificate. 

2.64  Definition  The  complexity  class  co-NP  is  the  set  of  all  decision  problems  for  which  a NO 
answer  can  be  verified  in  polynomial  time  using  an  appropriate  certificate. 

It  must  be  emphasized  that  if  a decision  problem  is  in  NP,  it  may  not  be  the  case  that  the 
certificate  of  a YES  answer  can  be  easily  obtained;  what  is  asserted  is  that  such  a certificate 
does  exist,  and,  if  known,  can  be  used  to  efficiently  verify  the  YES  answer.  The  same  is 
true  of  the  NO  answers  for  problems  in  co-NP. 

2.65  Example  (problem  in  NP)  Consider  the  following  decision  problem: 

COMPOSITES 

INSTANCE:  A positive  integer  n. 

QUESTION: Is $n$ composite? That is, are there integers $a, b > 1$ such that $n = ab$?

COMPOSITES  belongs  to  NP  because  if  an  integer  n is  composite,  then  this  fact  can  be 
verified  in  polynomial  time  if  one  is  given  a divisor  a of  n,  where  1 < a < n (the  certificate 
in  this  case  consists  of  the  divisor  a).  It  is  in  fact  also  the  case  that  COMPOSITES  belongs 
to  co-NP.  It  is  still  unknown  whether  or  not  COMPOSITES  belongs  to  P.  □ 
2.66 Fact P ⊆ NP and P ⊆ co-NP.

The  following  are  among  the  outstanding  unresolved  questions  in  the  subject  of  com- 
plexity theory: 

1.  Is  P = NP? 

2.  Is  NP  = co-NP? 

3. Is P = NP ∩ co-NP?

Most  experts  are  of  the  opinion  that  the  answer  to  each  of  the  three  questions  is  NO,  although 
nothing  along  these  lines  has  been  proven. 

The  notion  of  reducibility  is  useful  when  comparing  the  relative  difficulties  of  prob- 
lems. 

2.67 Definition Let $L_1$ and $L_2$ be two decision problems. $L_1$ is said to polytime reduce to $L_2$, written $L_1 \le_P L_2$, if there is an algorithm that solves $L_1$ which uses, as a subroutine, an algorithm for solving $L_2$, and which runs in polynomial time if the algorithm for $L_2$ does.

Informally, if $L_1 \le_P L_2$, then $L_2$ is at least as difficult as $L_1$, or, equivalently, $L_1$ is no harder than $L_2$.

2.68 Definition Let $L_1$ and $L_2$ be two decision problems. If $L_1 \le_P L_2$ and $L_2 \le_P L_1$, then $L_1$ and $L_2$ are said to be computationally equivalent.

2.69 Fact Let $L_1$, $L_2$, and $L_3$ be three decision problems.

(i) (transitivity) If $L_1 \le_P L_2$ and $L_2 \le_P L_3$, then $L_1 \le_P L_3$.

(ii) If $L_1 \le_P L_2$ and $L_2 \in$ P, then $L_1 \in$ P.

2.70 Definition A decision problem $L$ is said to be NP-complete if

(i) $L \in$ NP, and

(ii) $L_1 \le_P L$ for every $L_1 \in$ NP.

The  class  of  all  NP-complete  problems  is  denoted  by  NPC. 

NP-complete  problems  are  the  hardest  problems  in  NP  in  the  sense  that  they  are  at 
least  as  difficult  as  every  other  problem  in  NP.  There  are  thousands  of  problems  drawn  from 
diverse  fields  such  as  combinatorics,  number  theory,  and  logic,  that  are  known  to  be  NP- 
complete. 

2.71 Example (subset sum problem) The subset sum problem is the following: given a set of positive integers $\{a_1, a_2, \ldots, a_n\}$ and a positive integer $s$, determine whether or not there is a subset of the $a_i$ that sum to $s$. The subset sum problem is NP-complete. □

2.72 Fact Let $L_1$ and $L_2$ be two decision problems.

(i) If $L_1$ is NP-complete and $L_1 \in$ P, then P = NP.

(ii) If $L_1 \in$ NP, $L_2$ is NP-complete, and $L_2 \le_P L_1$, then $L_1$ is also NP-complete.

(iii) If $L_1$ is NP-complete and $L_1 \in$ co-NP, then NP = co-NP.

By Fact 2.72(i), if a polynomial-time algorithm is found for any single NP-complete problem, then it is the case that P = NP, a result that would be extremely surprising. Hence, a proof that a problem is NP-complete provides strong evidence for its intractability. Figure 2.2 illustrates what is widely believed to be the relationship between the complexity classes P, NP, co-NP, and NPC.

Figure 2.2: Conjectured relationship between the complexity classes P, NP, co-NP, and NPC.

Fact 2.72(ii) suggests the following procedure for proving that a decision problem $L_1$ is NP-complete:

1. Prove that $L_1 \in$ NP.

2. Select a problem $L_2$ that is known to be NP-complete.

3. Prove that $L_2 \le_P L_1$.

2.73  Definition  A problem  is  NP -hard  if  there  exists  some  NP-complete  problem  that  polytime 
reduces  to  it. 

Note  that  the  NP-hard  classification  is  not  restricted  to  only  decision  problems.  Ob- 
serve also  that  an  NP-complete  problem  is  also  NP-hard. 

2.74 Example (NP-hard problem) Given positive integers $a_1, a_2, \ldots, a_n$ and a positive integer $s$, the computational version of the subset sum problem would ask to actually find a subset of the $a_i$ which sums to $s$, provided that such a subset exists. This problem is NP-hard. □


2.3.4  Randomized  algorithms 

The algorithms studied so far in this section have been deterministic; such algorithms follow the same execution path (sequence of operations) each time they execute with the same input. By contrast, a randomized algorithm makes random decisions at certain points in the execution; hence their execution paths may differ each time they are invoked with the same input. The random decisions are based upon the outcome of a random number generator. Remarkably, there are many problems for which randomized algorithms are known that are more efficient, both in terms of time and space, than the best known deterministic algorithms.

Randomized  algorithms  for  decision  problems  can  be  classified  according  to  the  prob- 
ability that  they  return  the  correct  answer. 

2.75 Definition Let $A$ be a randomized algorithm for a decision problem $L$, and let $I$ denote an arbitrary instance of $L$.

(i) $A$ has 0-sided error if $P(A \text{ outputs YES} \mid I\text{'s answer is YES}) = 1$, and $P(A \text{ outputs YES} \mid I\text{'s answer is NO}) = 0$.

(ii) $A$ has 1-sided error if $P(A \text{ outputs YES} \mid I\text{'s answer is YES}) \ge \frac{1}{2}$, and $P(A \text{ outputs YES} \mid I\text{'s answer is NO}) = 0$.

(iii) $A$ has 2-sided error if $P(A \text{ outputs YES} \mid I\text{'s answer is YES}) \ge \frac{2}{3}$, and $P(A \text{ outputs YES} \mid I\text{'s answer is NO}) \le \frac{1}{3}$.

The number $\frac{1}{2}$ in the definition of 1-sided error is somewhat arbitrary and can be replaced by any positive constant. Similarly, the numbers $\frac{2}{3}$ and $\frac{1}{3}$ in the definition of 2-sided error can be replaced by $\frac{1}{2} + \epsilon$ and $\frac{1}{2} - \epsilon$, respectively, for any constant $\epsilon$, $0 < \epsilon < \frac{1}{2}$.

2.76  Definition  The  expected  running  time  of  a randomized  algorithm  is  an  upper  bound  on  the 
expected  running  time  for  each  input  (the  expectation  being  over  all  outputs  of  the  random 
number  generator  used  by  the  algorithm),  expressed  as  a function  of  the  input  size. 

The  important  randomized  complexity  classes  are  defined  next. 


2.77  Definition  (randomized  complexity  classes) 

(i)  The  complexity  class  ZPP  (“zero-sided  probabilistic  polynomial  time”)  is  the  set  of 
all  decision  problems  for  which  there  is  a randomized  algorithm  with  0-sided  error 
which  runs  in  expected  polynomial  time. 

(ii)  The  complexity  class  RP  (“randomized  polynomial  time”)  is  the  set  of  all  decision 
problems  for  which  there  is  a randomized  algorithm  with  1 -sided  error  which  runs  in 
(worst-case)  polynomial  time. 

(iii)  The  complexity  class  BPP  (“bounded  error  probabilistic  polynomial  time”)  is  the  set 
of  all  decision  problems  for  which  there  is  a randomized  algorithm  with  2-sided  error 
which  runs  in  (worst-case)  polynomial  time. 


2.78 Fact P ⊆ ZPP ⊆ RP ⊆ BPP and RP ⊆ NP.


2.4  Number  theory 


2.4.1  The  integers 

The set of integers $\{\ldots, -3, -2, -1, 0, 1, 2, 3, \ldots\}$ is denoted by the symbol $\mathbb{Z}$.

2.79 Definition Let $a$, $b$ be integers. Then $a$ divides $b$ (equivalently: $a$ is a divisor of $b$, or $a$ is a factor of $b$) if there exists an integer $c$ such that $b = ac$. If $a$ divides $b$, then this is denoted by $a \mid b$.

2.80 Example (i) $-3 \mid 18$, since $18 = (-3)(-6)$. (ii) $173 \mid 0$, since $0 = (173)(0)$. □

The  following  are  some  elementary  properties  of  divisibility. 


2.81 Fact (properties of divisibility) For all $a, b, c \in \mathbb{Z}$, the following are true:

(i) $a \mid a$.

(ii) If $a \mid b$ and $b \mid c$, then $a \mid c$.

(iii) If $a \mid b$ and $a \mid c$, then $a \mid (bx + cy)$ for all $x, y \in \mathbb{Z}$.

(iv) If $a \mid b$ and $b \mid a$, then $a = \pm b$.
2.82 Definition (division algorithm for integers) If $a$ and $b$ are integers with $b \ge 1$, then ordinary long division of $a$ by $b$ yields integers $q$ (the quotient) and $r$ (the remainder) such that

$$a = qb + r, \quad \text{where } 0 \le r < b.$$

Moreover, $q$ and $r$ are unique. The remainder of the division is denoted $a \bmod b$, and the quotient is denoted $a \text{ div } b$.

2.83 Fact Let $a, b \in \mathbb{Z}$ with $b \ne 0$. Then $a \text{ div } b = \lfloor a/b \rfloor$ and $a \bmod b = a - b\lfloor a/b \rfloor$.

2.84 Example If $a = 73$, $b = 17$, then $q = 4$ and $r = 5$. Hence $73 \bmod 17 = 5$ and $73 \text{ div } 17 = 4$. □

2.85 Definition An integer $c$ is a common divisor of $a$ and $b$ if $c \mid a$ and $c \mid b$.

2.86 Definition A non-negative integer $d$ is the greatest common divisor of integers $a$ and $b$, denoted $d = \gcd(a, b)$, if

(i) $d$ is a common divisor of $a$ and $b$; and

(ii) whenever $c \mid a$ and $c \mid b$, then $c \mid d$.

Equivalently, $\gcd(a, b)$ is the largest positive integer that divides both $a$ and $b$, with the exception that $\gcd(0, 0) = 0$.

2.87 Example The common divisors of 12 and 18 are $\{\pm 1, \pm 2, \pm 3, \pm 6\}$, and $\gcd(12, 18) = 6$. □


2.88 Definition A non-negative integer $d$ is the least common multiple of integers $a$ and $b$, denoted $d = \mathrm{lcm}(a, b)$, if

(i) $a \mid d$ and $b \mid d$; and

(ii) whenever $a \mid c$ and $b \mid c$, then $d \mid c$.

Equivalently, $\mathrm{lcm}(a, b)$ is the smallest non-negative integer divisible by both $a$ and $b$.

2.89 Fact If $a$ and $b$ are positive integers, then $\mathrm{lcm}(a, b) = a \cdot b / \gcd(a, b)$.

2.90 Example Since $\gcd(12, 18) = 6$, it follows that $\mathrm{lcm}(12, 18) = 12 \cdot 18/6 = 36$. □

2.91 Definition Two integers $a$ and $b$ are said to be relatively prime or coprime if $\gcd(a, b) = 1$.

2.92 Definition An integer $p \ge 2$ is said to be prime if its only positive divisors are 1 and $p$. Otherwise, $p$ is called composite.

The following are some well known facts about prime numbers.

2.93 Fact If $p$ is prime and $p \mid ab$, then either $p \mid a$ or $p \mid b$ (or both).

2.94 Fact There are an infinite number of prime numbers.

2.95 Fact (prime number theorem) Let $\pi(x)$ denote the number of prime numbers $\le x$. Then

$$\lim_{x \to \infty} \frac{\pi(x)}{x/\ln x} = 1.$$
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This  means  that  for  large  values  of  x,  tt(x)  is  closely  approximated  by  the  expres- 
sion xj  In x.  For  instance,  when  x = 1010,  ir{x)  = 455, 052,  511,  whereas  \x/\a.x\  = 
434,  294, 481.  A more  explicit  estimate  for  n(x)  is  given  below. 


2.96 Fact Let π(x) denote the number of primes ≤ x. Then for x ≥ 17

$\pi(x) > \frac{x}{\ln x}$

and for x > 1

$\pi(x) < 1.25506 \, \frac{x}{\ln x}.$


2.97 Fact (fundamental theorem of arithmetic) Every integer n ≥ 2 has a factorization as a product of prime powers:

$n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k},$

where the $p_i$ are distinct primes, and the $e_i$ are positive integers. Furthermore, the factorization is unique up to rearrangement of factors.


2.98 Fact If $a = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, $b = p_1^{f_1} p_2^{f_2} \cdots p_k^{f_k}$, where each $e_i \ge 0$ and $f_i \ge 0$, then

$\gcd(a, b) = p_1^{\min(e_1, f_1)} p_2^{\min(e_2, f_2)} \cdots p_k^{\min(e_k, f_k)}$

and

$\operatorname{lcm}(a, b) = p_1^{\max(e_1, f_1)} p_2^{\max(e_2, f_2)} \cdots p_k^{\max(e_k, f_k)}.$

2.99 Example Let $a = 4864 = 2^8 \cdot 19$, $b = 3458 = 2 \cdot 7 \cdot 13 \cdot 19$. Then $\gcd(4864, 3458) = 2 \cdot 19 = 38$ and $\operatorname{lcm}(4864, 3458) = 2^8 \cdot 7 \cdot 13 \cdot 19 = 442624$. □


2.100 Definition For n ≥ 1, let φ(n) denote the number of integers in the interval [1, n] which are relatively prime to n. The function φ is called the Euler phi function (or the Euler totient function).

2.101 Fact (properties of Euler phi function)

(i) If p is a prime, then φ(p) = p − 1.

(ii) The Euler phi function is multiplicative. That is, if gcd(m, n) = 1, then φ(mn) = φ(m) · φ(n).

(iii) If $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$ is the prime factorization of n, then

$\phi(n)$

Fact 2.102 gives an explicit lower bound for φ(n).

2.102 Fact For all integers n ≥ 5,

$\phi(n) > \frac{n}{6 \ln \ln n}.$
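As an added worked example (my code, not the handbook's), the following Python computes gcd and lcm from prime-power factorizations as Fact 2.98 prescribes, evaluates φ(n) both by counting (Definition 2.100) and by the product formula φ(n) = n ∏_{p | n}(1 − 1/p) of Fact 2.101(iii), and checks the lower bound of Fact 2.102 over a range of n. The `factor` routine is a trial-division helper I added; it is exponential in the bit length of its input, which is precisely why §2.4.2 below warns against computing gcds this way.

```python
from functools import reduce
from math import gcd, log


def factor(n):
    """Trial-division prime factorization (added helper, not from the handbook).
    Returns {p: e} with n = product of p**e (Fact 2.97).  Only practical for
    small n: the loop runs up to sqrt(n) divisions."""
    assert n >= 1
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1 if p == 2 else 2
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def gcd_by_factoring(a, b):
    """Fact 2.98: gcd(a, b) = product over the common primes of p ** min(e_p, f_p)."""
    fa, fb = factor(a), factor(b)
    return reduce(lambda acc, p: acc * p ** min(fa[p], fb[p]), set(fa) & set(fb), 1)


def lcm_by_factoring(a, b):
    """Fact 2.98: lcm(a, b) = product over all primes of p ** max(e_p, f_p)."""
    fa, fb = factor(a), factor(b)
    return reduce(lambda acc, p: acc * p ** max(fa.get(p, 0), fb.get(p, 0)),
                  set(fa) | set(fb), 1)


def phi_by_definition(n):
    """Definition 2.100: the number of integers in [1, n] coprime to n."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def phi_by_formula(n):
    """Fact 2.101(iii) as the product formula phi(n) = n * prod(1 - 1/p) over the
    distinct primes p dividing n, evaluated in exact integer arithmetic: at each
    step the running value is still divisible by the remaining primes."""
    result = n
    for p in factor(n):
        result = result // p * (p - 1)
    return result


def euler_lower_bound_holds(limit):
    """Check Fact 2.102, phi(n) > n / (6 ln ln n), for every n in [5, limit]."""
    return all(phi_by_formula(n) > n / (6 * log(log(n))) for n in range(5, limit + 1))
```

Running `gcd_by_factoring(4864, 3458)` reproduces Example 2.99, and the two φ implementations agree on every input, which is a cheap regression check when one of them is later replaced by a faster routine.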
2.4.2 Algorithms in Z

Let a and b be non-negative integers, each less than or equal to n. Recall (Example 2.51) that the number of bits in the binary representation of n is ⌊lg n⌋ + 1 and this number is approximated by lg n. The number of bit operations for the four basic integer operations of addition, subtraction, multiplication, and division using the classical algorithms is summarized in Table 2.1. These algorithms are studied in more detail in §14.2. More sophisticated techniques for multiplication and division have smaller complexities.


Operation                  | Bit complexity
---------------------------+-------------------------------
Addition        a + b      | O(lg a + lg b) = O(lg n)
Subtraction     a − b      | O(lg a + lg b) = O(lg n)
Multiplication  a · b      | O((lg a)(lg b)) = O((lg n)^2)
Division        a = qb + r | O((lg q)(lg b)) = O((lg n)^2)

Table 2.1: Bit complexity of basic operations in Z.

The  greatest  common  divisor  of  two  integers  a and  b can  be  computed  via  Fact  2.98. 
However,  computing  a gcd  by  first  obtaining  prime -power  factorizations  does  not  result  in 
an  efficient  algorithm,  as  the  problem  of  factoring  integers  appears  to  be  relatively  diffi- 
cult. The  Euclidean  algorithm  (Algorithm  2.104)  is  an  efficient  algorithm  for  computing 
the  greatest  common  divisor  of  two  integers  that  does  not  require  the  factorization  of  the 
integers.  It  is  based  on  the  following  simple  fact. 

2.103 Fact If a and b are positive integers with a > b, then gcd(a, b) = gcd(b, a mod b).


2.104 Algorithm Euclidean algorithm for computing the greatest common divisor of two integers

INPUT: two non-negative integers a and b with a ≥ b.

OUTPUT: the greatest common divisor of a and b.

1. While b ≠ 0 do the following:

1.1 Set r ← a mod b, a ← b, b ← r.

2. Return(a).


2.105  Fact  Algorithm  2.104  has  a running  time  of  0((lg  n)2)  bit  operations. 

2.106 Example (Euclidean algorithm) The following are the division steps of Algorithm 2.104 for computing gcd(4864, 3458) = 38:

4864 = 1 · 3458 + 1406
3458 = 2 · 1406 + 646
1406 = 2 · 646 + 114
 646 = 5 · 114 + 76
 114 = 1 · 76 + 38
  76 = 2 · 38 + 0.
The Euclidean algorithm can be extended so that it not only yields the greatest common
divisor  d of  two  integers  a and  b,  but  also  integers  x and  y satisfying  ax  + by  = d. 


2.107 Algorithm Extended Euclidean algorithm

INPUT: two non-negative integers a and b with a ≥ b.

OUTPUT: d = gcd(a, b) and integers x, y satisfying ax + by = d.

1. If b = 0 then set d ← a, x ← 1, y ← 0, and return(d, x, y).

2. Set x2 ← 1, x1 ← 0, y2 ← 0, y1 ← 1.

3. While b > 0 do the following:

3.1 q ← ⌊a/b⌋, r ← a − qb, x ← x2 − qx1, y ← y2 − qy1.

3.2 a ← b, b ← r, x2 ← x1, x1 ← x, y2 ← y1, and y1 ← y.

4. Set d ← a, x ← x2, y ← y2, and return(d, x, y).


2.108  Fact  Algorithm  2.107  has  a running  time  of  0((lg  n)2)  bit  operations. 

2.109 Example (extended Euclidean algorithm) Table 2.2 shows the steps of Algorithm 2.107 with inputs a = 4864 and b = 3458. Hence gcd(4864, 3458) = 38 and (4864)(32) + (3458)(−45) = 38. □

  q |    r |   x |   y |    a |    b |  x2 |  x1 |  y2 |  y1
----+------+-----+-----+------+------+-----+-----+-----+-----
  - |    - |   - |   - | 4864 | 3458 |   1 |   0 |   0 |   1
  1 | 1406 |   1 |  −1 | 3458 | 1406 |   0 |   1 |   1 |  −1
  2 |  646 |  −2 |   3 | 1406 |  646 |   1 |  −2 |  −1 |   3
  2 |  114 |   5 |  −7 |  646 |  114 |  −2 |   5 |   3 |  −7
  5 |   76 | −27 |  38 |  114 |   76 |   5 | −27 |  −7 |  38
  1 |   38 |  32 | −45 |   76 |   38 | −27 |  32 |  38 | −45
  2 |    0 | −91 | 128 |   38 |    0 |  32 | −91 | −45 | 128

Table 2.2: Extended Euclidean algorithm (Algorithm 2.107) with inputs a = 4864, b = 3458.


Efficient  algorithms  for  gcd  and  extended  gcd  computations  are  further  studied  in  § 14.4. 
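Algorithms 2.104 and 2.107 written out in Python, as an added example rather than the handbook's own code. `ext_euclid` keeps the variable names x2, x1, y2, y1 of Algorithm 2.107 and, when handed a list, appends one row per iteration in the column order of Table 2.2. The same routine is what Algorithm 2.142 in §2.4.4 uses to compute inverses, so `mod_inverse` is included here rather than repeated there: for a < n, solving n·x + a·y = 1 gives y ≡ a^{-1} (mod n).

```python
def euclid_gcd(a, b):
    """Algorithm 2.104 for non-negative a >= b."""
    while b != 0:
        a, b = b, a % b          # step 1.1: r <- a mod b, a <- b, b <- r
    return a


def ext_euclid(a, b, trace=None):
    """Algorithm 2.107: returns (d, x, y) with a*x + b*y = d = gcd(a, b),
    for non-negative a >= b.  If `trace` is a list, the tuple
    (q, r, x, y, a, b, x2, x1, y2, y1) is appended after each iteration,
    which reproduces the rows of Table 2.2."""
    if b == 0:                               # step 1
        return a, 1, 0
    x2, x1, y2, y1 = 1, 0, 0, 1              # step 2
    while b > 0:                             # step 3
        q = a // b                           # 3.1
        r = a - q * b
        x = x2 - q * x1
        y = y2 - q * y1
        a, b = b, r                          # 3.2
        x2, x1 = x1, x
        y2, y1 = y1, y
        if trace is not None:
            trace.append((q, r, x, y, a, b, x2, x1, y2, y1))
    return a, x2, y2                         # step 4


def mod_inverse(a, n):
    """Algorithm 2.142 via ext_euclid: a^{-1} mod n, or None when gcd(a, n) > 1
    (Fact 2.117).  ext_euclid(n, a) is called with the larger argument first,
    as Algorithm 2.107 requires, so the identity is n*x + a*y = d."""
    a %= n
    d, _x, y = ext_euclid(n, a)
    if d != 1:
        return None
    return y % n


def table_2_2_rows():
    """The trace for a = 4864, b = 3458 of Example 2.109."""
    rows = []
    ext_euclid(4864, 3458, rows)
    return rows
```

Both loops branch and divide on their inputs, so their running time depends on the values of a and n. That is immaterial for the table above, but it is why cryptographic libraries use separate constant-time inversion routines when the operand is secret (an RSA private exponent, for instance).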


2.4.3  The  integers  modulo  n 

Let  n be  a positive  integer. 

2.110 Definition If a and b are integers, then a is said to be congruent to b modulo n, written a ≡ b (mod n), if n divides (a − b). The integer n is called the modulus of the congruence.

2.111 Example (i) 24 ≡ 9 (mod 5) since 24 − 9 = 3 · 5.

(ii) −11 ≡ 17 (mod 7) since −11 − 17 = −4 · 7. □

2.112 Fact (properties of congruences) For all a, a1, b, b1, c ∈ Z, the following are true.

(i) a ≡ b (mod n) if and only if a and b leave the same remainder when divided by n.

(ii) (reflexivity) a ≡ a (mod n).

(iii) (symmetry) If a ≡ b (mod n) then b ≡ a (mod n).

(iv) (transitivity) If a ≡ b (mod n) and b ≡ c (mod n), then a ≡ c (mod n).

(v) If a ≡ a1 (mod n) and b ≡ b1 (mod n), then a + b ≡ a1 + b1 (mod n) and ab ≡ a1b1 (mod n).

The equivalence class of an integer a is the set of all integers congruent to a modulo n. From properties (ii), (iii), and (iv) above, it can be seen that for a fixed n the relation of congruence modulo n partitions Z into equivalence classes. Now, if a = qn + r, where 0 ≤ r < n, then a ≡ r (mod n). Hence each integer a is congruent modulo n to a unique integer between 0 and n − 1, called the least residue of a modulo n. Thus a and r are in the same equivalence class, and so r may simply be used to represent this equivalence class.

2.113 Definition The integers modulo n, denoted Z_n, is the set of (equivalence classes of) integers {0, 1, 2, ..., n − 1}. Addition, subtraction, and multiplication in Z_n are performed modulo n.

2.114 Example Z_25 = {0, 1, 2, ..., 24}. In Z_25, 13 + 16 = 4, since 13 + 16 = 29 ≡ 4 (mod 25). Similarly, 13 · 16 = 8 in Z_25. □

2.115 Definition Let a ∈ Z_n. The multiplicative inverse of a modulo n is an integer x ∈ Z_n such that ax ≡ 1 (mod n). If such an x exists, then it is unique, and a is said to be invertible, or a unit; the inverse of a is denoted by $a^{-1}$.

2.116 Definition Let a, b ∈ Z_n. Division of a by b modulo n is the product of a and $b^{-1}$ modulo n, and is only defined if b is invertible modulo n.

2.117 Fact Let a ∈ Z_n. Then a is invertible if and only if gcd(a, n) = 1.

2.118 Example The invertible elements in Z_9 are 1, 2, 4, 5, 7, and 8. For example, $4^{-1} = 7$ because 4 · 7 ≡ 1 (mod 9). □

The following is a generalization of Fact 2.117.

2.119 Fact Let d = gcd(a, n). The congruence equation ax ≡ b (mod n) has a solution x if and only if d divides b, in which case there are exactly d solutions between 0 and n − 1; these solutions are all congruent modulo n/d.

2.120 Fact (Chinese remainder theorem, CRT) If the integers $n_1, n_2, \ldots, n_k$ are pairwise relatively prime, then the system of simultaneous congruences

$x \equiv a_1 \pmod{n_1}$
$x \equiv a_2 \pmod{n_2}$
$\quad \vdots$
$x \equiv a_k \pmod{n_k}$

has a unique solution modulo $n = n_1 n_2 \cdots n_k$.

2.121 Algorithm (Gauss's algorithm) The solution x to the simultaneous congruences in the Chinese remainder theorem (Fact 2.120) may be computed as $x = \sum_{i=1}^{k} a_i N_i M_i \bmod n$, where $N_i = n/n_i$ and $M_i = N_i^{-1} \bmod n_i$. These computations can be performed in $O((\lg n)^2)$ bit operations.

Another efficient practical algorithm for solving simultaneous congruences in the Chinese remainder theorem is presented in §14.5.

2.122 Example The pair of congruences x ≡ 3 (mod 7), x ≡ 7 (mod 13) has a unique solution x ≡ 59 (mod 91). □
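Gauss's algorithm (Algorithm 2.121) in Python, as an added example and not the handbook's code. The pairwise-coprimality check is there because Fact 2.120 guarantees uniqueness only under that hypothesis; the inverse $M_i$ is taken with Python's built-in `pow(N_i, -1, n_i)` (available from Python 3.8), which plays the role of Algorithm 2.142.

```python
from math import gcd, prod


def crt_gauss(residues, moduli):
    """Algorithm 2.121 (Gauss's algorithm) for the system x = a_i (mod n_i).
    Returns the unique x in [0, n), n = n_1 * ... * n_k (Fact 2.120).
    Raises ValueError if the moduli are not pairwise coprime, since the
    theorem's existence and uniqueness guarantee then no longer applies."""
    if len(residues) != len(moduli):
        raise ValueError("one residue per modulus is required")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} share a factor")
    n = prod(moduli)
    x = 0
    for a_i, n_i in zip(residues, moduli):
        N_i = n // n_i                 # N_i = n / n_i
        M_i = pow(N_i, -1, n_i)        # M_i = N_i^{-1} mod n_i
        x += a_i * N_i * M_i
    return x % n


def satisfies(x, residues, moduli):
    """Check that x solves every congruence of the system."""
    return all((x - a_i) % n_i == 0 for a_i, n_i in zip(residues, moduli))
```

`crt_gauss([3, 7], [7, 13])` returns 59, matching Example 2.122; passing the same residue for every modulus returns that residue, which is Fact 2.123.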

2.123 Fact If gcd(n1, n2) = 1, then the pair of congruences x ≡ a (mod n1), x ≡ a (mod n2) has a unique solution x ≡ a (mod n1n2).

2.124 Definition The multiplicative group of Z_n is Z_n^* = {a ∈ Z_n | gcd(a, n) = 1}. In particular, if n is a prime, then Z_n^* = {a | 1 ≤ a ≤ n − 1}.

2.125 Definition The order of Z_n^* is defined to be the number of elements in Z_n^*, namely |Z_n^*|.

It follows from the definition of the Euler phi function (Definition 2.100) that |Z_n^*| = φ(n). Note also that if a ∈ Z_n^* and b ∈ Z_n^*, then a · b ∈ Z_n^*, and so Z_n^* is closed under multiplication.

2.126 Fact Let n ≥ 2 be an integer.

(i) (Euler's theorem) If a ∈ Z_n^*, then $a^{\phi(n)} \equiv 1 \pmod n$.

(ii) If n is a product of distinct primes, and if r ≡ s (mod φ(n)), then $a^r \equiv a^s \pmod n$ for all integers a. In other words, when working modulo such an n, exponents can be reduced modulo φ(n).

A special case of Euler's theorem is Fermat's (little) theorem.

2.127 Fact Let p be a prime.

(i) (Fermat's theorem) If gcd(a, p) = 1, then $a^{p-1} \equiv 1 \pmod p$.

(ii) If r ≡ s (mod p − 1), then $a^r \equiv a^s \pmod p$ for all integers a. In other words, when working modulo a prime p, exponents can be reduced modulo p − 1.

(iii) In particular, $a^p \equiv a \pmod p$ for all integers a.

2.128 Definition Let a ∈ Z_n^*. The order of a, denoted ord(a), is the least positive integer t such that $a^t \equiv 1 \pmod n$.

2.129 Fact If the order of a ∈ Z_n^* is t, and $a^s \equiv 1 \pmod n$, then t divides s. In particular, t | φ(n).

2.130 Example Let n = 21. Then Z_21^* = {1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20}. Note that φ(21) = φ(7)φ(3) = 12 = |Z_21^*|. The orders of elements in Z_21^* are listed in Table 2.3. □


a ∈ Z_21^* | 1 | 2 | 4 | 5 | 8 | 10 | 11 | 13 | 16 | 17 | 19 | 20
-----------+---+---+---+---+---+----+----+----+----+----+----+----
order of a | 1 | 6 | 3 | 6 | 2 |  6 |  6 |  2 |  3 |  6 |  6 |  2

Table 2.3: Orders of elements in Z_21^*.


2.131 Definition Let a ∈ Z_n^*. If the order of a is φ(n), then a is said to be a generator or a primitive element of Z_n^*. If Z_n^* has a generator, then Z_n^* is said to be cyclic.

2.132 Fact (properties of generators of Z_n^*)

(i) Z_n^* has a generator if and only if n = 2, 4, $p^k$ or $2p^k$, where p is an odd prime and k ≥ 1. In particular, if p is a prime, then Z_p^* has a generator.

(ii) If α is a generator of Z_n^*, then Z_n^* = {$\alpha^i$ mod n | 0 ≤ i ≤ φ(n) − 1}.

(iii) Suppose that α is a generator of Z_n^*. Then b = $\alpha^i$ mod n is also a generator of Z_n^* if and only if gcd(i, φ(n)) = 1. It follows that if Z_n^* is cyclic, then the number of generators is φ(φ(n)).

(iv) α ∈ Z_n^* is a generator of Z_n^* if and only if $\alpha^{\phi(n)/p} \not\equiv 1 \pmod n$ for each prime divisor p of φ(n).

2.133 Example Z_21^* is not cyclic since it does not contain an element of order φ(21) = 12 (see Table 2.3); note that 21 does not satisfy the condition of Fact 2.132(i). On the other hand, Z_25^* is cyclic, and has a generator α = 2. □

2.134 Definition Let a ∈ Z_n^*. a is said to be a quadratic residue modulo n, or a square modulo n, if there exists an x ∈ Z_n^* such that $x^2 \equiv a \pmod n$. If no such x exists, then a is called a quadratic non-residue modulo n. The set of all quadratic residues modulo n is denoted by Q_n and the set of all quadratic non-residues is denoted by $\overline{Q}_n$.

Note that by definition 0 ∉ Z_n^*, whence 0 ∉ Q_n and 0 ∉ $\overline{Q}_n$.

2.135 Fact Let p be an odd prime and let α be a generator of Z_p^*. Then a ∈ Z_p^* is a quadratic residue modulo p if and only if a = $\alpha^i$ mod p, where i is an even integer. It follows that |Q_p| = (p − 1)/2 and |$\overline{Q}_p$| = (p − 1)/2; that is, half of the elements in Z_p^* are quadratic residues and the other half are quadratic non-residues.

2.136 Example α = 6 is a generator of Z_13^*. The powers of α are listed in the following table.


     i      | 0 | 1 |  2 | 3 | 4 | 5 |  6 | 7 | 8 | 9 | 10 | 11
------------+---+---+----+---+---+---+----+---+---+---+----+----
 α^i mod 13 | 1 | 6 | 10 | 8 | 9 | 2 | 12 | 7 | 3 | 5 |  4 | 11

Hence Q_13 = {1, 3, 4, 9, 10, 12} and $\overline{Q}_{13}$ = {2, 5, 6, 7, 8, 11}. □

2.137 Fact Let n be a product of two distinct odd primes p and q, n = pq. Then a ∈ Z_n^* is a quadratic residue modulo n if and only if a ∈ Q_p and a ∈ Q_q. It follows that |Q_n| = |Q_p| · |Q_q| = (p − 1)(q − 1)/4 and |$\overline{Q}_n$| = 3(p − 1)(q − 1)/4.

2.138 Example Let n = 21. Then Q_21 = {1, 4, 16} and $\overline{Q}_{21}$ = {2, 5, 8, 10, 11, 13, 17, 19, 20}. □

2.139 Definition Let a ∈ Q_n. If x ∈ Z_n^* satisfies $x^2 \equiv a \pmod n$, then x is called a square root of a modulo n.

2.140 Fact (number of square roots)

(i) If p is an odd prime and a ∈ Q_p, then a has exactly two square roots modulo p.

(ii) More generally, let $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$ where the $p_i$ are distinct odd primes and $e_i \ge 1$. If a ∈ Q_n, then a has precisely $2^k$ distinct square roots modulo n.

2.141 Example The square roots of 12 modulo 37 are 7 and 30. The square roots of 121 modulo 315 are 11, 74, 101, 151, 164, 214, 241, and 304. □

©1997  by  CRC  Press,  Inc.  — See  accompanying  notice  at  front  of  chapter. 




2.4.4 Algorithms in Z_n

Let n be a positive integer. As before, the elements of Z_n will be represented by the integers {0, 1, 2, ..., n − 1}.

Observe that if a, b ∈ Z_n, then

$(a + b) \bmod n = \begin{cases} a + b, & \text{if } a + b < n, \\ a + b - n, & \text{if } a + b \ge n. \end{cases}$

Hence modular addition (and subtraction) can be performed without the need of a long division. Modular multiplication of a and b may be accomplished by simply multiplying a and b as integers, and then taking the remainder of the result after division by n. Inverses in Z_n can be computed using the extended Euclidean algorithm as next described.


2.142 Algorithm Computing multiplicative inverses in Z_n

INPUT: a ∈ Z_n.

OUTPUT: $a^{-1}$ mod n, provided that it exists.

1. Use the extended Euclidean algorithm (Algorithm 2.107) to find integers x and y such that ax + ny = d, where d = gcd(a, n).

2. If d > 1, then $a^{-1}$ mod n does not exist. Otherwise, return(x).


Modular exponentiation can be performed efficiently with the repeated square-and-multiply algorithm (Algorithm 2.143), which is crucial for many cryptographic protocols. One version of this algorithm is based on the following observation. Let the binary representation of k be $\sum_{i=0}^{t} k_i 2^i$, where each $k_i \in \{0, 1\}$. Then

$a^k = \prod_{i=0}^{t} a^{k_i 2^i} = (a^{2^0})^{k_0} (a^{2^1})^{k_1} \cdots (a^{2^t})^{k_t}.$

2.143 Algorithm Repeated square-and-multiply algorithm for exponentiation in Z_n

INPUT: a ∈ Z_n, and integer 0 ≤ k < n whose binary representation is $k = \sum_{i=0}^{t} k_i 2^i$.

OUTPUT: $a^k$ mod n.

1. Set b ← 1. If k = 0 then return(b).

2. Set A ← a.

3. If $k_0$ = 1 then set b ← a.

4. For i from 1 to t do the following:

4.1 Set A ← $A^2$ mod n.

4.2 If $k_i$ = 1 then set b ← A · b mod n.

5. Return(b).

2.144 Example (modular exponentiation) Table 2.4 shows the steps involved in the computation of $5^{596}$ mod 1234 = 1013. □

The number of bit operations for the basic operations in Z_n is summarized in Table 2.5. Efficient algorithms for performing modular multiplication and exponentiation are further examined in §14.3 and §14.6.
   i   |   0  |   1  |   2  |   3  |   4  |   5  |   6  |   7  |   8  |   9
-------+------+------+------+------+------+------+------+------+------+------
  k_i  |   0  |   0  |   1  |   0  |   1  |   0  |   1  |   0  |   0  |   1
   A   |   5  |  25  |  625 |  681 | 1011 |  369 |  421 |  779 |  947 |  925
   b   |   1  |   1  |  625 |  625 |   67 |   67 | 1059 | 1059 | 1059 | 1013

Table 2.4: Computation of $5^{596}$ mod 1234.


Operation                                | Bit complexity
-----------------------------------------+----------------
Modular addition        (a + b) mod n    | O(lg n)
Modular subtraction     (a − b) mod n    | O(lg n)
Modular multiplication  (a · b) mod n    | O((lg n)^2)
Modular inversion       a^{-1} mod n     | O((lg n)^2)
Modular exponentiation  a^k mod n, k < n | O((lg n)^3)

Table 2.5: Bit complexity of basic operations in Z_n.
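The opening observation of §2.4.4 (addition by a single comparison) and Algorithm 2.143 in Python, as an added example rather than the handbook's own code. `square_and_multiply` follows the step numbering of the algorithm, scans the exponent bits $k_0, k_1, \ldots, k_t$ from the least significant end, and can record the (i, k_i, A, b) tuples that make up Table 2.4.

```python
def add_mod(a, b, n):
    """Modular addition with one comparison in place of a long division, per
    the observation at the start of Section 2.4.4; assumes 0 <= a, b < n."""
    s = a + b
    return s - n if s >= n else s


def sub_mod(a, b, n):
    """The same idea for subtraction: a - b lies in (-n, n)."""
    s = a - b
    return s + n if s < 0 else s


def square_and_multiply(a, k, n, trace=None):
    """Algorithm 2.143: a^k mod n.  If `trace` is a list, one tuple
    (i, k_i, A, b) per exponent bit is appended; for (5, 596, 1234) these
    are the columns of Table 2.4."""
    if k < 0:
        raise ValueError("exponent must be non-negative")
    b = 1                                                   # step 1
    if k == 0:
        return b % n
    A = a % n                                               # step 2
    bits = [(k >> i) & 1 for i in range(k.bit_length())]    # k_0 ... k_t
    if bits[0] == 1:                                        # step 3
        b = A
    if trace is not None:
        trace.append((0, bits[0], A, b))
    for i in range(1, len(bits)):                           # step 4
        A = A * A % n                                       # 4.1: A <- A^2 mod n
        if bits[i] == 1:                                    # 4.2: multiply only on a set bit
            b = A * b % n
        if trace is not None:
            trace.append((i, bits[i], A, b))
    return b % n                                            # step 5


def table_2_4_rows():
    """The trace for 5^596 mod 1234 of Example 2.144."""
    rows = []
    square_and_multiply(5, 596, 1234, rows)
    return rows


def matches_builtin(samples):
    """Cross-check against Python's pow(a, k, n) on a list of (a, k, n) triples."""
    return all(square_and_multiply(a, k, n) == pow(a, k, n) for a, k, n in samples)
```

Step 4.2 multiplies only when the current exponent bit is 1, so the sequence of operations the code performs mirrors the bits of k. For a public exponent that is harmless; for a secret one (an RSA private exponent or a Diffie-Hellman secret) it is the classic timing and power side channel, which is why production libraries exponentiate with a fixed-window or ladder variant that performs the same operations for every bit value.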


2.4.5  The  Legendre  and  Jacobi  symbols 

The  Legendre  symbol  is  a useful  tool  for  keeping  track  of  whether  or  not  an  integer  a is  a 
quadratic  residue  modulo  a prime  p. 


2.145 Definition Let p be an odd prime and a an integer. The Legendre symbol $\left(\frac{a}{p}\right)$ is defined to be

$\left(\frac{a}{p}\right) = \begin{cases} 0, & \text{if } p \mid a, \\ 1, & \text{if } a \in Q_p, \\ -1, & \text{if } a \in \overline{Q}_p. \end{cases}$

2.146 Fact (properties of Legendre symbol) Let p be an odd prime and a, b ∈ Z. Then the Legendre symbol has the following properties:

(i) $\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod p$. In particular, $\left(\frac{1}{p}\right) = 1$ and $\left(\frac{-1}{p}\right) = (-1)^{(p-1)/2}$. Hence −1 ∈ Q_p if p ≡ 1 (mod 4), and −1 ∈ $\overline{Q}_p$ if p ≡ 3 (mod 4).

(ii) $\left(\frac{ab}{p}\right) = \left(\frac{a}{p}\right)\left(\frac{b}{p}\right)$. Hence if a ∈ Z_p^*, then $\left(\frac{a^2}{p}\right) = 1$.

(iii) If a ≡ b (mod p), then $\left(\frac{a}{p}\right) = \left(\frac{b}{p}\right)$.

(iv) $\left(\frac{2}{p}\right) = (-1)^{(p^2-1)/8}$. Hence $\left(\frac{2}{p}\right) = 1$ if p ≡ 1 or 7 (mod 8), and $\left(\frac{2}{p}\right) = -1$ if p ≡ 3 or 5 (mod 8).

(v) (law of quadratic reciprocity) If q is an odd prime distinct from p, then

$\left(\frac{p}{q}\right) = \left(\frac{q}{p}\right)(-1)^{(p-1)(q-1)/4}.$

In other words, $\left(\frac{p}{q}\right) = \left(\frac{q}{p}\right)$ unless both p and q are congruent to 3 modulo 4, in which case $\left(\frac{p}{q}\right) = -\left(\frac{q}{p}\right)$.

The  Jacobi  symbol  is  a generalization  of  the  Legendre  symbol  to  integers  n which  are 
odd  but  not  necessarily  prime. 
2.147 Definition Let n ≥ 3 be odd with prime factorization $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$. Then the Jacobi symbol $\left(\frac{a}{n}\right)$ is defined to be

Observe that if n is prime, then the Jacobi symbol is just the Legendre symbol.

2.148 Fact (properties of Jacobi symbol) Let m ≥ 3, n ≥ 3 be odd integers, and a, b ∈ Z. Then the Jacobi symbol has the following properties:

(i) $\left(\frac{a}{n}\right) = 0, 1$, or −1. Moreover, $\left(\frac{a}{n}\right) = 0$ if and only if gcd(a, n) ≠ 1.

(ii) $\left(\frac{ab}{n}\right) = \left(\frac{a}{n}\right)\left(\frac{b}{n}\right)$. Hence if a ∈ Z_n^*, then $\left(\frac{a^2}{n}\right) = 1$.

(iii) $\left(\frac{a}{mn}\right) = \left(\frac{a}{m}\right)\left(\frac{a}{n}\right)$.

(iv) If a ≡ b (mod n), then $\left(\frac{a}{n}\right) = \left(\frac{b}{n}\right)$.

(v) $\left(\frac{1}{n}\right) = 1$.

(vi) $\left(\frac{-1}{n}\right) = (-1)^{(n-1)/2}$. Hence $\left(\frac{-1}{n}\right) = 1$ if n ≡ 1 (mod 4), and $\left(\frac{-1}{n}\right) = -1$ if n ≡ 3 (mod 4).

(vii) $\left(\frac{2}{n}\right) = (-1)^{(n^2-1)/8}$. Hence $\left(\frac{2}{n}\right) = 1$ if n ≡ 1 or 7 (mod 8), and $\left(\frac{2}{n}\right) = -1$ if n ≡ 3 or 5 (mod 8).

(viii) $\left(\frac{m}{n}\right) = \left(\frac{n}{m}\right)(-1)^{(m-1)(n-1)/4}$. In other words, $\left(\frac{m}{n}\right) = \left(\frac{n}{m}\right)$ unless both m and n are congruent to 3 modulo 4, in which case $\left(\frac{m}{n}\right) = -\left(\frac{n}{m}\right)$.

By properties of the Jacobi symbol it follows that if n is odd and $a = 2^e a_1$ where $a_1$ is odd, then

This observation yields the following recursive algorithm for computing $\left(\frac{a}{n}\right)$, which does not require the prime factorization of n.

2.149 Algorithm Jacobi symbol (and Legendre symbol) computation

JACOBI(a, n)

INPUT: an odd integer n ≥ 3, and an integer a, 0 ≤ a < n.

OUTPUT: the Jacobi symbol $\left(\frac{a}{n}\right)$ (and hence the Legendre symbol when n is prime).

1. If a = 0 then return(0).

2. If a = 1 then return(1).

3. Write $a = 2^e a_1$, where $a_1$ is odd.

4. If e is even then set s ← 1. Otherwise set s ← 1 if n ≡ 1 or 7 (mod 8), or set s ← −1 if n ≡ 3 or 5 (mod 8).

5. If n ≡ 3 (mod 4) and $a_1$ ≡ 3 (mod 4) then set s ← −s.

6. Set $n_1$ ← n mod $a_1$.

7. If $a_1$ = 1 then return(s); otherwise return(s · JACOBI($n_1$, $a_1$)).

2.150 Fact Algorithm 2.149 has a running time of $O((\lg n)^2)$ bit operations.
2.151 Remark (finding quadratic non-residues modulo a prime p) Let p denote an odd prime. Even though it is known that half of the elements in Z_p^* are quadratic non-residues modulo p (see Fact 2.135), there is no deterministic polynomial-time algorithm known for finding one. A randomized algorithm for finding a quadratic non-residue is to simply select random integers a ∈ Z_p^* until one is found satisfying $\left(\frac{a}{p}\right) = -1$. The expected number of iterations before a non-residue is found is 2, and hence the procedure takes expected polynomial-time.


2.152 Example (Jacobi symbol computation) For a = 158 and n = 235, Algorithm 2.149 computes the Jacobi symbol as follows:

$\left(\frac{158}{235}\right) = \left(\frac{2}{235}\right)\left(\frac{79}{235}\right) = (-1)\left(\frac{235}{79}\right)(-1)^{78 \cdot 234/4} = \left(\frac{77}{79}\right) = \left(\frac{79}{77}\right)(-1)^{76 \cdot 78/4} = \left(\frac{2}{77}\right) = -1.$

□

Unlike the Legendre symbol, the Jacobi symbol $\left(\frac{a}{n}\right)$ does not reveal whether or not a is a quadratic residue modulo n. It is indeed true that if a ∈ Q_n, then $\left(\frac{a}{n}\right) = 1$. However, $\left(\frac{a}{n}\right) = 1$ does not imply that a ∈ Q_n.


2.153 Example (quadratic residues and non-residues) Table 2.6 lists the elements in Z_21^* and their Jacobi symbols. Recall from Example 2.138 that Q_21 = {1, 4, 16}. Observe that $\left(\frac{5}{21}\right) = 1$ but 5 ∉ Q_21. □


a ∈ Z_21^* |  1 |  2 |  4 |  5 |  8 | 10 | 11 | 13 | 16 | 17 | 19 | 20
-----------+----+----+----+----+----+----+----+----+----+----+----+----
a^2 mod n  |  1 |  4 | 16 |  4 |  1 | 16 | 16 |  1 |  4 | 16 |  4 |  1
(a/3)      |  1 | −1 |  1 | −1 | −1 |  1 | −1 |  1 |  1 | −1 |  1 | −1
(a/7)      |  1 |  1 |  1 | −1 |  1 | −1 |  1 | −1 |  1 | −1 | −1 | −1
(a/21)     |  1 | −1 |  1 |  1 | −1 | −1 | −1 | −1 |  1 |  1 | −1 |  1

Table 2.6: Jacobi symbols of elements in Z_21^*.


2.154 Definition Let n ≥ 3 be an odd integer, and let J_n = {a ∈ Z_n^* | $\left(\frac{a}{n}\right) = 1$}. The set of pseudosquares modulo n, denoted $\widetilde{Q}_n$, is defined to be the set J_n − Q_n.

2.155 Fact Let n = pq be a product of two distinct odd primes. Then |Q_n| = |$\widetilde{Q}_n$| = (p − 1)(q − 1)/4; that is, half of the elements in J_n are quadratic residues and the other half are pseudosquares.
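Algorithm 2.149, the Euler-criterion form of the Legendre symbol (Fact 2.146(i)), and the sets Q_n, J_n and $\widetilde{Q}_n$ of Definition 2.154, as an added Python example that is not the handbook's own code. It reproduces Example 2.152, the three Jacobi rows of Table 2.6, and the pseudosquares of Example 2.159. `jacobi` is written as a loop instead of the book's recursion, with each pass performing steps 1 to 6 and folding the sign s into an accumulator in place of the recursive call in step 7; reducing a modulo n first relies on Fact 2.148(iv).

```python
from math import gcd


def jacobi(a, n):
    """Algorithm 2.149, JACOBI(a, n), iteratively.  n must be odd and >= 3;
    a is first reduced modulo n (Fact 2.148(iv))."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer >= 3")
    a %= n
    result = 1
    while True:
        if a == 0:                                   # step 1
            return 0
        if a == 1:                                   # step 2
            return result
        e, a1 = 0, a                                 # step 3: a = 2^e * a1, a1 odd
        while a1 % 2 == 0:
            a1 //= 2
            e += 1
        if e % 2 == 0:                               # step 4
            s = 1
        else:
            s = 1 if n % 8 in (1, 7) else -1
        if n % 4 == 3 and a1 % 4 == 3:               # step 5
            s = -s
        n1 = n % a1                                  # step 6
        result *= s                                  # step 7: s * JACOBI(n1, a1)
        if a1 == 1:
            return result
        a, n = n1, a1


def legendre_euler(a, p):
    """Fact 2.146(i): (a/p) = a^((p-1)/2) mod p for an odd prime p, mapped to {0, 1, -1}."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def units(n):
    """Z_n^* (Definition 2.124)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def quadratic_residues(n):
    """Q_n by exhaustion (Definition 2.134): the squares of the units of Z_n."""
    return sorted({x * x % n for x in units(n)})


def jacobi_one_set(n):
    """J_n = {a in Z_n^* : (a/n) = 1} (Definition 2.154)."""
    return [a for a in units(n) if jacobi(a, n) == 1]


def pseudosquares(n):
    """Q~_n = J_n - Q_n: Jacobi symbol 1, yet not a square modulo n."""
    return sorted(set(jacobi_one_set(n)) - set(quadratic_residues(n)))
```

`jacobi` never needs the factorization of n, which is the whole point of Algorithm 2.149; `quadratic_residues` does an exhaustive search and is there only to exhibit the pseudosquares on a toy modulus, since for a modulus of cryptographic size deciding membership in Q_n without p and q is exactly the hard problem that Definition 2.154 sets up.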


2.4.6  Blum  integers 

2.156 Definition A Blum integer is a composite integer of the form n = pq, where p and q are distinct primes each congruent to 3 modulo 4.

2.157 Fact Let n = pq be a Blum integer, and let a ∈ Q_n. Then a has precisely four square roots modulo n, exactly one of which is also in Q_n.

2.158 Definition Let n be a Blum integer and let a ∈ Q_n. The unique square root of a in Q_n is called the principal square root of a modulo n.

2.159 Example (Blum integer) For the Blum integer n = 21, J_n = {1, 4, 5, 16, 17, 20} and $\widetilde{Q}_n$ = {5, 17, 20}. The four square roots of a = 4 are 2, 5, 16, and 19, of which only 16 is also in Q_21. Thus 16 is the principal square root of 4 modulo 21. □

2.160 Fact If n = pq is a Blum integer, then the function f : Q_n → Q_n defined by f(x) = $x^2$ mod n is a permutation. The inverse function of f is:

$f^{-1}(x) = x^{((p-1)(q-1)+4)/8} \bmod n.$
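Square roots modulo n (Definition 2.139, Fact 2.140) and the principal square root of Fact 2.160, as an added Python example rather than the handbook's own code. Exhaustive search over Z_n^* is used only to confirm the root counts of Examples 2.141 and 2.159; the part worth noting is that for a Blum integer the inverse of squaring on Q_n is a single exponentiation whose exponent depends on p and q, so it is available only to a party holding the factorization.

```python
from math import gcd


def square_roots(a, n):
    """All x in Z_n^* with x^2 = a (mod n), by exhaustive search (Definition 2.139).
    Adequate for the small moduli of the examples, not an algorithm for real sizes."""
    a %= n
    return [x for x in range(1, n) if gcd(x, n) == 1 and x * x % n == a]


def quadratic_residues(n):
    """Q_n: the squares of the units of Z_n."""
    return sorted({x * x % n for x in range(1, n) if gcd(x, n) == 1})


def is_blum(p, q):
    """Definition 2.156, assuming p and q are prime: distinct and both 3 mod 4."""
    return p != q and p % 4 == 3 and q % 4 == 3


def principal_square_root(a, p, q):
    """Fact 2.160: f^{-1}(a) = a^(((p-1)(q-1)+4)/8) mod n for a in Q_n, n = pq."""
    if not is_blum(p, q):
        raise ValueError("n = pq must be a Blum integer")
    n = p * q
    return pow(a, ((p - 1) * (q - 1) + 4) // 8, n)


def squaring_permutes_Qn(p, q):
    """Check Fact 2.160: for every a in Q_n, f^{-1}(a) lies in Q_n and squares to a."""
    n = p * q
    qn = quadratic_residues(n)
    return all(principal_square_root(a, p, q) in qn
               and principal_square_root(a, p, q) ** 2 % n == a for a in qn)
```

For n = 21 the exponent is ((2)(6) + 4)/8 = 2, so `principal_square_root(4, 3, 7)` is $4^2$ mod 21 = 16, the value named in Example 2.159; `square_roots(121, 315)` returns $2^3 = 8$ roots because 315 = $3^2 \cdot 5 \cdot 7$ has three distinct prime factors (Fact 2.140(ii)).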


2.5  Abstract  algebra 

This section provides an overview of basic algebraic objects and their properties, for reference in the remainder of this handbook. Several of the definitions in §2.5.1 and §2.5.2 were presented earlier in §2.4.3 in the more concrete setting of the algebraic structure Z_n^*.

2.161 Definition A binary operation ∗ on a set S is a mapping from S × S to S. That is, ∗ is a rule which assigns to each ordered pair of elements from S an element of S.


2.5.1  Groups 

2.162 Definition A group (G, ∗) consists of a set G with a binary operation ∗ on G satisfying the following three axioms.

(i) The group operation is associative. That is, a ∗ (b ∗ c) = (a ∗ b) ∗ c for all a, b, c ∈ G.

(ii) There is an element 1 ∈ G, called the identity element, such that a ∗ 1 = 1 ∗ a = a for all a ∈ G.

(iii) For each a ∈ G there exists an element $a^{-1}$ ∈ G, called the inverse of a, such that a ∗ $a^{-1}$ = $a^{-1}$ ∗ a = 1.

A group G is abelian (or commutative) if, furthermore,

(iv) a ∗ b = b ∗ a for all a, b ∈ G.

Note  that  multiplicative  group  notation  has  been  used  for  the  group  operation.  If  the 
group  operation  is  addition,  then  the  group  is  said  to  be  an  additive  group,  the  identity  ele- 
ment is  denoted  by  0,  and  the  inverse  of  a is  denoted  —a. 

Henceforth,  unless  otherwise  stated,  the  symbol  * will  be  omitted  and  the  group  oper- 
ation will  simply  be  denoted  by  juxtaposition. 

2.163 Definition A group G is finite if |G| is finite. The number of elements in a finite group is called its order.

2.164 Example The set of integers Z with the operation of addition forms a group. The identity element is 0 and the inverse of an integer a is the integer −a. □

2.165 Example The set Z_n, with the operation of addition modulo n, forms a group of order n. The set Z_n with the operation of multiplication modulo n is not a group, since not all elements have multiplicative inverses. However, the set Z_n^* (see Definition 2.124) is a group of order φ(n) under the operation of multiplication modulo n, with identity element 1. □
2.166 Definition A non-empty subset H of a group G is a subgroup of G if H is itself a group with respect to the operation of G. If H is a subgroup of G and H ≠ G, then H is called a proper subgroup of G.

2.167 Definition A group G is cyclic if there is an element α ∈ G such that for each b ∈ G there is an integer i with b = $\alpha^i$. Such an element α is called a generator of G.

2.168 Fact If G is a group and a ∈ G, then the set of all powers of a forms a cyclic subgroup of G, called the subgroup generated by a, and denoted by ⟨a⟩.

2.169 Definition Let G be a group and a ∈ G. The order of a is defined to be the least positive integer t such that $a^t$ = 1, provided that such an integer exists. If such a t does not exist, then the order of a is defined to be ∞.

2.170 Fact Let G be a group, and let a ∈ G be an element of finite order t. Then |⟨a⟩|, the size of the subgroup generated by a, is equal to t.

2.171 Fact (Lagrange's theorem) If G is a finite group and H is a subgroup of G, then |H| divides |G|. Hence, if a ∈ G, the order of a divides |G|.

2.172 Fact Every subgroup of a cyclic group G is also cyclic. In fact, if G is a cyclic group of order n, then for each positive divisor d of n, G contains exactly one subgroup of order d.

2.173 Fact Let G be a group.

(i) If the order of a ∈ G is t, then the order of $a^k$ is t / gcd(t, k).

(ii) If G is a cyclic group of order n and d | n, then G has exactly φ(d) elements of order d. In particular, G has φ(n) generators.

2.174 Example Consider the multiplicative group Z_19^* = {1, 2, ..., 18} of order 18. The group is cyclic (Fact 2.132(i)), and a generator is α = 2. The subgroups of Z_19^*, and their generators, are listed in Table 2.7. □


Subgroup                       | Generators            | Order
-------------------------------+-----------------------+------
{1}                            | 1                     |   1
{1, 18}                        | 18                    |   2
{1, 7, 11}                     | 7, 11                 |   3
{1, 7, 8, 11, 12, 18}          | 8, 12                 |   6
{1, 4, 5, 6, 7, 9, 11, 16, 17} | 4, 5, 6, 9, 16, 17    |   9
{1, 2, 3, ..., 18}             | 2, 3, 10, 13, 14, 15  |  18

Table 2.7: The subgroups of Z_19^*.
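An added Python example (not the handbook's code) that rebuilds Table 2.7 by enumerating the subgroup ⟨a⟩ of Fact 2.168 for every a ∈ Z_19^*, and then checks the structural facts the table illustrates: Lagrange's theorem (Fact 2.171), one subgroup per divisor of the group order (Fact 2.172) and φ(d) generators for the subgroup of order d (Fact 2.173(ii)). The check is written for a prime modulus p, where Z_p^* is cyclic of order p − 1 by Fact 2.132(i); φ is computed by counting, per Definition 2.100.

```python
from math import gcd


def units(n):
    """Z_n^* (Definition 2.124)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def generated_subgroup(a, n):
    """<a>, the cyclic subgroup of Z_n^* generated by the unit a (Fact 2.168),
    returned as a sorted tuple so that it can serve as a dictionary key."""
    elements, x = [], 1
    while True:
        elements.append(x)
        x = x * a % n
        if x == 1:
            return tuple(sorted(elements))


def subgroup_table(n):
    """Map each cyclic subgroup of Z_n^* to the sorted list of its generators;
    for n = 19 these are the rows of Table 2.7."""
    table = {}
    for a in units(n):
        table.setdefault(generated_subgroup(a, n), []).append(a)
    return table


def phi(m):
    """Euler phi by counting (Definition 2.100); phi(1) = 1."""
    return sum(1 for k in range(1, m + 1) if gcd(k, m) == 1)


def divisors(m):
    return [d for d in range(1, m + 1) if m % d == 0]


def cyclic_structure_holds(p):
    """For a prime p: the subgroup orders are exactly the divisors of p - 1, each
    occurring once (Facts 2.171 and 2.172), and the subgroup of order d has
    phi(d) generators (Fact 2.173(ii))."""
    table = subgroup_table(p)
    if sorted(len(h) for h in table) != divisors(p - 1):
        return False
    return all(len(gens) == phi(len(h)) for h, gens in table.items())
```

The six generators of the whole group returned for n = 19 are the φ(18) = 6 elements of order 18, which is the count Fact 2.173(ii) gives for the generators of a cyclic group.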


2.5.2  Rings 

2.175 Definition A ring (R, +, ×) consists of a set R with two binary operations arbitrarily denoted + (addition) and × (multiplication) on R, satisfying the following axioms.

(i) (R, +) is an abelian group with identity denoted 0.



(ii) The operation × is associative. That is, a × (b × c) = (a × b) × c for all a, b, c ∈ R.

(iii) There is a multiplicative identity denoted 1, with 1 ≠ 0, such that 1 × a = a × 1 = a for all a ∈ R.

(iv) The operation × is distributive over +. That is, a × (b + c) = (a × b) + (a × c) and (b + c) × a = (b × a) + (c × a) for all a, b, c ∈ R.

The ring is a commutative ring if a × b = b × a for all a, b ∈ R.

2.176 Example The set of integers Z with the usual operations of addition and multiplication is a commutative ring. □

2.177 Example The set Z_n with addition and multiplication performed modulo n is a commutative ring. □

2.178 Definition An element a of a ring R is called a unit or an invertible element if there is an element b ∈ R such that a × b = 1.

2.179 Fact The set of units in a ring R forms a group under multiplication, called the group of units of R.

2.180 Example The group of units of the ring Z_n is Z_n^* (see Definition 2.124). □


2.5.3  Fields 

2.181 Definition A field is a commutative ring in which all non-zero elements have multiplica-
tive inverses.

2.182 Definition The characteristic of a field is 0 if 1 + 1 + ··· + 1 (m times) is never equal to 0 for any
m ≥ 1. Otherwise, the characteristic of the field is the least positive integer m such that
Σ_{i=1}^{m} 1 equals 0.

2.183 Example The set of integers under the usual operations of addition and multiplication is
not a field, since the only non-zero integers with multiplicative inverses are 1 and -1. How-
ever, the rational numbers Q, the real numbers R, and the complex numbers C form fields
of characteristic 0 under the usual operations. □

2.184 Fact Z_n is a field (under the usual operations of addition and multiplication modulo n) if
and only if n is a prime number. If n is prime, then Z_n has characteristic n.

2.185  Fact  If  the  characteristic  m of  a field  is  not  0,  then  m is  a prime  number. 

2.186 Definition A subset F of a field E is a subfield of E if F is itself a field with respect to
the operations of E. If this is the case, E is said to be an extension field of F.
2.5.4 Polynomial rings

2.187 Definition If R is a commutative ring, then a polynomial in the indeterminate x over the
ring R is an expression of the form

f(x) = a_n x^n + ··· + a_2 x^2 + a_1 x + a_0

where each a_i ∈ R and n ≥ 0. The element a_i is called the coefficient of x^i in f(x).
The largest integer m for which a_m ≠ 0 is called the degree of f(x), denoted deg f(x);
a_m is called the leading coefficient of f(x). If f(x) = a_0 (a constant polynomial) and
a_0 ≠ 0, then f(x) has degree 0. If all the coefficients of f(x) are 0, then f(x) is called the
zero polynomial and its degree, for mathematical convenience, is defined to be -∞. The
polynomial f(x) is said to be monic if its leading coefficient is equal to 1.

2.188 Definition If R is a commutative ring, the polynomial ring R[x] is the ring formed by the
set of all polynomials in the indeterminate x having coefficients from R. The two opera-
tions are the standard polynomial addition and multiplication, with coefficient arithmetic
performed in the ring R.

2.189 Example (polynomial ring) Let f(x) = x^3 + x + 1 and g(x) = x^2 + x be elements of
the polynomial ring Z_2[x]. Working in Z_2[x],

f(x) + g(x) = x^3 + x^2 + 1

and

f(x) · g(x) = x^5 + x^4 + x^3 + x. □

For the remainder of this section, F will denote an arbitrary field. The polynomial ring
F[x] has many properties in common with the integers (more precisely, F[x] and Z are both
Euclidean domains; however, this generalization will not be pursued here). These similar-
ities are investigated further.

2.190 Definition Let f(x) ∈ F[x] be a polynomial of degree at least 1. Then f(x) is said to be
irreducible over F if it cannot be written as the product of two polynomials in F[x], each
of positive degree.

2.191 Definition (division algorithm for polynomials) If g(x), h(x) ∈ F[x], with h(x) ≠ 0,
then ordinary polynomial long division of g(x) by h(x) yields polynomials q(x) and r(x) ∈
F[x] such that

g(x) = q(x)h(x) + r(x), where deg r(x) < deg h(x).

Moreover, q(x) and r(x) are unique. The polynomial q(x) is called the quotient, while
r(x) is called the remainder. The remainder of the division is sometimes denoted g(x) mod
h(x), and the quotient is sometimes denoted g(x) div h(x) (cf. Definition 2.82).

2.192 Example (polynomial division) Consider the polynomials g(x) = x^6 + x^5 + x^3 + x^2 + x + 1
and h(x) = x^4 + x^3 + 1 in Z_2[x]. Polynomial long division of g(x) by h(x) yields

g(x) = x^2 h(x) + (x^3 + x + 1).

Hence g(x) mod h(x) = x^3 + x + 1 and g(x) div h(x) = x^2. □
2.193 Definition If g(x), h(x) ∈ F[x] then h(x) divides g(x), written h(x) | g(x), if g(x) mod
h(x) = 0.

Let f(x) be a fixed polynomial in F[x]. As with the integers (Definition 2.110), one
can define congruences of polynomials in F[x] based on division by f(x).

2.194 Definition If g(x), h(x) ∈ F[x], then g(x) is said to be congruent to h(x) modulo f(x)
if f(x) divides g(x) - h(x). This is denoted by g(x) ≡ h(x) (mod f(x)).

2.195 Fact (properties of congruences) For all g(x), h(x), g_1(x), h_1(x), s(x) ∈ F[x], the fol-
lowing are true.

(i) g(x) ≡ h(x) (mod f(x)) if and only if g(x) and h(x) leave the same remainder
upon division by f(x).

(ii) (reflexivity) g(x) ≡ g(x) (mod f(x)).

(iii) (symmetry) If g(x) ≡ h(x) (mod f(x)), then h(x) ≡ g(x) (mod f(x)).

(iv) (transitivity) If g(x) ≡ h(x) (mod f(x)) and h(x) ≡ s(x) (mod f(x)), then
g(x) ≡ s(x) (mod f(x)).

(v) If g(x) ≡ g_1(x) (mod f(x)) and h(x) ≡ h_1(x) (mod f(x)), then g(x) + h(x) ≡
g_1(x) + h_1(x) (mod f(x)) and g(x)h(x) ≡ g_1(x)h_1(x) (mod f(x)).

Let f(x) be a fixed polynomial in F[x]. The equivalence class of a polynomial g(x) ∈
F[x] is the set of all polynomials in F[x] congruent to g(x) modulo f(x). From properties
(ii), (iii), and (iv) above, it can be seen that the relation of congruence modulo f(x) par-
titions F[x] into equivalence classes. If g(x) ∈ F[x], then long division by f(x) yields
unique polynomials q(x), r(x) ∈ F[x] such that g(x) = q(x)f(x) + r(x), where deg r(x)
< deg f(x). Hence every polynomial g(x) is congruent modulo f(x) to a unique polyno-
mial of degree less than deg f(x). The polynomial r(x) will be used as representative of
the equivalence class of polynomials containing g(x).

2.196 Definition F[x]/(f(x)) denotes the set of (equivalence classes of) polynomials in F[x]
of degree less than n = deg f(x). Addition and multiplication are performed modulo f(x).

2.197 Fact F[x]/(f(x)) is a commutative ring.

2.198 Fact If f(x) is irreducible over F, then F[x]/(f(x)) is a field.


2.5.5  Vector  spaces 

2.199 Definition A vector space V over a field F is an abelian group (V, +), together with a
multiplication operation · : F × V → V (usually denoted by juxtaposition) such that for
all a, b ∈ F and v, w ∈ V, the following axioms are satisfied.

(i)  a(v  +w)  = av  + aw. 

(ii)  (a  + b)v  = av  + bv. 

(iii)  (ab)v  = a(bv). 

(iv) 1v = v.

The  elements  of  V are  called  vectors,  while  the  elements  of  F are  called  scalars.  The  group 
operation  + is  called  vector  addition,  while  the  multiplication  operation  is  called  scalar 
multiplication. 
2.200 Definition Let V be a vector space over a field F. A subspace of V is an additive subgroup
U of V which is closed under scalar multiplication, i.e., av ∈ U for all a ∈ F and v ∈ U.

2.201  Fact  A subspace  of  a vector  space  is  also  a vector  space. 


2.202 Definition Let S = {v_1, v_2, ..., v_n} be a finite subset of a vector space V over a field F.

(i) A linear combination of S is an expression of the form a_1 v_1 + a_2 v_2 + ··· + a_n v_n,
where each a_i ∈ F.

(ii) The span of S, denoted ⟨S⟩, is the set of all linear combinations of S. The span of S
is a subspace of V.

(iii) If U is a subspace of V, then S is said to span U if ⟨S⟩ = U.

(iv) The set S is linearly dependent over F if there exist scalars a_1, a_2, ..., a_n, not all
zero, such that a_1 v_1 + a_2 v_2 + ··· + a_n v_n = 0. If no such scalars exist, then S is
linearly independent over F.

(v)  A linearly  independent  set  of  vectors  that  spans  V is  called  a basis  for  V. 


2.203  Fact  Let  V be  a vector  space. 

(i)  If  V has  a finite  spanning  set,  then  it  has  a basis. 

(ii)  If  V has  a basis,  then  in  fact  all  bases  have  the  same  number  of  elements. 


2.204  Definition  If  a vector  space  V has  a basis,  then  the  number  of  elements  in  a basis  is  called 
the  dimension  of  V,  denoted  dim  V. 

2.205 Example If F is any field, then the n-fold Cartesian product V = F × F × ··· × F is a
vector space over F of dimension n. The standard basis for V is {e_1, e_2, ..., e_n}, where
e_i is a vector with a 1 in the ith coordinate and 0's elsewhere. □


2.206 Definition Let E be an extension field of F. Then E can be viewed as a vector space
over the subfield F, where vector addition and scalar multiplication are simply the field
operations of addition and multiplication in E. The dimension of this vector space is called
the degree of E over F, and denoted by [E : F]. If this degree is finite, then E is called a
finite extension of F.


2.207 Fact Let F, E, and L be fields. If L is a finite extension of E and E is a finite extension
of F, then L is also a finite extension of F and

[L : F] = [L : E][E : F].


2.6  Finite  fields 


2.6.1  Basic  properties 

2.208 Definition A finite field is a field F which contains a finite number of elements. The order
of F is the number of elements in F.

2.209 Fact (existence and uniqueness of finite fields)

(i) If F is a finite field, then F contains p^m elements for some prime p and integer m ≥ 1.

(ii) For every prime power order p^m, there is a unique (up to isomorphism) finite field of
order p^m. This field is denoted by F_{p^m}, or sometimes by GF(p^m).

Informally speaking, two fields are isomorphic if they are structurally the same, al-
though the representation of their field elements may be different. Note that if p is a prime
then Z_p is a field, and hence every field of order p is isomorphic to Z_p. Unless otherwise
stated, the finite field F_p will henceforth be identified with Z_p.

2.210 Fact If F_q is a finite field of order q = p^m, p a prime, then the characteristic of F_q is p.
Moreover, F_q contains a copy of Z_p as a subfield. Hence F_q can be viewed as an extension
field of Z_p of degree m.

2.211 Fact (subfields of a finite field) Let F_q be a finite field of order q = p^m. Then every subfield
of F_q has order p^n, for some n that is a positive divisor of m. Conversely, if n is a positive
divisor of m, then there is exactly one subfield of F_q of order p^n; an element a ∈ F_q is in
the subfield F_{p^n} if and only if a^{p^n} = a.

2.212 Definition The non-zero elements of F_q form a group under multiplication called the mul-
tiplicative group of F_q, denoted by F_q^*.

2.213 Fact F_q^* is a cyclic group of order q - 1. Hence a^q = a for all a ∈ F_q.

2.214 Definition A generator of the cyclic group F_q^* is called a primitive element or generator
of F_q.

2.215 Fact If a, b ∈ F_q, a finite field of characteristic p, then

(a + b)^{p^t} = a^{p^t} + b^{p^t} for all t ≥ 0.


2.6.2  The  Euclidean  algorithm  for  polynomials 

Let Z_p be the finite field of order p. The theory of greatest common divisors and the Eu-
clidean algorithm for integers carries over in a straightforward manner to the polynomial
ring Z_p[x] (and more generally to the polynomial ring F[x], where F is any field).

2.216 Definition Let g(x), h(x) ∈ Z_p[x], where not both are 0. Then the greatest common divi-
sor of g(x) and h(x), denoted gcd(g(x), h(x)), is the monic polynomial of greatest degree
in Z_p[x] which divides both g(x) and h(x). By definition, gcd(0, 0) = 0.

2.217 Fact Z_p[x] is a unique factorization domain. That is, every non-zero polynomial f(x) ∈
Z_p[x] has a factorization

f(x) = a f_1(x)^{e_1} f_2(x)^{e_2} ··· f_k(x)^{e_k},

where the f_i(x) are distinct monic irreducible polynomials in Z_p[x], the e_i are positive in-
tegers, and a ∈ Z_p. Furthermore, the factorization is unique up to rearrangement of factors.

The  following  is  the  polynomial  version  of  the  Euclidean  algorithm  (cf.  Algorithm  2.104). 
2.218 Algorithm Euclidean algorithm for Z_p[x]

INPUT: two polynomials g(x), h(x) ∈ Z_p[x].

OUTPUT: the greatest common divisor of g(x) and h(x).

1. While h(x) ≠ 0 do the following:

1.1 Set r(x) ← g(x) mod h(x), g(x) ← h(x), h(x) ← r(x).

2. Return(g(x)).


2.219 Definition A Z_p-operation means either an addition, subtraction, multiplication, inver-
sion, or division in Z_p.

2.220 Fact Suppose that deg g(x) ≤ m and deg h(x) ≤ m. Then Algorithm 2.218 has a running
time of O(m^2) Z_p-operations, or equivalently, O(m^2 (lg p)^2) bit operations.

As with the case of the integers (cf. Algorithm 2.107), the Euclidean algorithm can be
extended so that it also yields two polynomials s(x) and t(x) satisfying

s(x)g(x) + t(x)h(x) = gcd(g(x), h(x)).


2.221 Algorithm Extended Euclidean algorithm for Z_p[x]

INPUT: two polynomials g(x), h(x) ∈ Z_p[x].

OUTPUT: d(x) = gcd(g(x), h(x)) and polynomials s(x), t(x) ∈ Z_p[x] which satisfy
s(x)g(x) + t(x)h(x) = d(x).

1. If h(x) = 0 then set d(x) ← g(x), s(x) ← 1, t(x) ← 0, and return(d(x), s(x), t(x)).

2. Set s_2(x) ← 1, s_1(x) ← 0, t_2(x) ← 0, t_1(x) ← 1.

3. While h(x) ≠ 0 do the following:

3.1 q(x) ← g(x) div h(x), r(x) ← g(x) - h(x)q(x).

3.2 s(x) ← s_2(x) - q(x)s_1(x), t(x) ← t_2(x) - q(x)t_1(x).

3.3 g(x) ← h(x), h(x) ← r(x).

3.4 s_2(x) ← s_1(x), s_1(x) ← s(x), t_2(x) ← t_1(x), and t_1(x) ← t(x).

4. Set d(x) ← g(x), s(x) ← s_2(x), t(x) ← t_2(x).

5. Return(d(x), s(x), t(x)).


2.222 Fact (running time of Algorithm 2.221)

(i) The polynomials s(x) and t(x) given by Algorithm 2.221 have small degree; that is,
they satisfy deg s(x) ≤ deg h(x) and deg t(x) ≤ deg g(x).

(ii) Suppose that deg g(x) ≤ m and deg h(x) ≤ m. Then Algorithm 2.221 has a running
time of O(m^2) Z_p-operations, or equivalently, O(m^2 (lg p)^2) bit operations.

2.223 Example (extended Euclidean algorithm for polynomials) The following are the steps of
Algorithm 2.221 with inputs g(x) = x^10 + x^9 + x^8 + x^6 + x^5 + x^4 + 1 and h(x) =
x^9 + x^6 + x^5 + x^3 + x^2 + 1 in Z_2[x].

Initialization

s_2(x) ← 1, s_1(x) ← 0, t_2(x) ← 0, t_1(x) ← 1.

Iteration 1

q(x) ← x + 1, r(x) ← x^8 + x^7 + x^6 + x^2 + x,
s(x) ← 1, t(x) ← x + 1,
g(x) ← x^9 + x^6 + x^5 + x^3 + x^2 + 1, h(x) ← x^8 + x^7 + x^6 + x^2 + x,
s_2(x) ← 0, s_1(x) ← 1, t_2(x) ← 1, t_1(x) ← x + 1.

Iteration 2

q(x) ← x + 1, r(x) ← x^5 + x^2 + x + 1,
s(x) ← x + 1, t(x) ← x^2,
g(x) ← x^8 + x^7 + x^6 + x^2 + x, h(x) ← x^5 + x^2 + x + 1,
s_2(x) ← 1, s_1(x) ← x + 1, t_2(x) ← x + 1, t_1(x) ← x^2.

Iteration 3

q(x) ← x^3 + x^2 + x + 1, r(x) ← x^3 + x + 1,
s(x) ← x^4, t(x) ← x^5 + x^4 + x^3 + x^2 + x + 1,
g(x) ← x^5 + x^2 + x + 1, h(x) ← x^3 + x + 1,
s_2(x) ← x + 1, s_1(x) ← x^4, t_2(x) ← x^2, t_1(x) ← x^5 + x^4 + x^3 + x^2 + x + 1.

Iteration 4

q(x) ← x^2 + 1, r(x) ← 0,
s(x) ← x^6 + x^4 + x + 1, t(x) ← x^7 + x^6 + x^2 + x + 1,
g(x) ← x^3 + x + 1, h(x) ← 0,
s_2(x) ← x^4, s_1(x) ← x^6 + x^4 + x + 1,
t_2(x) ← x^5 + x^4 + x^3 + x^2 + x + 1, t_1(x) ← x^7 + x^6 + x^2 + x + 1.

Hence gcd(g(x), h(x)) = x^3 + x + 1 and

(x^4)g(x) + (x^5 + x^4 + x^3 + x^2 + x + 1)h(x) = x^3 + x + 1. □


2.6.3  Arithmetic  of  polynomials 

A commonly used representation for the elements of a finite field F_q, where q = p^m and p
is a prime, is a polynomial basis representation. If m = 1, then F_q is just Z_p and arithmetic
is performed modulo p. Since these operations have already been studied in Section 2.4.2,
it is henceforth assumed that m ≥ 2. The representation is based on Fact 2.198.

2.224 Fact Let f(x) ∈ Z_p[x] be an irreducible polynomial of degree m. Then Z_p[x]/(f(x)) is
a finite field of order p^m. Addition and multiplication of polynomials is performed modulo
f(x).

The following fact assures that all finite fields can be represented in this manner.

2.225 Fact For each m ≥ 1, there exists a monic irreducible polynomial of degree m over Z_p.
Hence, every finite field has a polynomial basis representation.

An efficient algorithm for finding irreducible polynomials over finite fields is presented
in §4.5.1. Tables 4.6 and 4.7 list some irreducible polynomials over the finite field Z_2.

Henceforth, the elements of the finite field F_{p^m} will be represented by polynomials in
Z_p[x] of degree < m. If g(x), h(x) ∈ F_{p^m}, then addition is the usual addition of polyno-
mials in Z_p[x]. The product g(x)h(x) can be formed by first multiplying g(x) and h(x) as
polynomials by the ordinary method, and then taking the remainder after polynomial divi-
sion by f(x). Multiplicative inverses in F_{p^m} can be computed by using the extended Eu-
clidean algorithm for the polynomial ring Z_p[x].
2.226 Algorithm Computing multiplicative inverses in F_{p^m}

INPUT: a non-zero polynomial g(x) ∈ F_{p^m}. (The elements of the field F_{p^m} are represented
as Z_p[x]/(f(x)), where f(x) ∈ Z_p[x] is an irreducible polynomial of degree m over Z_p.)
OUTPUT: g(x)^{-1} ∈ F_{p^m}.

1. Use the extended Euclidean algorithm for polynomials (Algorithm 2.221) to find two
polynomials s(x) and t(x) ∈ Z_p[x] such that s(x)g(x) + t(x)f(x) = 1.

2. Return(s(x)).
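As an added illustration (not the Handbook's own code), the following Python implements the division algorithm of Definition 2.191, the Euclidean and extended Euclidean algorithms for Z_2[x] (Algorithms 2.218 and 2.221), and the inversion step of Algorithm 2.226. A polynomial over Z_2 is packed into an int with bit i holding the coefficient of x^i, so addition and subtraction are both XOR; the helper names (poly_divmod, poly_mul, poly_gcd, poly_ext_gcd, field_inverse, from_terms) and the optional trace parameter are this example's own. Run on the inputs of Examples 2.192 and 2.223 it reproduces those worked results, and the trace records (q, r, s, t) per iteration in the order the example lists them.

```python
# Added example (not the Handbook's code): Algorithms 2.218 / 2.221 / 2.226 over
# Z_2[x]. A polynomial is packed into a Python int, bit i = coefficient of x^i.
# Addition and subtraction are both XOR, since coefficients live in Z_2.


def deg(a):
    """Degree of a packed polynomial; -1 stands in for deg 0 = -infinity."""
    return a.bit_length() - 1


def poly_divmod(g, h):
    """Division algorithm (Definition 2.191): (q, r) with g = q*h + r and deg r < deg h."""
    if h == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r = 0, g
    dh = deg(h)
    while r and deg(r) >= dh:
        shift = deg(r) - dh          # leading term of r divided by leading term of h
        q ^= 1 << shift
        r ^= h << shift              # subtract (= add, in Z_2) the aligned multiple of h
    return q, r


def poly_mul(a, b):
    """Ordinary polynomial product in Z_2[x] (carry-less multiplication)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def poly_gcd(g, h):
    """Algorithm 2.218. Over Z_2 every non-zero polynomial is monic, so no scaling is needed."""
    while h:
        g, h = h, poly_divmod(g, h)[1]
    return g


def poly_ext_gcd(g, h, trace=None):
    """Algorithm 2.221: return (d, s, t) with s*g + t*h = d = gcd(g, h).
    If trace is a list, one (q, r, s, t) tuple is appended per loop iteration."""
    if h == 0:                       # step 1
        return g, 1, 0
    s2, s1, t2, t1 = 1, 0, 0, 1      # step 2
    while h:                         # step 3
        q, r = poly_divmod(g, h)     # 3.1
        s = s2 ^ poly_mul(q, s1)     # 3.2: s2 - q*s1
        t = t2 ^ poly_mul(q, t1)     #      t2 - q*t1
        if trace is not None:
            trace.append((q, r, s, t))
        g, h = h, r                  # 3.3
        s2, s1, t2, t1 = s1, s, t1, t  # 3.4
    return g, s2, t2                 # step 4


def field_inverse(g, f):
    """Algorithm 2.226: inverse of g in Z_2[x]/(f(x)) for irreducible f, via poly_ext_gcd."""
    d, s, _ = poly_ext_gcd(g, f)
    if d != 1:
        raise ValueError("g and f are not coprime: is f irreducible and g non-zero?")
    return poly_divmod(s, f)[1]      # reduce s so the result has degree < deg f


def from_terms(*exponents):
    """Readable constructor: from_terms(3, 1, 0) is x^3 + x + 1."""
    p = 0
    for e in exponents:
        p ^= 1 << e
    return p


if __name__ == "__main__":
    g = from_terms(10, 9, 8, 6, 5, 4, 0)   # g(x) of Example 2.223
    h = from_terms(9, 6, 5, 3, 2, 0)       # h(x) of Example 2.223
    steps = []
    d, s, t = poly_ext_gcd(g, h, steps)
    for i, (q, r, si, ti) in enumerate(steps, 1):
        print(f"iteration {i}: q={q:b} r={r:b} s={si:b} t={ti:b}")
    print(f"gcd={d:b} s={s:b} t={t:b}")
```

The inverse returned by field_inverse is reduced modulo f(x) before being returned; Fact 2.222(i) already guarantees deg s(x) ≤ deg f(x), and the extra reduction only matters in the degenerate case deg s(x) = deg f(x), which cannot occur once deg g(x) < deg f(x).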


Exponentiation  in  Fpm  can  be  done  efficiently  by  the  repeated  square-and-multiply  al- 
gorithm (cf.  Algorithm  2.143). 


2.227 Algorithm Repeated square-and-multiply algorithm for exponentiation in F_{p^m}

INPUT: g(x) ∈ F_{p^m} and an integer 0 ≤ k < p^m - 1 whose binary representation is
k = Σ_{i=0}^{t} k_i 2^i. (The field F_{p^m} is represented as Z_p[x]/(f(x)), where f(x) ∈ Z_p[x] is an
irreducible polynomial of degree m over Z_p.)

OUTPUT: g(x)^k mod f(x).

1. Set s(x) ← 1. If k = 0 then return(s(x)).

2. Set G(x) ← g(x).

3. If k_0 = 1 then set s(x) ← g(x).

4. For i from 1 to t do the following:

4.1 Set G(x) ← G(x)^2 mod f(x).

4.2 If k_i = 1 then set s(x) ← G(x) · s(x) mod f(x).

5. Return(s(x)).


The number of Z_p-operations for the basic operations in F_{p^m} is summarized in Ta-
ble 2.8.


Operation                                Number of Z_p-operations
Addition          g(x) + h(x)            O(m)
Subtraction       g(x) - h(x)            O(m)
Multiplication    g(x) · h(x)            O(m^2)
Inversion         g(x)^{-1}              O(m^2)
Exponentiation    g(x)^k, k < p^m        O((lg p) m^3)

Table 2.8: Complexity of basic operations in F_{p^m}.

In  some  applications  (cf.  §4.5.3),  it  may  be  preferable  to  use  a primitive  polynomial  to  define 
a finite  field. 

2.228 Definition An irreducible polynomial f(x) ∈ Z_p[x] of degree m is called a primitive
polynomial if x is a generator of F*_{p^m}, the multiplicative group of all the non-zero elements
in F_{p^m} = Z_p[x]/(f(x)).

2.229 Fact The irreducible polynomial f(x) ∈ Z_p[x] of degree m is a primitive polynomial if
and only if f(x) divides x^k - 1 for k = p^m - 1 and for no smaller positive integer k.

2.230 Fact For each m ≥ 1, there exists a monic primitive polynomial of degree m over Z_p. In
fact, there are precisely φ(p^m - 1)/m such polynomials.

2.231 Example (the finite field F_{2^4} of order 16) It can be verified (Algorithm 4.69) that the poly-
nomial f(x) = x^4 + x + 1 is irreducible over Z_2. Hence the finite field F_{2^4} can be repre-
sented as the set of all polynomials over F_2 of degree less than 4. That is,

F_{2^4} = {a_3 x^3 + a_2 x^2 + a_1 x + a_0 | a_i ∈ {0, 1}}.

For convenience, the polynomial a_3 x^3 + a_2 x^2 + a_1 x + a_0 is represented by the vector
(a_3 a_2 a_1 a_0) of length 4, and

F_{2^4} = {(a_3 a_2 a_1 a_0) | a_i ∈ {0, 1}}.

The following are some examples of field arithmetic.

(i) Field elements are simply added componentwise: for example, (1011) + (1001) =
(0010).

(ii) To multiply the field elements (1101) and (1001), multiply them as polynomials and
then take the remainder when this product is divided by f(x):

(x^3 + x^2 + 1) · (x^3 + 1) = x^6 + x^5 + x^2 + 1
                           ≡ x^3 + x^2 + x + 1 (mod f(x)).

Hence (1101) · (1001) = (1111).

(iii) The multiplicative identity of F_{2^4} is (0001).

(iv) The inverse of (1011) is (0101). To verify this, observe that

(x^3 + x + 1) · (x^2 + 1) = x^5 + x^2 + x + 1
                          ≡ 1 (mod f(x)),

whence (1011) · (0101) = (0001).

f(x) is a primitive polynomial, or, equivalently, the field element x = (0010) is a genera-
tor of F*_{2^4}. This may be checked by verifying that all the non-zero elements in F_{2^4} can be
obtained as powers of x. The computations are summarized in Table 2.9. □
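The arithmetic of Example 2.231 and Table 2.9, as an added Python example that is not part of the Handbook: elements of F_{2^4} are 4-bit integers in the (a_3 a_2 a_1 a_0) notation, multiplication reduces by x^4 = x + 1 during the shift-and-add loop rather than by a separate polynomial division afterwards (same result, fewer steps), exponentiation follows Algorithm 2.227, and the inverse uses Fact 2.213 (g^{q-2} = g^{-1}) instead of the extended Euclidean algorithm of Algorithm 2.226. The function names and the on-the-fly reduction are this example's own choices.

```python
# Added example (not the Handbook's code): arithmetic in F_{2^4} = Z_2[x]/(f(x))
# with f(x) = x^4 + x + 1, elements packed as 4-bit ints, (a3 a2 a1 a0) = bits 3..0.
# gf_mul reduces modulo f(x) as it goes, using x^4 = x + 1, instead of forming the
# full product and dividing afterwards; the end result is the same.

M = 4                 # extension degree m
F_POLY = 0b10011      # f(x) = x^4 + x + 1 (Example 2.231; irreducible over Z_2)
ORDER = 1 << M        # q = 2^4 = 16 field elements


def gf_add(a, b):
    """Addition in characteristic 2 is componentwise XOR; subtraction is the same map."""
    return a ^ b


def gf_mul(a, b):
    """Product of a and b modulo f(x): shift-and-add with on-the-fly reduction."""
    result = 0
    while b:
        if b & 1:
            result ^= a               # add the current multiple a * x^i
        b >>= 1
        a <<= 1                       # a <- a * x
        if a & (1 << M):              # x^m appeared: replace it by f(x) - x^m
            a ^= F_POLY
    return result


def gf_pow(g, k):
    """Algorithm 2.227: repeated square-and-multiply, scanning k from its low bit."""
    s = 1
    if k == 0:                        # step 1
        return s
    G = g                             # step 2
    if k & 1:                         # step 3 (k_0)
        s = g
    k >>= 1
    while k:                          # step 4, i = 1 .. t
        G = gf_mul(G, G)              # 4.1
        if k & 1:
            s = gf_mul(G, s)          # 4.2
        k >>= 1
    return s


def gf_inv(g):
    """Inverse via Fact 2.213: g^(q-1) = 1, so g^(q-2) is g^-1 for non-zero g."""
    if g == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    return gf_pow(g, ORDER - 2)


def powers_of_x():
    """Table 2.9: x^i mod f(x) for i = 0 .. q-2, as packed 4-bit vectors."""
    return [gf_pow(0b0010, i) for i in range(ORDER - 1)]


def is_primitive_element(g):
    """g generates F_q^* iff its first q-1 powers are pairwise distinct (Definition 2.228 for g = x)."""
    return len(set(gf_pow(g, i) for i in range(ORDER - 1))) == ORDER - 1


def vec(a):
    """Render an element in the (a3 a2 a1 a0) notation of Example 2.231."""
    return "(" + format(a, "04b") + ")"


if __name__ == "__main__":
    print("(1101) * (1001) =", vec(gf_mul(0b1101, 0b1001)))
    print("inverse of (1011) =", vec(gf_inv(0b1011)))
    for i, p in enumerate(powers_of_x()):
        print(f"x^{i:<2} = {vec(p)}")
```

is_primitive_element(0b0010) returning True is exactly the check the example describes: the fifteen powers x^0, ..., x^14 are pairwise distinct, so they exhaust F*_{2^4}, which is what Table 2.9 enumerates row by row.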

A list  of  some  primitive  polynomials  over  finite  fields  of  characteristic  two  is  given  in 
Table  4.8. 


2.7  Notes  and  further  references 

§2.1 

A classic introduction to probability theory is the first volume of the book by Feller [392].
The material on the birthday problem (§2.1.5) is summarized from Nishimura and Sibuya
[931]. See also Girault, Cohen, and Campana [460]. The material on random mappings
(§2.1.6) is summarized from the excellent article by Flajolet and Odlyzko [413].

§2.2 

The concept of entropy was introduced in the seminal paper of Shannon [1120]. These ideas
were then applied to develop a mathematical theory of secrecy systems by Shannon [1121].
Hellman [548] extended the Shannon theory approach to cryptography, and this work was
further generalized by Beauchemin and Brassard [80]. For an introduction to information
theory see the books by Welsh [1235] and Goldie and Pinch [464]. For more complete treat-
ments, consult Blahut [144] and McEliece [829].
 i    x^i mod x^4 + x + 1      vector notation
 0    1                        (0001)
 1    x                        (0010)
 2    x^2                      (0100)
 3    x^3                      (1000)
 4    x + 1                    (0011)
 5    x^2 + x                  (0110)
 6    x^3 + x^2                (1100)
 7    x^3 + x + 1              (1011)
 8    x^2 + 1                  (0101)
 9    x^3 + x                  (1010)
10    x^2 + x + 1              (0111)
11    x^3 + x^2 + x            (1110)
12    x^3 + x^2 + x + 1        (1111)
13    x^3 + x^2 + 1            (1101)
14    x^3 + 1                  (1001)

Table 2.9: The powers of x modulo f(x) = x^4 + x + 1.


§2.3 

Among  the  many  introductory-level  books  on  algorithms  are  those  of  Cormen,  Leiserson, 
and  Rivest  [282],  Rawlins  [1030],  and  Sedgewick  [1105].  A recent  book  on  complexity 
theory  is  Papadimitriou  [963].  Example  2.58  is  from  Graham,  Knuth,  and  Patashnik  [520, 
p.441].  For  an  extensive  list  of  NP-complete  problems,  see  Garey  and  Johnson  [441]. 

§2.4 

Two introductory-level books in number theory are Giblin [449] and Rosen [1069]. Good
number theory books at a more advanced level include Koblitz [697], Hardy and Wright
[540], Ireland and Rosen [572], and Niven and Zuckerman [932]. The most comprehensive
works on the design and analysis of algorithms, including number theoretic algorithms, are
the first two volumes of Knuth [691, 692]. Two more recent books exclusively devoted to
this subject are Bach and Shallit [70] and Cohen [263]. Facts 2.96 and 2.102 are due to
Rosser and Schoenfeld [1070]. Shallit [1108] describes and analyzes three algorithms for
computing the Jacobi symbol.

§2.5 

Among  standard  references  in  abstract  algebra  are  the  books  by  Herstein  [556]  and  Hunger- 
ford  [565]. 

§2.6 

An excellent introduction to finite fields is provided in McEliece [830]. An encyclopedic
treatment of the theory and applications of finite fields is given by Lidl and Niederreiter
[764]. Two books which discuss various methods of representing the elements of a finite
field are those of Jungnickel [646] and Menezes et al. [841].
3.1 Introduction and overview

The security of many public-key cryptosystems relies on the apparent intractability of the
computational problems studied in this chapter. In a cryptographic setting, it is prudent to
make the assumption that the adversary is very powerful. Thus, informally speaking, a com-
putational problem is said to be easy or tractable if it can be solved in (expected)^1 polyno-
mial time, at least for a non-negligible fraction of all possible inputs. In other words, if there
is an algorithm which can solve a non-negligible fraction of all instances of a problem in
polynomial time, then any cryptosystem whose security is based on that problem must be
considered insecure.

The computational problems studied in this chapter are summarized in Table 3.1. The
true computational complexities of these problems are not known. That is to say, they are
widely believed to be intractable,^2 although no proof of this is known. Generally, the only
lower bounds known on the resources required to solve these problems are the trivial linear
bounds, which do not provide any evidence of their intractability. It is, therefore, of inter-
est to study their relative difficulties. For this reason, various techniques of reducing one

^1 For simplicity, the remainder of the chapter shall generally not distinguish between deterministic polynomial-
time algorithms and randomized algorithms (see §2.3.4) whose expected running time is polynomial.

^2 More precisely, these problems are intractable if the problem parameters are carefully chosen.
Problem        Description

FACTORING      Integer factorization problem: given a positive integer n, find
               its prime factorization; that is, write n = p_1^{e_1} p_2^{e_2} ··· p_k^{e_k} where
               the p_i are pairwise distinct primes and each e_i ≥ 1.

RSAP           RSA problem (also known as RSA inversion): given a positive
               integer n that is a product of two distinct odd primes p and q, a
               positive integer e such that gcd(e, (p - 1)(q - 1)) = 1, and an
               integer c, find an integer m such that m^e ≡ c (mod n).

QRP            Quadratic residuosity problem: given an odd composite inte-
               ger n and an integer a having Jacobi symbol (a/n) = 1, decide
               whether or not a is a quadratic residue modulo n.

SQROOT         Square roots modulo n: given a composite integer n and a ∈ Q_n
               (the set of quadratic residues modulo n), find a square root of a
               modulo n; that is, an integer x such that x^2 ≡ a (mod n).

DLP            Discrete logarithm problem: given a prime p, a generator α of
               Z*_p, and an element β ∈ Z*_p, find the integer x, 0 ≤ x ≤ p - 2,
               such that α^x ≡ β (mod p).

GDLP           Generalized discrete logarithm problem: given a finite cyclic
               group G of order n, a generator α of G, and an element β ∈ G,
               find the integer x, 0 ≤ x ≤ n - 1, such that α^x = β.

DHP            Diffie-Hellman problem: given a prime p, a generator α of Z*_p,
               and elements α^a mod p and α^b mod p, find α^{ab} mod p.

GDHP           Generalized Diffie-Hellman problem: given a finite cyclic group
               G, a generator α of G, and group elements α^a and α^b, find α^{ab}.

SUBSET-SUM     Subset sum problem: given a set of positive integers
               {a_1, a_2, ..., a_n} and a positive integer s, determine whether or
               not there is a subset of the a_j that sums to s.

Table 3.1: Some computational problems of cryptographic relevance.


computational  problem  to  another  have  been  devised  and  studied  in  the  literature.  These  re- 
ductions provide  a means  for  converting  any  algorithm  that  solves  the  second  problem  into 
an  algorithm  for  solving  the  first  problem.  The  following  intuitive  notion  of  reducibility 
(cf.  §2.3.3)  is  used  in  this  chapter. 

3.1 Definition Let A and B be two computational problems. A is said to polytime reduce to
B, written A ≤_P B, if there is an algorithm that solves A which uses, as a subroutine, a
hypothetical algorithm for solving B, and which runs in polynomial time if the algorithm
for B does.^3

Informally speaking, if A polytime reduces to B, then B is at least as difficult as A;
equivalently, A is no harder than B. Consequently, if A is a well-studied computational
problem that is widely believed to be intractable, then proving that A ≤_P B provides strong
evidence of the intractability of problem B.

3.2 Definition Let A and B be two computational problems. If A ≤_P B and B ≤_P A, then
A and B are said to be computationally equivalent, written A ≡_P B.

^3 In the literature, the hypothetical polynomial-time subroutine for B is sometimes called an oracle for B.

Informally speaking, if A ≡_P B then A and B are either both tractable or both in-
tractable, as the case may be.


Chapter  outline 

The remainder of the chapter is organized as follows. Algorithms for the integer factoriza-
tion problem are studied in §3.2. Two problems related to factoring, the RSA problem and
the quadratic residuosity problem, are briefly considered in §3.3 and §3.4. Efficient algo-
rithms for computing square roots in Z_p, p a prime, are presented in §3.5, and the equiva-
lence of the problems of finding square roots modulo a composite integer n and factoring
n is established. Algorithms for the discrete logarithm problem are studied in §3.6, and
the related Diffie-Hellman problem is briefly considered in §3.7. The relation between the
problems of factoring a composite integer n and computing discrete logarithms in (cyclic
subgroups of) the group Z*_n is investigated in §3.8. The tasks of finding partial solutions
to the discrete logarithm problem, the RSA problem, and the problem of computing square
roots modulo a composite integer n are the topics of §3.9. The L^3-lattice basis reduction
algorithm is presented in §3.10, along with algorithms for the subset sum problem and for
simultaneous diophantine approximation. Berlekamp's Q-matrix algorithm for factoring
polynomials is presented in §3.11. Finally, §3.12 provides references and further chapter
notes.


3.2  The  integer  factorization  problem 

The security of many cryptographic techniques depends upon the intractability of the integer factorization problem. A partial list of such protocols includes the RSA public-key encryption scheme (§8.2), the RSA signature scheme (§11.3.1), and the Rabin public-key encryption scheme (§8.3). This section summarizes the current knowledge on algorithms for the integer factorization problem.

3.3 Definition The integer factorization problem (FACTORING) is the following: given a positive integer n, find its prime factorization; that is, write $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$ where the $p_i$ are pairwise distinct primes and each $e_i \ge 1$.

3.4 Remark (primality testing vs. factoring) The problem of deciding whether an integer is composite or prime seems to be, in general, much easier than the factoring problem. Hence, before attempting to factor an integer, the integer should be tested to make sure that it is indeed composite. Primality tests are a main topic of Chapter 4.

3.5 Remark (splitting vs. factoring) A non-trivial factorization of n is a factorization of the form $n = ab$ where $1 < a < n$ and $1 < b < n$; a and b are said to be non-trivial factors of n. Here a and b are not necessarily prime. To solve the integer factorization problem, it suffices to study algorithms that split n, that is, find a non-trivial factorization $n = ab$. Once found, the factors a and b can be tested for primality. The algorithm for splitting integers can then be recursively applied to a and/or b, if either is found to be composite. In this manner, the prime factorization of n can be obtained.

3.6 Note (testing for perfect powers) If $n \ge 2$, it can be efficiently checked as follows whether or not n is a perfect power, i.e., $n = x^k$ for some integers $x \ge 2$, $k \ge 2$. For each prime $p \le \lg n$, an integer approximation x of $n^{1/p}$ is computed. This can be done by performing a binary search for x satisfying $n = x^p$ in the interval $[2, 2^{\lfloor \lg n / p \rfloor + 1}]$. The entire procedure takes $O((\lg^3 n) \lg\lg\lg n)$ bit operations. For the remainder of this section, it will always be assumed that n is not a perfect power. It follows that if n is composite, then n has at least two distinct prime factors.
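The perfect-power check of Note 3.6 written out as an added example (this is not the Handbook's code): each prime exponent p up to lg n is tried, and a binary search over the interval the note gives locates the candidate root; the function names are mine.

```python
"""Perfect-power test of Note 3.6 (added example, not the Handbook's code)."""


def primes_up_to(bound):
    """Primes <= bound by trial division; bound is at most lg n here, so tiny."""
    return [q for q in range(2, bound + 1)
            if all(q % r for r in range(2, int(q ** 0.5) + 1))]


def integer_root(n, p):
    """Largest x >= 2 with x**p <= n, by binary search on the interval
    [2, 2**(floor(lg n / p) + 1)] of Note 3.6.  The upper end exceeds the
    p-th root of n, so an integer root >= 2, if one exists, lies inside."""
    lg_n = n.bit_length() - 1                # floor(lg n)
    lo, hi = 2, 1 << (lg_n // p + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** p <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def perfect_power(n):
    """Return (x, k) with n == x**k, x >= 2, k >= 2, or None if n is not a
    perfect power.  Only prime exponents p <= lg n need trying, because
    x**(ab) == (x**a)**b; the base found is reduced recursively so that the
    smallest base is reported (16 -> (2, 4) rather than (4, 2))."""
    if n < 4:
        return None
    for p in primes_up_to(n.bit_length() - 1):
        x = integer_root(n, p)
        if x ** p == n:
            inner = perfect_power(x)
            return (inner[0], inner[1] * p) if inner else (x, p)
    return None
```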

Some factoring algorithms are tailored to perform better when the integer n being factored is of a special form; these are called special-purpose factoring algorithms. The running times of such algorithms typically depend on certain properties of the factors of n. Examples of special-purpose factoring algorithms include trial division (§3.2.1), Pollard's rho algorithm (§3.2.2), Pollard's $p-1$ algorithm (§3.2.3), the elliptic curve algorithm (§3.2.4), and the special number field sieve (§3.2.7). In contrast, the running times of the so-called general-purpose factoring algorithms depend solely on the size of n. Examples of general-purpose factoring algorithms include the quadratic sieve (§3.2.6) and the general number field sieve (§3.2.7).

Whenever applicable, special-purpose algorithms should be employed as they will generally be more efficient. A reasonable overall strategy is to attempt to find small factors first, capitalize on any particular special forms an integer may have, and then, if all else fails, bring out the general-purpose algorithms. As an example of a general strategy, one might consider the following.

1. Apply trial division by small primes less than some bound $b_1$.

2. Next, apply Pollard's rho algorithm, hoping to find any small prime factors smaller than some bound $b_2$, where $b_2 > b_1$.

3. Apply the elliptic curve factoring algorithm, hoping to find any small factors smaller than some bound $b_3$, where $b_3 > b_2$.

4. Finally, apply one of the more powerful general-purpose algorithms (quadratic sieve or general number field sieve).


3.2.1  Trial  division 

Once it is established that an integer n is composite, before expending vast amounts of time with more powerful techniques, the first thing that should be attempted is trial division by all "small" primes. Here, "small" is determined as a function of the size of n. As an extreme case, trial division can be attempted by all primes up to $\sqrt{n}$. If this is done, trial division will completely factor n but the procedure will take roughly $\sqrt{n}$ divisions in the worst case when n is a product of two primes of the same size. In general, if the factors found at each stage are tested for primality, then trial division to factor n completely takes $O(p + \lg n)$ divisions, where p is the second-largest prime factor of n.

Fact 3.7 indicates that if trial division is used to factor a randomly chosen large integer n, then the algorithm can be expected to find some small factors of n relatively quickly, and expend a large amount of time to find the second-largest prime factor of n.

3.7 Fact Let n be chosen uniformly at random from the interval $[1, x]$.

(i) If $\tfrac12 \le \alpha \le 1$, then the probability that the largest prime factor of n is $\le x^\alpha$ is approximately $1 + \ln \alpha$. Thus, for example, the probability that n has a prime factor $> \sqrt{x}$ is $\ln 2 \approx 0.69$.

(ii) The probability that the second-largest prime factor of n is $\le x^{0.2117}$ is about $\tfrac12$.

(iii) The expected total number of prime factors of n is $\ln\ln x + O(1)$. (If $n = \prod p_i^{e_i}$, the total number of prime factors of n is $\sum e_i$.)
3.2.2 Pollard's rho factoring algorithm

Pollard’s  rho  algorithm  is  a special-purpose  factoring  algorithm  for  finding  small  factors  of 
a composite  integer. 

Let $f : S \to S$ be a random function, where S is a finite set of cardinality n. Let $x_0$ be a random element of S, and consider the sequence $x_0, x_1, x_2, \ldots$ defined by $x_{i+1} = f(x_i)$ for $i \ge 0$. Since S is finite, the sequence must eventually cycle, and consists of a tail of expected length $\sqrt{\pi n/8}$ followed by an endlessly repeating cycle of expected length $\sqrt{\pi n/8}$ (see Fact 2.37). A problem that arises in some cryptanalytic tasks, including integer factorization (Algorithm 3.9) and the discrete logarithm problem (Algorithm 3.60), is of finding distinct indices i and j such that $x_i = x_j$ (a collision is then said to have occurred).

An obvious method for finding a collision is to compute and store $x_i$ for $i = 0, 1, 2, \ldots$ and look for duplicates. The expected number of inputs that must be tried before a duplicate is detected is $\sqrt{\pi n/2}$ (Fact 2.27). This method requires $O(\sqrt{n})$ memory and $O(\sqrt{n})$ time, assuming the $x_i$ are stored in a hash table so that new entries can be added in constant time.

3.8 Note (Floyd's cycle-finding algorithm) The large storage requirements in the above technique for finding a collision can be eliminated by using Floyd's cycle-finding algorithm. In this method, one starts with the pair $(x_1, x_2)$, and iteratively computes $(x_i, x_{2i})$ from the previous pair $(x_{i-1}, x_{2i-2})$, until $x_m = x_{2m}$ for some m. If the tail of the sequence has length $\lambda$ and the cycle has length $\mu$, then the first time that $x_m = x_{2m}$ is when $m = \mu(1 + \lfloor \lambda/\mu \rfloor)$. Note that $\lambda < m \le \lambda + \mu$, and consequently the expected running time of this method is $O(\sqrt{n})$.

Now, let p be a prime factor of a composite integer n. Pollard's rho algorithm for factoring n attempts to find duplicates in the sequence of integers $x_0, x_1, x_2, \ldots$ defined by $x_0 = 2$, $x_{i+1} = f(x_i) = x_i^2 + 1 \bmod p$ for $i \ge 0$. Floyd's cycle-finding algorithm is utilized to find $x_m$ and $x_{2m}$ such that $x_m \equiv x_{2m} \pmod p$. Since p divides n but is unknown, this is done by computing the terms $x_i$ modulo n and testing if $\gcd(x_m - x_{2m}, n) > 1$. If also $\gcd(x_m - x_{2m}, n) < n$, then a non-trivial factor of n is obtained. (The situation $\gcd(x_m - x_{2m}, n) = n$ occurs with negligible probability.)


3.9 Algorithm Pollard's rho algorithm for factoring integers

INPUT: a composite integer n that is not a prime power.

OUTPUT: a non-trivial factor d of n.

1. Set $a \leftarrow 2$, $b \leftarrow 2$.

2. For $i = 1, 2, \ldots$ do the following:

2.1 Compute $a \leftarrow a^2 + 1 \bmod n$, $b \leftarrow b^2 + 1 \bmod n$, $b \leftarrow b^2 + 1 \bmod n$.

2.2 Compute $d = \gcd(a - b, n)$.

2.3 If $1 < d < n$ then return(d) and terminate with success.

2.4 If $d = n$ then terminate the algorithm with failure (see Note 3.12).


3.10 Example (Pollard's rho algorithm for finding a non-trivial factor of n = 455459) The following table lists the values of variables a, b, and d at the end of each iteration of step 2 of Algorithm 3.9.

       a         b       d
       5        26       1
      26      2871       1
     677    179685       1
    2871    155260       1
   44380    416250       1
  179685     43670       1
  121634    164403       1
  155260    247944       1
   44567     68343     743

Hence two non-trivial factors of 455459 are 743 and 455459/743 = 613. □
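Algorithm 3.9 in runnable form, added here as an example (it is not the Handbook's code): the one-step/two-step update of step 2.1 is Floyd's cycle-finding of Note 3.8, the optional trace reproduces the (a, b, d) rows of Example 3.10, and the parameter c is my hook for the alternative polynomials $x^2 + c$ of Note 3.12.

```python
"""Pollard's rho, Algorithm 3.9 (added example, not the Handbook's code)."""
from math import gcd


def pollard_rho(n, c=1, trace=None):
    """Run Algorithm 3.9 on n with f(x) = x**2 + c mod n, starting from
    a = b = 2.  Returns a non-trivial factor d of n, or None when the
    algorithm terminates with failure (d == n, step 2.4).  If `trace` is a
    list, the tuple (a, b, d) is appended after every iteration of step 2."""
    def f(x):
        return (x * x + c) % n

    a = b = 2                            # step 1
    while True:                          # step 2
        a = f(a)                         # 2.1: a advances one step ...
        b = f(f(b))                      # ... and b two steps (Floyd, Note 3.8)
        d = gcd(a - b, n)                # 2.2 (math.gcd is non-negative)
        if trace is not None:
            trace.append((a, b, d))
        if 1 < d < n:                    # 2.3: success
            return d
        if d == n:                       # 2.4: failure
            return None


def pollard_rho_retry(n, cs=(1, 3, 5, 7, 11)):
    """Note 3.12: on failure, try again with another polynomial x**2 + c.
    (c = 0 and c = -2 are excluded by the note; the list here is my own.)"""
    for c in cs:
        d = pollard_rho(n, c)
        if d is not None:
            return d
    return None
```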

3.11 Fact Assuming that the function $f(x) = x^2 + 1 \bmod p$ behaves like a random function, the expected time for Pollard's rho algorithm to find a factor p of n is $O(\sqrt{p})$ modular multiplications. This implies that the expected time to find a non-trivial factor of n is $O(n^{1/4})$ modular multiplications.

3.12 Note (options upon termination with failure) If Pollard's rho algorithm terminates with failure, one option is to try again with a different polynomial f having integer coefficients instead of $f(x) = x^2 + 1$. For example, the polynomial $f(x) = x^2 + c$ may be used as long as $c \ne 0, -2$.


3.2.3 Pollard's $p-1$ factoring algorithm

Pollard's $p-1$ factoring algorithm is a special-purpose factoring algorithm that can be used to efficiently find any prime factors p of a composite integer n for which $p-1$ is smooth (see Definition 3.13) with respect to some relatively small bound B.

3.13 Definition Let B be a positive integer. An integer n is said to be B-smooth, or smooth with respect to a bound B, if all its prime factors are $\le B$.

The idea behind Pollard's $p-1$ algorithm is the following. Let B be a smoothness bound. Let Q be the least common multiple of all powers of primes $\le B$ that are $\le n$. If $q^l \le n$, then $l \ln q \le \ln n$, and so $l \le \lfloor \ln n / \ln q \rfloor$. Thus

$$Q = \prod_{q \le B} q^{\lfloor \ln n / \ln q \rfloor},$$

where the product is over all distinct primes $q \le B$. If p is a prime factor of n such that $p-1$ is B-smooth, then $p-1 \mid Q$, and consequently for any a satisfying $\gcd(a, p) = 1$, Fermat's theorem (Fact 2.127) implies that $a^Q \equiv 1 \pmod p$. Hence if $d = \gcd(a^Q - 1, n)$, then $p \mid d$. It is possible that $d = n$, in which case the algorithm fails; however, this is unlikely to occur if n has at least two large distinct prime factors.
3.14 Algorithm Pollard's $p-1$ algorithm for factoring integers

INPUT: a composite integer n that is not a prime power.

OUTPUT: a non-trivial factor d of n.

1. Select a smoothness bound B.

2. Select a random integer a, $2 \le a \le n-1$, and compute $d = \gcd(a, n)$. If $d \ge 2$ then return(d).

3. For each prime $q \le B$ do the following:

3.1 Compute $l = \lfloor \ln n / \ln q \rfloor$.

3.2 Compute $a \leftarrow a^{q^l} \bmod n$ (using Algorithm 2.143).

4. Compute $d = \gcd(a - 1, n)$.

5. If $d = 1$ or $d = n$, then terminate the algorithm with failure. Otherwise, return(d).


3.15 Example (Pollard's $p-1$ algorithm for finding a non-trivial factor of n = 19048567)

1. Select the smoothness bound B = 19.

2. Select the integer a = 3 and compute $\gcd(3, n) = 1$.

3. The following table lists the intermediate values of the variables q, l, and a after each iteration of step 3 in Algorithm 3.14:

   q    l           a
   2   24     2293244
   3   15    13555889
   5   10    16937223
   7    8    15214586
  11    6     9685355
  13    6    13271154
  17    5    11406961
  19    5      554506

4. Compute $d = \gcd(554506 - 1, n) = 5281$.

5. Two non-trivial factors of n are p = 5281 and q = n/p = 3607 (these factors are in fact prime).

Notice that $p - 1 = 5280 = 2^5 \times 3 \times 5 \times 11$, and $q - 1 = 3606 = 2 \times 3 \times 601$. That is, $p-1$ is 19-smooth, while $q-1$ is not 19-smooth. □
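Algorithm 3.14 as an added example (not the Handbook's code); with n = 19048567, B = 19 and a = 3 it reproduces the (q, l, a) rows of Example 3.15 and returns 5281. The exponent l of step 3.1 is found by repeated multiplication rather than with floating-point logarithms, so there is no roundoff at the boundary $q^l = n$.

```python
"""Pollard's p-1 method, Algorithm 3.14 (added example, not the Handbook's code)."""
from math import gcd


def primes_up_to(B):
    """Primes q <= B by trial division; adequate for the small B used here."""
    return [q for q in range(2, B + 1)
            if all(q % r for r in range(2, int(q ** 0.5) + 1))]


def pollard_p_minus_1(n, B, a, trace=None):
    """Algorithm 3.14 with smoothness bound B and base a.  Returns a
    non-trivial factor of n, or None when step 5 ends in failure (d == 1 or
    d == n; see Note 3.17 for what to try next).  If `trace` is a list,
    (q, l, a) is appended after each prime q of step 3, matching Example 3.15."""
    d = gcd(a, n)                         # step 2
    if d >= 2:
        return d
    for q in primes_up_to(B):             # step 3
        l, ql = 0, 1
        while ql * q <= n:                # 3.1: l = floor(ln n / ln q), exactly
            ql *= q
            l += 1
        a = pow(a, ql, n)                 # 3.2: a <- a^(q^l) mod n
        if trace is not None:
            trace.append((q, l, a))
    d = gcd(a - 1, n)                     # step 4
    if d == 1 or d == n:                  # step 5
        return None
    return d
```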

3.16 Fact Let n be an integer having a prime factor p such that $p-1$ is B-smooth. The running time of Pollard's $p-1$ algorithm for finding the factor p is $O(B \ln n / \ln B)$ modular multiplications.

3.17 Note (improvements) The smoothness bound B in Algorithm 3.14 is selected based on the amount of time one is willing to spend on Pollard's $p-1$ algorithm before moving on to more general techniques. In practice, B may be between $10^5$ and $10^6$. If the algorithm terminates with $d = 1$, then one might try searching over prime numbers $q_1, q_2, \ldots, q_l$ larger than B by first computing $a \leftarrow a^{q_i} \bmod n$ for $1 \le i \le l$, and then computing $d = \gcd(a - 1, n)$. Another variant is to start with a large bound B, and repeatedly execute step 3 for a few primes q followed by the gcd computation in step 4. There are numerous other practical improvements of the algorithm (see page 125).
3.2.4 Elliptic curve factoring

The details of the elliptic curve factoring algorithm are beyond the scope of this book; nevertheless, a rough outline follows. The success of Pollard's $p-1$ algorithm hinges on $p-1$ being smooth for some prime divisor p of n; if no such p exists, then the algorithm fails. Observe that $p-1$ is the order of the group $\mathbb{Z}_p^*$. The elliptic curve factoring algorithm is a generalization of Pollard's $p-1$ algorithm in the sense that the group $\mathbb{Z}_p^*$ is replaced by a random elliptic curve group over $\mathbb{Z}_p$. The order of such a group is roughly uniformly distributed in the interval $[p + 1 - 2\sqrt{p},\ p + 1 + 2\sqrt{p}]$. If the order of the group chosen is smooth with respect to some pre-selected bound, the elliptic curve algorithm will, with high probability, find a non-trivial factor of n. If the group order is not smooth, then the algorithm will likely fail, but can be repeated with a different choice of elliptic curve group.

The elliptic curve algorithm has an expected running time of $L_p[\tfrac12, \sqrt{2}]$ (see Example 2.61 for definition of $L_p$) to find a factor p of n. Since this running time depends on the size of the prime factors of n, the algorithm tends to find small such factors first. The elliptic curve algorithm is, therefore, classified as a special-purpose factoring algorithm. It is currently the algorithm of choice for finding t-decimal digit prime factors, for $t \le 40$, of very large composite integers.

In the hardest case, when n is a product of two primes of roughly the same size, the expected running time of the elliptic curve algorithm is $L_n[\tfrac12, 1]$, which is the same as that of the quadratic sieve (§3.2.6). However, the elliptic curve algorithm is not as efficient as the quadratic sieve in practice for such integers.


3.2.5  Random  square  factoring  methods 

The basic idea behind the random square family of methods is the following. Suppose x and y are integers such that $x^2 \equiv y^2 \pmod n$ but $x \not\equiv \pm y \pmod n$. Then n divides $x^2 - y^2 = (x - y)(x + y)$ but n does not divide either $(x - y)$ or $(x + y)$. Hence, $\gcd(x - y, n)$ must be a non-trivial factor of n. This result is summarized next.

3.18 Fact Let x, y, and n be integers. If $x^2 \equiv y^2 \pmod n$ but $x \not\equiv \pm y \pmod n$, then $\gcd(x - y, n)$ is a non-trivial factor of n.

The random square methods attempt to find integers x and y at random so that $x^2 \equiv y^2 \pmod n$. Then, as shown in Fact 3.19, with probability at least $\tfrac12$ it is the case that $x \not\equiv \pm y \pmod n$, whence $\gcd(x - y, n)$ will yield a non-trivial factor of n.

3.19 Fact Let n be an odd composite integer that is divisible by k distinct odd primes. If $a \in \mathbb{Z}_n^*$, then the congruence $x^2 \equiv a^2 \pmod n$ has exactly $2^k$ solutions modulo n, two of which are $x = a$ and $x = -a$.

3.20 Example Let n = 35. Then there are four solutions to the congruence $x^2 \equiv 4 \pmod{35}$, namely x = 2, 12, 23, and 33. □

A common strategy employed by the random square algorithms for finding x and y at random satisfying $x^2 \equiv y^2 \pmod n$ is the following. A set consisting of the first t primes $S = \{p_1, p_2, \ldots, p_t\}$ is chosen; S is called the factor base. Proceed to find pairs of integers $(a_i, b_i)$ satisfying

(i) $a_i^2 \equiv b_i \pmod n$; and

(ii) $b_i = \prod_{j=1}^{t} p_j^{e_{ij}}$, $e_{ij} \ge 0$; that is, $b_i$ is $p_t$-smooth.

Next find a subset of the $b_i$'s whose product is a perfect square. Knowing the factorizations of the $b_i$'s, this is possible by selecting a subset of the $b_i$'s such that the power of each prime $p_j$ appearing in their product is even. For this purpose, only the parity of the non-negative integer exponents $e_{ij}$ needs to be considered. Thus, to simplify matters, for each i, associate the binary vector $v_i = (v_{i1}, v_{i2}, \ldots, v_{it})$ with the integer exponent vector $(e_{i1}, e_{i2}, \ldots, e_{it})$ such that $v_{ij} = e_{ij} \bmod 2$. If $t + 1$ pairs $(a_i, b_i)$ are obtained, then the t-dimensional vectors $v_1, v_2, \ldots, v_{t+1}$ must be linearly dependent over $\mathbb{Z}_2$. That is, there must exist a non-empty subset $T \subseteq \{1, 2, \ldots, t+1\}$ such that $\sum_{i \in T} v_i = 0$ over $\mathbb{Z}_2$, and hence $\prod_{i \in T} b_i$ is a perfect square. The set T can be found using ordinary linear algebra over $\mathbb{Z}_2$. Clearly, $\prod_{i \in T} a_i^2$ is also a perfect square. Thus setting $x = \prod_{i \in T} a_i$ and y to be the integer square root of $\prod_{i \in T} b_i$ yields a pair of integers (x, y) satisfying $x^2 \equiv y^2 \pmod n$. If this pair also satisfies $x \not\equiv \pm y \pmod n$, then $\gcd(x - y, n)$ yields a non-trivial factor of n. Otherwise, some of the $(a_i, b_i)$ pairs may be replaced by some new such pairs, and the process is repeated. In practice, there will be several dependencies among the vectors $v_1, v_2, \ldots, v_{t+1}$, and with high probability at least one will yield an (x, y) pair satisfying $x \not\equiv \pm y \pmod n$; hence, this last step of generating new $(a_i, b_i)$ pairs does not usually occur.

This description of the random square methods is incomplete for two reasons. Firstly, the optimal choice of t, the size of the factor base, is not specified; this is addressed in Note 3.24. Secondly, a method for efficiently generating the pairs $(a_i, b_i)$ is not specified. Several techniques have been proposed. In the simplest of these, called Dixon's algorithm, $a_i$ is chosen at random, and $b_i = a_i^2 \bmod n$ is computed. Next, trial division by elements in the factor base is used to test whether $b_i$ is $p_t$-smooth. If not, then another integer $a_i$ is chosen at random, and the procedure is repeated.

The more efficient techniques strategically select an $a_i$ such that $b_i$ is relatively small. Since the proportion of $p_t$-smooth integers in the interval $[2, x]$ becomes larger as x decreases, the probability of such $b_i$ being $p_t$-smooth is higher. The most efficient of such techniques is the quadratic sieve algorithm, which is described next.


3.2.6  Quadratic  sieve  factoring 

Suppose an integer n is to be factored. Let $m = \lfloor \sqrt{n} \rfloor$, and consider the polynomial $q(x) = (x + m)^2 - n$. Note that

$$q(x) = x^2 + 2mx + m^2 - n \approx x^2 + 2mx, \qquad (3.1)$$

which is small (relative to n) if x is small in absolute value. The quadratic sieve algorithm selects $a_i = (x + m)$ and tests whether $b_i = (x + m)^2 - n$ is $p_t$-smooth. Note that $a_i^2 = (x + m)^2 \equiv b_i \pmod n$. Note also that if a prime p divides $b_i$ then $(x + m)^2 \equiv n \pmod p$, and hence n is a quadratic residue modulo p. Thus the factor base need only contain those primes p for which the Legendre symbol $\left(\frac{n}{p}\right)$ is 1 (Definition 2.145). Furthermore, since $b_i$ may be negative, $-1$ is included in the factor base. The steps of the quadratic sieve algorithm are summarized in Algorithm 3.21.
3.21 Algorithm Quadratic sieve algorithm for factoring integers

INPUT: a composite integer n that is not a prime power.

OUTPUT: a non-trivial factor d of n.

1. Select the factor base $S = \{p_1, p_2, \ldots, p_t\}$, where $p_1 = -1$ and $p_j$ ($j \ge 2$) is the $(j-1)$th prime p for which n is a quadratic residue modulo p.

2. Compute $m = \lfloor \sqrt{n} \rfloor$.

3. (Collect $t + 1$ pairs $(a_i, b_i)$. The x values are chosen in the order $0, \pm 1, \pm 2, \ldots$.) Set $i \leftarrow 1$. While $i \le t + 1$ do the following:

3.1 Compute $b = q(x) = (x + m)^2 - n$, and test using trial division (cf. Note 3.23) by elements in S whether b is $p_t$-smooth. If not, pick a new x and repeat step 3.1.

3.2 If b is $p_t$-smooth, say $b = \prod_{j=1}^{t} p_j^{e_{ij}}$, then set $a_i \leftarrow (x + m)$, $b_i \leftarrow b$, and $v_i = (v_{i1}, v_{i2}, \ldots, v_{it})$, where $v_{ij} = e_{ij} \bmod 2$ for $1 \le j \le t$.

3.3 $i \leftarrow i + 1$.

4. Use linear algebra over $\mathbb{Z}_2$ to find a non-empty subset $T \subseteq \{1, 2, \ldots, t+1\}$ such that $\sum_{i \in T} v_i = 0$.

5. Compute $x = \prod_{i \in T} a_i \bmod n$.

6. For each j, $1 \le j \le t$, compute $l_j = (\sum_{i \in T} e_{ij})/2$.

7. Compute $y = \prod_{j=1}^{t} p_j^{l_j} \bmod n$.

8. If $x \equiv \pm y \pmod n$, then find another non-empty subset $T \subseteq \{1, 2, \ldots, t+1\}$ such that $\sum_{i \in T} v_i = 0$, and go to step 5. (In the unlikely case such a subset T does not exist, replace a few of the $(a_i, b_i)$ pairs with new pairs (step 3), and go to step 4.)

9. Compute $d = \gcd(x - y, n)$ and return(d).


3.22 Example (quadratic sieve algorithm for finding a non-trivial factor of n = 24961)

1. Select the factor base $S = \{-1, 2, 3, 5, 13, 23\}$ of size t = 6. (7, 11, 17 and 19 are omitted from S since $\left(\frac{n}{p}\right) = -1$ for these primes.)

2. Compute $m = \lfloor \sqrt{24961} \rfloor = 157$.

3. Following is the data collected for the first $t + 1$ values of x for which q(x) is 23-smooth.

   i    x    q(x)   factorization of q(x)   a_i   v_i
   1    0    -312   -2^3 · 3 · 13           157   (1,1,1,0,1,0)
   2    1       3   3                       158   (0,0,1,0,0,0)
   3   -1    -625   -5^4                    156   (1,0,0,0,0,0)
   4    2     320   2^6 · 5                 159   (0,0,0,1,0,0)
   5   -2    -936   -2^3 · 3^2 · 13         155   (1,1,0,0,1,0)
   6    4     960   2^6 · 3 · 5             161   (0,0,1,1,0,0)
   7   -6   -2160   -2^4 · 3^3 · 5          151   (1,0,1,1,0,0)

4. By inspection, $v_1 + v_2 + v_5 = 0$. (In the notation of Algorithm 3.21, $T = \{1, 2, 5\}$.)

5. Compute $x = (a_1 a_2 a_5 \bmod n) = 936$.

6. Compute $l_1 = 1$, $l_2 = 3$, $l_3 = 2$, $l_4 = 0$, $l_5 = 1$, $l_6 = 0$.

7. Compute $y = -2^3 \cdot 3^2 \cdot 13 \bmod n = 24025$.

8. Since $936 \equiv -24025 \pmod n$, another linear dependency must be found.

9. By inspection, $v_3 + v_6 + v_7 = 0$; thus $T = \{3, 6, 7\}$.

10. Compute $x = (a_3 a_6 a_7 \bmod n) = 23405$.

11. Compute $l_1 = 1$, $l_2 = 5$, $l_3 = 2$, $l_4 = 3$, $l_5 = 0$, $l_6 = 0$.

12. Compute $y = (-2^5 \cdot 3^2 \cdot 5^3 \bmod n) = 13922$.

13. Now, $23405 \not\equiv \pm 13922 \pmod n$, so compute $\gcd(x - y, n) = \gcd(9483, 24961) = 109$. Hence, two non-trivial factors of 24961 are 109 and 229. □
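Algorithm 3.21 as an added example (not the Handbook's code), with trial-division smoothness testing as in step 3.1 and Gaussian elimination over $\mathbb{Z}_2$ for step 4; run on n = 24961 with t = 6 it collects exactly the relations of Example 3.22. It assumes n odd, composite and not a perfect power, and where step 8 runs out of dependencies it collects one more pair rather than replacing pairs; the dependency it happens to use first is not the one the example picks, but the factor it returns is one of 109 and 229.

```python
"""Quadratic sieve, Algorithm 3.21 (added example, not the Handbook's code).
Smoothness is tested by trial division (step 3.1), not by the sieving of
Note 3.23; n is assumed odd, composite and not a perfect power."""
from math import gcd, isqrt


def is_prime(p):
    return p >= 2 and all(p % r for r in range(2, isqrt(p) + 1))


def factor_base(n, t):
    """Step 1: p_1 = -1, then the first t-1 primes p with n a quadratic
    residue mod p (Euler's criterion; p = 2 always qualifies for odd n)."""
    S, p = [-1], 2
    while len(S) < t:
        if is_prime(p) and (p == 2 or pow(n % p, (p - 1) // 2, p) == 1):
            S.append(p)
        p += 1
    return S


def smooth_exponents(b, S):
    """Trial-divide b over S.  Returns the exponent vector e_i (entry 0 is the
    exponent of p_1 = -1) or None if b is not p_t-smooth."""
    if b == 0:
        return None
    e = [0] * len(S)
    if b < 0:
        e[0], b = 1, -b
    for j in range(1, len(S)):
        while b % S[j] == 0:
            b //= S[j]
            e[j] += 1
    return e if b == 1 else None


def relation_stream(n, S, m):
    """Step 3: yield (x, a_i, b_i, e_i) for x = 0, 1, -1, 2, -2, ... whenever
    b = q(x) = (x + m)^2 - n is smooth over S."""
    x, k = 0, 0
    while True:
        e = smooth_exponents((x + m) ** 2 - n, S)
        if e is not None:
            yield x, x + m, (x + m) ** 2 - n, e
        k += 1
        x = (k + 1) // 2 * (1 if k % 2 else -1)


def first_relations(n, S, m, k):
    stream = relation_stream(n, S, m)
    return [next(stream) for _ in range(k)]


def dependencies(vectors):
    """Step 4: Gaussian elimination over Z_2.  vectors[i] is v_i packed as an
    int (bit j = v_ij).  Yields index sets T with sum_{i in T} v_i = 0, one
    for every row that reduces to zero."""
    pivots = {}          # leading bit -> (reduced row, set of original rows in it)
    for i, v in enumerate(vectors):
        comb = 1 << i
        while v:
            hb = v.bit_length() - 1
            if hb not in pivots:
                pivots[hb] = (v, comb)
                break
            pv, pc = pivots[hb]
            v, comb = v ^ pv, comb ^ pc
        if v == 0:
            yield [i for i in range(len(vectors)) if comb >> i & 1]


def quadratic_sieve(n, t):
    """Steps 1-9 of Algorithm 3.21; returns a non-trivial factor of n."""
    S = factor_base(n, t)
    m = isqrt(n)                                          # step 2
    stream = relation_stream(n, S, m)
    rels = [next(stream) for _ in range(t + 1)]           # step 3: t + 1 pairs
    while True:
        vectors = [sum((e[j] & 1) << j for j in range(t)) for _, _, _, e in rels]
        for T in dependencies(vectors):                   # steps 4 and 8
            x = 1
            for i in T:
                x = x * rels[i][1] % n                    # step 5
            l = [sum(rels[i][3][j] for i in T) // 2 for j in range(t)]  # step 6
            y = 1
            for j in range(t):
                y = y * pow(S[j], l[j], n) % n            # step 7 (S[0] = -1)
            if (x - y) % n and (x + y) % n:               # step 8: x != +-y mod n
                return gcd(x - y, n)                      # step 9
        rels.append(next(stream))   # no usable T: add a pair and redo step 4
```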

3.23 Note (sieving) Instead of testing smoothness by trial division in step 3.1 of Algorithm 3.21, a more efficient technique known as sieving is employed in practice. Observe first that if p is an odd prime in the factor base and p divides q(x), then p also divides $q(x + lp)$ for every integer l. Thus by solving the equation $q(x) \equiv 0 \pmod p$ for x (for example, using the algorithms in §3.5.1), one knows either one or two (depending on the number of solutions to the quadratic equation) entire sequences of other values y for which p divides q(y).

The sieving process is the following. An array $Q[\,]$ indexed by x, $-M \le x \le M$, is created and the xth entry is initialized to $\lfloor \lg |q(x)| \rfloor$. Let $x_1, x_2$ be the solutions to $q(x) \equiv 0 \pmod p$, where p is an odd prime in the factor base. Then the value $\lfloor \lg p \rfloor$ is subtracted from those entries $Q[x]$ in the array for which $x \equiv x_1$ or $x_2 \pmod p$ and $-M \le x \le M$. This is repeated for each odd prime p in the factor base. (The case of $p = 2$ and prime powers can be handled in a similar manner.) After the sieving, the array entries $Q[x]$ with values near 0 are most likely to be $p_t$-smooth (roundoff errors must be taken into account), and this can be verified by factoring q(x) by trial division.
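The sieving of Note 3.23 as an added example (not the Handbook's code), applied to n = 24961 and the primes of the factor base from Example 3.22. Roots of $q(x) \equiv 0 \pmod{p^k}$ are found by brute force, which is adequate for these tiny primes where the note points to §3.5.1; p = 2 and prime powers are sieved the same way, so a $p_t$-smooth q(x) is driven close to zero. The slack tolerance for the floor-of-log roundoff is my own constructed choice, and the candidates are then confirmed by trial division as the note prescribes.

```python
"""Sieving as in Note 3.23 (added example, not the Handbook's code)."""
from math import isqrt


def lg(v):
    """floor(lg v) for an integer v >= 1."""
    return v.bit_length() - 1


def sieve(n, primes, M):
    """Build Q[x], -M <= x <= M, initialised to floor(lg |q(x)|), then subtract
    floor(lg p) once for every prime power p^k dividing q(x).  Returns Q."""
    m = isqrt(n)
    q = lambda x: (x + m) ** 2 - n
    Q = {x: lg(abs(q(x))) for x in range(-M, M + 1) if q(x) != 0}
    bound = max(abs(q(x)) for x in range(-M, M + 1))
    for p in primes:
        pk = p
        while pk <= bound:                     # p, p^2, p^3, ... that can divide q(x)
            for r in range(pk):                # brute-force roots of r^2 = n (mod p^k)
                if (r * r - n) % pk:
                    continue
                for x in Q:                    # x + m = r (mod p^k)  <=>  p^k | q(x)
                    if (x + m - r) % pk == 0:
                        Q[x] -= lg(p)
            pk *= p
    return Q


def smooth_by_trial_division(b, primes):
    """The note's final check: confirm a candidate really is p_t-smooth."""
    b = abs(b)
    for p in primes:
        while b % p == 0:
            b //= p
    return b == 1


def smooth_xs(n, primes, M, slack=3):
    """Entries of the sieve array at most `slack` above 0 (constructed tolerance
    for the floor(lg) roundoff) are candidates; each is verified by trial
    division.  Returns (candidates, verified) as sorted lists of x."""
    m = isqrt(n)
    Q = sieve(n, primes, M)
    candidates = sorted(x for x, v in Q.items() if v <= slack)
    verified = [x for x in candidates
                if smooth_by_trial_division((x + m) ** 2 - n, primes)]
    return candidates, verified
```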

3.24 Note (running time of the quadratic sieve) To optimize the running time of the quadratic sieve, the size of the factor base should be judiciously chosen. The optimal selection of $t \approx L_n[\tfrac12, \tfrac12]$ (see Example 2.61) is derived from knowledge concerning the distribution of smooth integers close to $\sqrt{n}$. With this choice, Algorithm 3.21 with sieving (Note 3.23) has an expected running time of $L_n[\tfrac12, 1]$, independent of the size of the factors of n.

3.25 Note (multiple polynomial variant) In order to collect a sufficient number of $(a_i, b_i)$ pairs, the sieving interval must be quite large. From equation (3.1) it can be seen that $|q(x)|$ increases linearly with $|x|$, and consequently the probability of smoothness decreases. To overcome this problem, a variant (the multiple polynomial quadratic sieve) was proposed whereby many appropriately-chosen quadratic polynomials can be used instead of just q(x), each polynomial being sieved over an interval of much smaller length. This variant also has an expected running time of $L_n[\tfrac12, 1]$, and is the method of choice in practice.

3.26 Note (parallelizing the quadratic sieve) The multiple polynomial variant of the quadratic sieve is well suited for parallelization. Each node of a parallel computer, or each computer in a network of computers, simply sieves through different collections of polynomials. Any $(a_i, b_i)$ pair found is reported to a central processor. Once sufficient pairs have been collected, the corresponding system of linear equations is solved on a single (possibly parallel) computer.

3.27 Note (quadratic sieve vs. elliptic curve factoring) The elliptic curve factoring algorithm (§3.2.4) has the same⁴ expected (asymptotic) running time as the quadratic sieve factoring algorithm in the special case when n is the product of two primes of equal size. However, for such numbers, the quadratic sieve is superior in practice because the main steps in the algorithm are single precision operations, compared to the much more computationally intensive multi-precision elliptic curve operations required in the elliptic curve algorithm.


⁴This does not take into account the different $o(1)$ terms in the two expressions $L_n[\tfrac12, 1]$.
3.2.7 Number field sieve factoring

For several years it was believed by some people that a running time of $L_n[\tfrac12, 1]$ was, in fact, the best achievable by any integer factorization algorithm. This barrier was broken in 1990 with the discovery of the number field sieve. Like the quadratic sieve, the number field sieve is an algorithm in the random square family of methods (§3.2.5). That is, it attempts to find integers x and y such that $x^2 \equiv y^2 \pmod n$ and $x \not\equiv \pm y \pmod n$. To achieve this goal, two factor bases are used, one consisting of all prime numbers less than some bound, and the other consisting of all prime ideals of norm less than some bound in the ring of integers of a suitably-chosen algebraic number field. The details of the algorithm are quite complicated, and are beyond the scope of this book.

A special version of the algorithm (the special number field sieve) applies to integers of the form $n = r^e - s$ for small r and $|s|$, and has an expected running time of $L_n[\tfrac13, c]$, where $c = (32/9)^{1/3} \approx 1.526$.

The general version of the algorithm, sometimes called the general number field sieve, applies to all integers and has an expected running time of $L_n[\tfrac13, c]$, where $c = (64/9)^{1/3} \approx 1.923$. This is, asymptotically, the fastest algorithm known for integer factorization. The primary reason why the running time of the number field sieve is smaller than that of the quadratic sieve is that the candidate smooth numbers in the former are much smaller than those in the latter.

The  general  number  field  sieve  was  at  first  believed  to  be  slower  than  the  quadratic 
sieve  for  factoring  integers  having  fewer  than  150  decimal  digits.  However,  experiments 
in  1994-1996  have  indicated  that  the  general  number  field  sieve  is  substantially  faster  than 
the  quadratic  sieve  even  for  numbers  in  the  115  digit  range.  This  implies  that  the  crossover 
point  between  the  effectiveness  of  the  quadratic  sieve  vs.  the  general  number  field  sieve 
may  be  110-120  digits.  For  this  reason,  the  general  number  field  sieve  is  considered  the 
current  champion  of  all  general-purpose  factoring  algorithms. 


3.3  The  RSA  problem 

The  intractability  of  the  RSA  problem  forms  the  basis  for  the  security  of  the  RSA  public-key 
encryption  scheme  (§8.2)  and  the  RSA  signature  scheme  (§11.3.1). 

3.28 Definition The RSA problem (RSAP) is the following: given a positive integer n that is a product of two distinct odd primes p and q, a positive integer e such that $\gcd(e, (p-1)(q-1)) = 1$, and an integer c, find an integer m such that $m^e \equiv c \pmod{n}$.

In other words, the RSA problem is that of finding $e$th roots modulo a composite integer n. The conditions imposed on the problem parameters n and e ensure that for each integer $c \in \{0, 1, \ldots, n-1\}$ there is exactly one $m \in \{0, 1, \ldots, n-1\}$ such that $m^e \equiv c \pmod{n}$. Equivalently, the function $f : \mathbb{Z}_n \to \mathbb{Z}_n$ defined as $f(m) = m^e \bmod n$ is a permutation.

3.29 Remark (SQROOT vs. RSA problems) Since $p - 1$ is even, it follows that e is odd. In particular, $e \neq 2$, and hence the SQROOT problem (Definition 3.43) is not a special case of the RSA problem.
As is shown in §8.2.2(i), if the factors of n are known then the RSA problem can be easily solved. This fact is stated next.

3.30 Fact RSAP $\leq_P$ FACTORING. That is, the RSA problem polytime reduces to the integer factorization problem.

It  is  widely  believed  that  the  RSA  and  the  integer  factorization  problems  are  computa- 
tionally equivalent,  although  no  proof  of  this  is  known. 


3.4  The  quadratic  residuosity  problem 

The  security  of  the  Goldwasser-Micali  probabilistic  public-key  encryption  scheme  (§8.7) 
and  the  Blum-Blum-Shub  pseudorandom  bit  generator  (§5.5.2)  are  both  based  on  the  ap- 
parent intractability  of  the  quadratic  residuosity  problem. 

Recall from §2.4.5 that if $n \geq 3$ is an odd integer, then $J_n$ is the set of all $a \in \mathbb{Z}_n^*$ having Jacobi symbol 1. Recall also that $Q_n$ is the set of quadratic residues modulo n and that the set of pseudosquares modulo n is defined by $\widetilde{Q}_n = J_n - Q_n$.

3.31 Definition The quadratic residuosity problem (QRP) is the following: given an odd composite integer n and $a \in J_n$, decide whether or not a is a quadratic residue modulo n.

3.32 Remark (QRP with a prime modulus) If n is a prime, then it is easy to decide whether $a \in \mathbb{Z}_n^*$ is a quadratic residue modulo n since, by definition, $a \in Q_n$ if and only if $\left(\frac{a}{n}\right) = 1$, and the Legendre symbol $\left(\frac{a}{n}\right)$ can be efficiently calculated by Algorithm 2.149.

Assume now that n is a product of two distinct odd primes p and q. It follows from Fact 2.137 that if $a \in J_n$, then $a \in Q_n$ if and only if $\left(\frac{a}{p}\right) = 1$. Thus, if the factorization of n is known, then QRP can be solved simply by computing the Legendre symbol $\left(\frac{a}{p}\right)$. This observation can be generalized to all integers n and leads to the following fact.

3.33 Fact QRP $\leq_P$ FACTORING. That is, the QRP polytime reduces to the FACTORING problem.

On the other hand, if the factorization of n is unknown, then there is no efficient procedure known for solving QRP, other than by guessing the answer. If $n = pq$, then the probability of a correct guess is $\frac{1}{2}$ since $|Q_n| = |\widetilde{Q}_n|$ (Fact 2.155). It is believed that the QRP is as difficult as the problem of factoring integers, although no proof of this is known.
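Facts 3.30 and 3.33 both say that knowledge of the factors of n collapses the problem. The following Python example, added here and not taken from the Handbook, makes the two reductions concrete on constructed toy parameters (n = 61 · 53, far too small for real use): with p and q in hand, an $e$th root is obtained through $d = e^{-1} \bmod (p-1)(q-1)$, and membership in $Q_n$ is decided from the two Legendre symbols, which also lets one count squares against pseudosquares (they are equally numerous, as Fact 2.155 states). The function names are my own.

```python
# Added example (not from the Handbook): with n = p*q factored, both RSAP
# (Fact 3.30) and QRP (Fact 3.33) are easy.  Toy parameters, constructed.
from math import gcd


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p via Euler's criterion."""
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (standard quadratic-reciprocity loop)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def rsa_root_with_factors(c, e, p, q):
    """Solve m^e = c (mod pq) given p, q: d = e^-1 mod (p-1)(q-1), m = c^d mod n."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo (p-1)(q-1)"
    d = pow(e, -1, phi)                     # modular inverse (Python >= 3.8)
    return pow(c, d, n)


def is_quadratic_residue_with_factors(a, p, q):
    """a in Q_n for n = pq (Fact 2.137): a in Q_n iff (a/p) = 1 and (a/q) = 1."""
    return legendre(a, p) == 1 and legendre(a, q) == 1


def pseudosquares(p, q):
    """Elements of J_n that are not squares: the pseudosquares Q~_n."""
    n = p * q
    return sorted(a for a in range(1, n)
                  if gcd(a, n) == 1 and jacobi(a, n) == 1
                  and not is_quadratic_residue_with_factors(a, p, q))


def demo():
    """Returns (recovered message, |Q_n|, |Q~_n|) for the toy modulus 61*53."""
    p, q, e = 61, 53, 17                    # constructed toy RSA parameters
    n = p * q
    m = 1234
    c = pow(m, e, n)
    recovered = rsa_root_with_factors(c, e, p, q)
    squares = {pow(x, 2, n) for x in range(1, n) if gcd(x, n) == 1}
    return recovered, len(squares), len(pseudosquares(p, q))
```

Without p and q the second half of the example has no shortcut: the Jacobi symbol alone tells you only that a lies in $J_n$, which is exactly the situation QRP asks about.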


3.5 Computing square roots in $\mathbb{Z}_n$

The  operations  of  squaring  modulo  an  integer  n and  extracting  square  roots  modulo  an  in- 
teger n are  frequently  used  in  cryptographic  functions.  The  operation  of  computing  square 
roots  modulo  n can  be  performed  efficiently  when  n is  a prime,  but  is  difficult  when  n is  a 
composite  integer  whose  prime  factors  are  unknown. 
3.5.1 Case (i): n prime

Recall from Remark 3.32 that if p is a prime, then it is easy to decide if $a \in \mathbb{Z}_p^*$ is a quadratic residue modulo p. If a is, in fact, a quadratic residue modulo p, then the two square roots of a can be efficiently computed, as demonstrated by Algorithm 3.34.


3.34 Algorithm Finding square roots modulo a prime p

INPUT: an odd prime p and an integer a, $1 \leq a \leq p-1$.

OUTPUT: the two square roots of a modulo p, provided a is a quadratic residue modulo p.

1. Compute the Legendre symbol $\left(\frac{a}{p}\right)$ using Algorithm 2.149. If $\left(\frac{a}{p}\right) = -1$ then return(a does not have a square root modulo p) and terminate.

2. Select integers b, $1 \leq b \leq p-1$, at random until one is found with $\left(\frac{b}{p}\right) = -1$. (b is a quadratic non-residue modulo p.)

3. By repeated division by 2, write $p - 1 = 2^s t$, where t is odd.

4. Compute $a^{-1} \bmod p$ by the extended Euclidean algorithm (Algorithm 2.142).

5. Set $c \leftarrow b^t \bmod p$ and $r \leftarrow a^{(t+1)/2} \bmod p$ (Algorithm 2.143).

6. For i from 1 to $s - 1$ do the following:

6.1 Compute $d = (r^2 \cdot a^{-1})^{2^{s-i-1}} \bmod p$.

6.2 If $d \equiv -1 \pmod{p}$ then set $r \leftarrow r \cdot c \bmod p$.

6.3 Set $c \leftarrow c^2 \bmod p$.

7. Return($r, -r$).


Algorithm 3.34 is a randomized algorithm because of the manner in which the quadratic non-residue b is selected in step 2. No deterministic polynomial-time algorithm for finding a quadratic non-residue modulo a prime p is known (see Remark 2.151).

3.35 Fact Algorithm 3.34 has an expected running time of $O((\lg p)^4)$ bit operations.

This running time is obtained by observing that the dominant step (step 6) is executed $s - 1$ times, each iteration involving a modular exponentiation and thus taking $O((\lg p)^3)$ bit operations (Table 2.5). Since in the worst case $s = O(\lg p)$, the running time of $O((\lg p)^4)$ follows. When s is small, the loop in step 6 is executed only a small number of times, and the running time of Algorithm 3.34 is $O((\lg p)^3)$ bit operations. This point is demonstrated next for the special cases $s = 1$ and $s = 2$.

Specializing  Algorithm  3.34  to  the  case  s = 1 yields  the  following  simple  deterministic 
algorithm  for  finding  square  roots  when  p = 3 (mod  4). 


3.36 Algorithm Finding square roots modulo a prime p where $p \equiv 3 \pmod{4}$

INPUT: an odd prime p where $p \equiv 3 \pmod{4}$, and a square $a \in Q_p$.
OUTPUT: the two square roots of a modulo p.

1. Compute $r = a^{(p+1)/4} \bmod p$ (Algorithm 2.143).

2. Return($r, -r$).


Specializing Algorithm 3.34 to the case $s = 2$, and using the fact that 2 is a quadratic non-residue modulo p when $p \equiv 5 \pmod{8}$, yields the following simple deterministic algorithm for finding square roots when $p \equiv 5 \pmod{8}$.
3.37 Algorithm Finding square roots modulo a prime p where $p \equiv 5 \pmod{8}$

INPUT: an odd prime p where $p \equiv 5 \pmod{8}$, and a square $a \in Q_p$.
OUTPUT: the two square roots of a modulo p.

1. Compute $d = a^{(p-1)/4} \bmod p$ (Algorithm 2.143).

2. If $d = 1$ then compute $r = a^{(p+3)/8} \bmod p$.

3. If $d = p - 1$ then compute $r = 2a(4a)^{(p-5)/8} \bmod p$.

4. Return($r, -r$).


3.38 Fact Algorithms 3.36 and 3.37 have running times of $O((\lg p)^3)$ bit operations.

Algorithm 3.39 for finding square roots modulo p is preferable to Algorithm 3.34 when $p - 1 = 2^s t$ with s large.


3.39 Algorithm Finding square roots modulo a prime p

INPUT: an odd prime p and a square $a \in Q_p$.

OUTPUT: the two square roots of a modulo p.

1. Choose random $b \in \mathbb{Z}_p$ until $b^2 - 4a$ is a quadratic non-residue modulo p, i.e., $\left(\frac{b^2 - 4a}{p}\right) = -1$.

2. Let f be the polynomial $x^2 - bx + a$ in $\mathbb{Z}_p[x]$.

3. Compute $r = x^{(p+1)/2} \bmod f$ using Algorithm 2.227. (Note: r will be an integer.)

4. Return($r, -r$).


3.40 Fact Algorithm 3.39 has an expected running time of $O((\lg p)^3)$ bit operations.
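Algorithm 3.39 as an added Python example (not from the Handbook): elements of $\mathbb{Z}_p[x]/(f)$ are kept as pairs $(u, v)$ standing for $u + vx$, and since $f = x^2 - bx + a$ the reduction rule for a product is $x^2 = bx - a$. Square-and-multiply in that ring plays the role of Algorithm 2.227. The x-coefficient of $x^{(p+1)/2}$ vanishes because x and its conjugate $x^p$ are the two roots of f, whose product is a; the code asserts that rather than assuming it. Names are my own.

```python
# Added example (not from the Handbook): Algorithm 3.39 via arithmetic in
# Z_p[x]/(x^2 - b x + a).  Assumes a is a quadratic residue modulo p.
import random


def legendre(a, p):
    """Legendre symbol (a/p) via Euler's criterion."""
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def _mul(u1, v1, u2, v2, a, b, p):
    """(u1 + v1 x)(u2 + v2 x) reduced by x^2 = b x - a, coefficients mod p."""
    c0 = (u1 * u2 - v1 * v2 * a) % p
    c1 = (u1 * v2 + u2 * v1 + v1 * v2 * b) % p
    return c0, c1


def sqrt_mod_prime_poly(a, p, rng=random):
    """Algorithm 3.39: returns (r, p - r) with r^2 = a (mod p)."""
    a %= p
    if a == 0:
        return (0, 0)
    b = rng.randrange(p)                                   # step 1
    while legendre((b * b - 4 * a) % p, p) != -1:
        b = rng.randrange(p)
    # step 2 is implicit: f = x^2 - b x + a is encoded in _mul.
    exp = (p + 1) // 2                                     # step 3
    res_u, res_v = 1, 0            # running result, starts at 1
    base_u, base_v = 0, 1          # the element x
    while exp:
        if exp & 1:
            res_u, res_v = _mul(res_u, res_v, base_u, base_v, a, b, p)
        base_u, base_v = _mul(base_u, base_v, base_u, base_v, a, b, p)
        exp >>= 1
    assert res_v == 0, "x^((p+1)/2) must reduce to an integer when f is irreducible"
    r = res_u
    return (r, (p - r) % p)                                # step 4


def check_all_residues(p):
    """True if every quadratic residue modulo p yields r with r^2 = a."""
    for a in range(1, p):
        if legendre(a, p) == 1:
            r, _ = sqrt_mod_prime_poly(a, p)
            if r * r % p != a:
                return False
    return True
```

Unlike Algorithm 3.34, the cost here does not grow with s, the power of 2 dividing $p - 1$; the price is one random search for a b whose discriminant is a non-residue, which succeeds with probability about one half per trial.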

3.41 Note (computing square roots in a finite field) Algorithms 3.34, 3.36, 3.37, and 3.39 can be extended in a straightforward manner to find square roots in any finite field $\mathbb{F}_q$ of odd order $q = p^m$, p prime, $m \geq 1$. Square roots in finite fields of even order can also be computed efficiently via Fact 3.42.

3.42 Fact Each element $a \in \mathbb{F}_{2^m}$ has exactly one square root, namely $a^{2^{m-1}}$.


3.5.2 Case (ii): n composite

The  discussion  in  this  subsection  is  restricted  to  the  case  of  computing  square  roots  modulo 
n,  where  n is  a product  of  two  distinct  odd  primes  p and  q.  However,  all  facts  presented 
here  generalize  to  the  case  where  n is  an  arbitrary  composite  integer. 

Unlike the case where n is a prime, the problem of deciding whether a given $a \in \mathbb{Z}_n^*$ is a quadratic residue modulo a composite integer n is believed to be a difficult problem. Certainly, if the Jacobi symbol $\left(\frac{a}{n}\right) = -1$, then a is a quadratic non-residue. On the other hand, if $\left(\frac{a}{n}\right) = 1$, then deciding whether or not a is a quadratic residue is precisely the quadratic residuosity problem, considered in §3.4.

3.43 Definition The square root modulo n problem (SQROOT) is the following: given a composite integer n and a quadratic residue a modulo n (i.e. $a \in Q_n$), find a square root of a modulo n.
If the factors p and q of n are known, then the SQROOT problem can be solved effi-
ciently by  first  finding  square  roots  of  a modulo  p and  modulo  q,  and  then  combining  them 
using  the  Chinese  remainder  theorem  (Fact  2.120)  to  obtain  the  square  roots  of  a modulo 
n.  The  steps  are  summarized  in  Algorithm  3.44,  which,  in  fact,  finds  all  of  the  four  square 
roots  of  a modulo  n. 


3.44 Algorithm Finding square roots modulo n given its prime factors p and q

INPUT: an integer n, its prime factors p and q, and $a \in Q_n$.

OUTPUT: the four square roots of a modulo n.

1. Use Algorithm 3.39 (or Algorithm 3.36 or 3.37, if applicable) to find the two square roots r and $-r$ of a modulo p.

2. Use Algorithm 3.39 (or Algorithm 3.36 or 3.37, if applicable) to find the two square roots s and $-s$ of a modulo q.

3. Use the extended Euclidean algorithm (Algorithm 2.107) to find integers c and d such that $cp + dq = 1$.

4. Set $x \leftarrow (rdq + scp) \bmod n$ and $y \leftarrow (rdq - scp) \bmod n$.

5. Return($\pm x \bmod n$, $\pm y \bmod n$).


3.45 Fact Algorithm 3.44 has an expected running time of $O((\lg p)^3)$ bit operations.

Algorithm 3.44 shows that if one can factor n, then the SQROOT problem is easy. More precisely, SQROOT $\leq_P$ FACTORING. The converse of this statement is also true, as stated in Fact 3.46.

3.46 Fact FACTORING $\leq_P$ SQROOT. That is, the FACTORING problem polytime reduces to the SQROOT problem. Hence, since SQROOT $\leq_P$ FACTORING, the FACTORING and SQROOT problems are computationally equivalent.

Justification. Suppose that one has a polynomial-time algorithm A for solving the SQROOT problem. This algorithm can then be used to factor a given composite integer n as follows. Select an integer x at random with $\gcd(x, n) = 1$, and compute $a = x^2 \bmod n$. Next, algorithm A is run with inputs a and n, and a square root y of a modulo n is returned. If $y \equiv \pm x \pmod{n}$, then the trial fails, and the above procedure is repeated with a new x chosen at random. Otherwise, if $y \not\equiv \pm x \pmod{n}$, then $\gcd(x - y, n)$ is guaranteed to be a non-trivial factor of n (Fact 3.18), namely, p or q. Since a has four square roots modulo n ($\pm x$ and $\pm z$ with $\pm z \not\equiv \pm x \pmod{n}$), the probability of success for each attempt is $\frac{1}{2}$. Hence, the expected number of attempts before a factor of n is obtained is two, and consequently the procedure runs in expected polynomial time. □
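Algorithm 3.44 and the reduction in the justification of Fact 3.46, as one added Python example that is not part of the Handbook. To keep the block short, the prime-level square roots use Algorithm 3.36, so the constructed primes are chosen with $p \equiv q \equiv 3 \pmod{4}$ (any of Algorithms 3.34, 3.37 or 3.39 would serve otherwise). The "algorithm A" of Fact 3.46 is simulated by an oracle that knows p and q and returns one of the four roots at random; the caller of `factor_with_sqroot_oracle` sees only the oracle's answers, and a factor emerges exactly when the answer is not $\pm x$, as the proof describes. Names and the primes 499, 503 are my own.

```python
# Added example (not from the Handbook): Algorithm 3.44 (four square roots
# modulo n = pq) and the Fact 3.46 reduction FACTORING <= SQROOT.
import random
from math import gcd


def egcd(a, b):
    """Extended Euclid: (g, c, d) with c*a + d*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, c, d = egcd(b, a % b)
    return g, d, c - (a // b) * d


def sqrt_mod_prime_3mod4(a, p):
    """Algorithm 3.36; caller guarantees p = 3 (mod 4) and a in Q_p."""
    assert p % 4 == 3
    return pow(a, (p + 1) // 4, p)


def sqrt_mod_pq(a, p, q):
    """Algorithm 3.44: the four square roots of a modulo n = pq, sorted."""
    n = p * q
    r = sqrt_mod_prime_3mod4(a % p, p)           # step 1
    s = sqrt_mod_prime_3mod4(a % q, q)           # step 2
    g, c, d = egcd(p, q)                         # step 3: cp + dq = 1
    assert g == 1
    x = (r * d * q + s * c * p) % n              # step 4
    y = (r * d * q - s * c * p) % n
    return sorted({x, (-x) % n, y, (-y) % n})    # step 5


def factor_with_sqroot_oracle(n, oracle, rng=random, max_trials=100):
    """Fact 3.46: pick x, ask the oracle for a root y of x^2 mod n; when
    y is not +-x, gcd(x - y, n) is a proper factor (Fact 3.18)."""
    for _ in range(max_trials):
        x = rng.randrange(2, n)
        g = gcd(x, n)
        if g != 1:
            return g                             # x itself shares a factor with n
        y = oracle(pow(x, 2, n))
        if y in (x, (n - x) % n):
            continue                             # trial fails: try a new x
        f = gcd((x - y) % n, n)
        if 1 < f < n:
            return f
    return None


def demo(seed=1):
    """Returns (roots of 1234^2 mod n, a factor recovered through the oracle)."""
    p, q = 499, 503                              # constructed primes, both 3 mod 4
    n = p * q
    rng = random.Random(seed)

    def oracle(a):                               # simulates algorithm A of Fact 3.46
        return rng.choice(sqrt_mod_pq(a, p, q))

    roots = sqrt_mod_pq(pow(1234, 2, n), p, q)
    return roots, factor_with_sqroot_oracle(n, oracle, rng)
```

Each oracle call succeeds with probability one half, so the expected two attempts of the proof are what the loop typically spends; `max_trials` only guards against a pathological oracle that always answers $\pm x$.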

3.47 Note (strengthening of Fact 3.46) The proof of Fact 3.46 can be easily modified to establish the following stronger result. Let $c \geq 1$ be any constant. If there is an algorithm A which, given n, can find a square root modulo n in polynomial time for a fraction $1/c$ of all quadratic residues $a \in Q_n$, then the algorithm A can be used to factor n in expected polynomial time. The implication of this statement is that if the problem of factoring n is difficult, then for almost all $a \in Q_n$ it is difficult to find square roots modulo n.

The  computational  equivalence  of  the  SQROOT  and  FACTORING  problems  was  the 
basis  of  the  first  “provably  secure”  public-key  encryption  and  signature  schemes,  presented 
in  §8.3. 
3.6 The discrete logarithm problem

The  security  of  many  cryptographic  techniques  depends  on  the  intractability  of  the  discrete 
logarithm  problem.  A partial  list  of  these  includes  Diffie-Hellman  key  agreement  and  its 
derivatives  (§12.6),  ElGamal  encryption  (§8.4),  and  the  ElGamal  signature  scheme  and  its 
variants  (§11.5).  This  section  summarizes  the  current  knowledge  regarding  algorithms  for 
solving  the  discrete  logarithm  problem. 

Unless otherwise specified, algorithms in this section are described in the general setting of a (multiplicatively written) finite cyclic group G of order n with generator $\alpha$ (see Definition 2.167). For a more concrete approach, the reader may find it convenient to think of G as the multiplicative group $\mathbb{Z}_p^*$ of order $p - 1$, where the group operation is simply multiplication modulo p.

3.48 Definition Let G be a finite cyclic group of order n. Let $\alpha$ be a generator of G, and let $\beta \in G$. The discrete logarithm of $\beta$ to the base $\alpha$, denoted $\log_\alpha \beta$, is the unique integer x, $0 \leq x \leq n - 1$, such that $\beta = \alpha^x$.

3.49 Example Let $p = 97$. Then $\mathbb{Z}_{97}^*$ is a cyclic group of order $n = 96$. A generator of $\mathbb{Z}_{97}^*$ is $\alpha = 5$. Since $5^{32} \equiv 35 \pmod{97}$, $\log_5 35 = 32$ in $\mathbb{Z}_{97}^*$. □

The  following  are  some  elementary  facts  about  logarithms. 

3.50 Fact Let $\alpha$ be a generator of a cyclic group G of order n, and let $\beta, \gamma \in G$. Let s be an integer. Then $\log_\alpha(\beta\gamma) = (\log_\alpha \beta + \log_\alpha \gamma) \bmod n$ and $\log_\alpha(\beta^s) = s \log_\alpha \beta \bmod n$.

The groups of most interest in cryptography are the multiplicative group $\mathbb{F}_q^*$ of the finite field $\mathbb{F}_q$ (§2.6), including the particular cases of the multiplicative group $\mathbb{Z}_p^*$ of the integers modulo a prime p, and the multiplicative group $\mathbb{F}_{2^m}^*$ of the finite field $\mathbb{F}_{2^m}$ of characteristic two. Also of interest are the group of units $\mathbb{Z}_n^*$ where n is a composite integer, the group of points on an elliptic curve defined over a finite field, and the jacobian of a hyperelliptic curve defined over a finite field.

3.51 Definition The discrete logarithm problem (DLP) is the following: given a prime p, a generator $\alpha$ of $\mathbb{Z}_p^*$, and an element $\beta \in \mathbb{Z}_p^*$, find the integer x, $0 \leq x \leq p - 2$, such that $\alpha^x \equiv \beta \pmod{p}$.

3.52 Definition The generalized discrete logarithm problem (GDLP) is the following: given a finite cyclic group G of order n, a generator $\alpha$ of G, and an element $\beta \in G$, find the integer x, $0 \leq x \leq n - 1$, such that $\alpha^x = \beta$.

The discrete logarithm problems in elliptic curve groups and in the jacobians of hyperelliptic curves are not explicitly considered in this section. The discrete logarithm problem in $\mathbb{Z}_n^*$ is discussed further in §3.8.

3.53 Note (difficulty of the GDLP is independent of generator) Let $\alpha$ and $\gamma$ be two generators of a cyclic group G of order n, and let $\beta \in G$. Let $x = \log_\alpha \beta$, $y = \log_\gamma \beta$, and $z = \log_\alpha \gamma$. Then $\alpha^x = \beta = \gamma^y = (\alpha^z)^y$. Consequently $x = zy \bmod n$, and

$$\log_\gamma \beta = (\log_\alpha \beta)(\log_\alpha \gamma)^{-1} \bmod n.$$

This means that any algorithm which computes logarithms to the base $\alpha$ can be used to compute logarithms to any other base $\gamma$ that is also a generator of G.
3.54 Note (generalization of GDLP) A more general formulation of the GDLP is the following: given a finite group G and elements $\alpha, \beta \in G$, find an integer x such that $\alpha^x = \beta$, provided that such an integer exists. In this formulation, it is not required that G be a cyclic group, and, even if it is, it is not required that $\alpha$ be a generator of G. This problem may be harder to solve, in general, than GDLP. However, in the case where G is a cyclic group (for example if G is the multiplicative group of a finite field) and the order of $\alpha$ is known, it can be easily recognized whether an integer x satisfying $\alpha^x = \beta$ exists. This is because of the following fact: if G is a cyclic group, $\alpha$ is an element of order n in G, and $\beta \in G$, then there exists an integer x such that $\alpha^x = \beta$ if and only if $\beta^n = 1$.

3.55 Note (solving the DLP in a cyclic group G of order n is in essence computing an isomorphism between G and $\mathbb{Z}_n$) Even though any two cyclic groups of the same order are isomorphic (that is, they have the same structure although the elements may be written in different representations), an efficient algorithm for computing logarithms in one group does not necessarily imply an efficient algorithm for the other group. To see this, consider that every cyclic group of order n is isomorphic to the additive cyclic group $\mathbb{Z}_n$, i.e., the set of integers $\{0, 1, 2, \ldots, n-1\}$ where the group operation is addition modulo n. Moreover, the discrete logarithm problem in the latter group, namely, the problem of finding an integer x such that $ax \equiv b \pmod{n}$ given $a, b \in \mathbb{Z}_n$, is easy as shown in the following. First note that there does not exist a solution x if $d = \gcd(a, n)$ does not divide b (Fact 2.119). Otherwise, if d divides b, the extended Euclidean algorithm (Algorithm 2.107) can be used to find integers s and t such that $as + nt = d$. Multiplying both sides of this equation by the integer $b/d$ gives $a(sb/d) + n(tb/d) = b$. Reducing this equation modulo n yields $a(sb/d) \equiv b \pmod{n}$ and hence $x = (sb/d) \bmod n$ is the desired (and easily obtainable) solution.
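The derivation in Note 3.55 carried out in Python, as an added example that is not from the Handbook: the extended Euclidean algorithm supplies s with $as + nt = d$, the no-solution case $d \nmid b$ is reported rather than silently mishandled, and the companion function lists all d solutions in $\mathbb{Z}_n$ (they differ by multiples of $n/d$). Function names are my own.

```python
# Added example (not from the Handbook): the additive-group "logarithm" of
# Note 3.55, i.e. solving a*x = b (mod n) by the extended Euclidean algorithm.

def egcd(a, b):
    """(d, s, t) with s*a + t*b = d = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    d, s, t = egcd(b, a % b)
    return d, t, s - (a // b) * t


def solve_linear_congruence(a, b, n):
    """Smallest x >= 0 with a*x = b (mod n), or None when gcd(a, n) does not divide b."""
    a %= n
    b %= n
    d, s, _t = egcd(a, n)              # a*s + n*t = d
    if b % d != 0:
        return None                    # Fact 2.119: no solution exists
    return (s * (b // d)) % (n // d)   # x = s*b/d, reduced to the least solution


def all_solutions(a, b, n):
    """All d = gcd(a, n) solutions in Z_n: x0 + k*(n/d) for 0 <= k < d."""
    x0 = solve_linear_congruence(a, b, n)
    if x0 is None:
        return []
    d = egcd(a % n, n)[0]
    return sorted((x0 + k * (n // d)) % n for k in range(d))
```

For $d = 1$ this is just multiplication by $a^{-1} \bmod n$; the general form matters because an additive-group "base" a need not be a generator, mirroring Note 3.54.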

The  known  algorithms  for  the  DLP  can  be  categorized  as  follows: 

1. algorithms which work in arbitrary groups, e.g., exhaustive search (§3.6.1), the baby-step giant-step algorithm (§3.6.2), Pollard's rho algorithm (§3.6.3);

2.  algorithms  which  work  in  arbitrary  groups  but  are  especially  efficient  if  the  order  of 
the  group  has  only  small  prime  factors,  e.g.,  Pohlig-Hellman  algorithm  (§3.6.4);  and 

3.  the  index-calculus  algorithms  (§3.6.5)  which  are  efficient  only  in  certain  groups. 


3.6.1  Exhaustive  search 

The most obvious algorithm for GDLP (Definition 3.52) is to successively compute $\alpha^0, \alpha^1, \alpha^2, \ldots$ until $\beta$ is obtained. This method takes $O(n)$ multiplications, where n is the order of $\alpha$, and is therefore inefficient if n is large (i.e. in cases of cryptographic interest).


3.6.2  Baby-step  giant-step  algorithm 

Let $m = \lceil \sqrt{n} \rceil$, where n is the order of $\alpha$. The baby-step giant-step algorithm is a time-memory trade-off of the method of exhaustive search and is based on the following observation. If $\beta = \alpha^x$, then one can write $x = im + j$, where $0 \leq i, j < m$. Hence, $\alpha^x = \alpha^{im}\alpha^j$, which implies $\beta(\alpha^{-m})^i = \alpha^j$. This suggests the following algorithm for computing x.
3.56 Algorithm Baby-step giant-step algorithm for computing discrete logarithms

INPUT: a generator $\alpha$ of a cyclic group G of order n, and an element $\beta \in G$.

OUTPUT: the discrete logarithm $x = \log_\alpha \beta$.

1. Set $m \leftarrow \lceil \sqrt{n} \rceil$.

2. Construct a table with entries $(j, \alpha^j)$ for $0 \leq j < m$. Sort this table by second component. (Alternatively, use conventional hashing on the second component to store the entries in a hash table; placing an entry, and searching for an entry in the table takes constant time.)

3. Compute $\alpha^{-m}$ and set $\gamma \leftarrow \beta$.

4. For i from 0 to $m - 1$ do the following:

4.1 Check if $\gamma$ is the second component of some entry in the table.

4.2 If $\gamma = \alpha^j$ then return($x = im + j$).

4.3 Set $\gamma \leftarrow \gamma \cdot \alpha^{-m}$.

Algorithm 3.56 requires storage for $O(\sqrt{n})$ group elements. The table takes $O(\sqrt{n})$ multiplications to construct, and $O(\sqrt{n} \lg n)$ comparisons to sort. Having constructed this table, step 4 takes $O(\sqrt{n})$ multiplications and $O(\sqrt{n})$ table look-ups. Under the assumption that a group multiplication takes more time than $\lg n$ comparisons, the running time of Algorithm 3.56 can be stated more concisely as follows.

3.57 Fact The running time of the baby-step giant-step algorithm (Algorithm 3.56) is $O(\sqrt{n})$ group multiplications.

3.58 Example (baby-step giant-step algorithm for logarithms in $\mathbb{Z}_{113}^*$) Let $p = 113$. The element $\alpha = 3$ is a generator of $\mathbb{Z}_{113}^*$ of order $n = 112$. Consider $\beta = 57$. Then $\log_3 57$ is computed as follows.

1. Set $m \leftarrow \lceil \sqrt{112} \rceil = 11$.

2. Construct a table whose entries are $(j, \alpha^j \bmod p)$ for $0 \leq j < 11$:

3. Using Algorithm 2.142, compute $\alpha^{-1} = 3^{-1} \bmod 113 = 38$ and then compute $\alpha^{-m} = 38^{11} \bmod 113 = 58$.

4. Next, $\gamma = \beta\alpha^{-mi} \bmod 113$ for $i = 0, 1, 2, \ldots$ is computed until a value in the second row of the table is obtained. This yields:

   i                                  0    1     2    3     4    5    6    7    8    9
   $\gamma = 57 \cdot 58^i \bmod 113$   57   29   100   37   112   55   26   39    2    3

Finally, since $\beta\alpha^{-9m} = 3 = \alpha^1$, $\beta = \alpha^{100}$ and, therefore, $\log_3 57 = 100$. □
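Algorithm 3.56 in $\mathbb{Z}_p^*$ as an added Python example (not the Handbook's code), using a hash table for step 2 as the algorithm's parenthetical suggests, and checked against Examples 3.58 and 3.49. `baby_table` reproduces the $(j, \alpha^j \bmod p)$ table of step 2 so a reader can print it. Names are my own.

```python
# Added example (not from the Handbook): baby-step giant-step in Z_p^*.
from math import isqrt


def baby_step_giant_step(alpha, beta, p, n):
    """x = log_alpha(beta) in Z_p^*, where alpha has order n; None if no solution."""
    m = isqrt(n - 1) + 1                            # step 1: m = ceil(sqrt(n))
    table = {}                                      # step 2: alpha^j -> j, 0 <= j < m
    aj = 1
    for j in range(m):
        table.setdefault(aj, j)
        aj = aj * alpha % p
    alpha_neg_m = pow(pow(alpha, -1, p), m, p)      # step 3: alpha^(-m)
    gamma = beta % p
    for i in range(m):                              # step 4: giant steps
        j = table.get(gamma)                        # 4.1
        if j is not None:
            return i * m + j                        # 4.2
        gamma = gamma * alpha_neg_m % p             # 4.3
    return None


def baby_table(alpha, p, m):
    """The (j, alpha^j mod p) table of step 2, for display and checking."""
    return [(j, pow(alpha, j, p)) for j in range(m)]
```

The dictionary makes step 4.1 a constant-time look-up; the storage, $m$ group elements, is the cost that Pollard's rho algorithm in §3.6.3 removes.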


3.59 Note (restricted exponents) In order to improve performance, some cryptographic protocols which use exponentiation in $\mathbb{Z}_p^*$ select exponents of a special form, e.g. having small Hamming weight. (The Hamming weight of an integer is the number of ones in its binary representation.) Suppose that p is a k-bit prime, and only exponents of Hamming weight t are used. The number of such exponents is $\binom{k}{t}$. Algorithm 3.56 can be modified to search the exponent space in roughly $\binom{k/2}{t/2}$ steps. The algorithm also applies to exponents that are restricted in certain other ways, and extends to all finite groups.
3.6.3 Pollard's rho algorithm for logarithms


Pollard’s  rho  algorithm  ( Algorithm  3.60)  for  computing  discrete  logarithms  is  a randomized 
algorithm  with  the  same  expected  running  time  as  the  baby-step  giant-step  algorithm  (Al- 
gorithm 3.56),  but  which  requires  a negligible  amount  of  storage.  For  this  reason,  it  is  far 
preferable  to  Algorithm  3.56  for  problems  of  practical  interest.  For  simplicity,  it  is  assumed 
in  this  subsection  that  G is  a cyclic  group  whose  order  n is  prime. 

The group G is partitioned into three sets $S_1$, $S_2$, and $S_3$ of roughly equal size based on some easily testable property. Some care must be exercised in selecting the partition; for example, $1 \notin S_2$. Define a sequence of group elements $x_0, x_1, x_2, \ldots$ by $x_0 = 1$ and

$$x_{i+1} = \begin{cases} \beta \cdot x_i, & \text{if } x_i \in S_1, \\ x_i^2, & \text{if } x_i \in S_2, \\ \alpha \cdot x_i, & \text{if } x_i \in S_3, \end{cases} \qquad (3.2)$$

for $i \geq 0$. This sequence of group elements in turn defines two sequences of integers $a_0, a_1, a_2, \ldots$ and $b_0, b_1, b_2, \ldots$ satisfying $x_i = \alpha^{a_i}\beta^{b_i}$ for $i \geq 0$; $a_0 = 0$, $b_0 = 0$, and for $i \geq 0$,

$$a_{i+1} = \begin{cases} a_i, & \text{if } x_i \in S_1, \\ 2a_i \bmod n, & \text{if } x_i \in S_2, \\ a_i + 1 \bmod n, & \text{if } x_i \in S_3, \end{cases} \qquad (3.3)$$

and

$$b_{i+1} = \begin{cases} b_i + 1 \bmod n, & \text{if } x_i \in S_1, \\ 2b_i \bmod n, & \text{if } x_i \in S_2, \\ b_i, & \text{if } x_i \in S_3. \end{cases} \qquad (3.4)$$

Floyd's cycle-finding algorithm (Note 3.8) can then be utilized to find two group elements $x_i$ and $x_{2i}$ such that $x_i = x_{2i}$. Hence $\alpha^{a_i}\beta^{b_i} = \alpha^{a_{2i}}\beta^{b_{2i}}$, and so $\beta^{b_i - b_{2i}} = \alpha^{a_{2i} - a_i}$. Taking logarithms to the base $\alpha$ of both sides of this last equation yields

$$(b_i - b_{2i}) \cdot \log_\alpha \beta \equiv (a_{2i} - a_i) \pmod{n}.$$

Provided $b_i \not\equiv b_{2i} \pmod{n}$ (note: $b_i = b_{2i}$ occurs with negligible probability), this equation can then be efficiently solved to determine $\log_\alpha \beta$.


3.60 Algorithm Pollard's rho algorithm for computing discrete logarithms

INPUT: a generator $\alpha$ of a cyclic group G of prime order n, and an element $\beta \in G$.
OUTPUT: the discrete logarithm $x = \log_\alpha \beta$.

1. Set $x_0 \leftarrow 1$, $a_0 \leftarrow 0$, $b_0 \leftarrow 0$.

2. For $i = 1, 2, \ldots$ do the following:

2.1 Using the quantities $x_{i-1}, a_{i-1}, b_{i-1}$, and $x_{2i-2}, a_{2i-2}, b_{2i-2}$ computed previously, compute $x_i, a_i, b_i$ and $x_{2i}, a_{2i}, b_{2i}$ using equations (3.2), (3.3), and (3.4).

2.2 If $x_i = x_{2i}$, then do the following:

Set $r \leftarrow b_i - b_{2i} \bmod n$.

If $r = 0$ then terminate the algorithm with failure; otherwise, compute $x = r^{-1}(a_{2i} - a_i) \bmod n$ and return(x).


In the rare case that Algorithm 3.60 terminates with failure, the procedure can be repeated by selecting random integers $a_0, b_0$ in the interval $[1, n-1]$, and starting with $x_0 = \alpha^{a_0}\beta^{b_0}$. Example 3.61 with artificially small parameters illustrates Pollard's rho algorithm.
3.61 Example (Pollard's rho algorithm for logarithms in a subgroup of $\mathbb{Z}_{383}^*$) The element $\alpha = 2$ is a generator of the subgroup G of $\mathbb{Z}_{383}^*$ of order $n = 191$. Suppose $\beta = 228$. Partition the elements of G into three subsets according to the rule $x \in S_1$ if $x \equiv 1 \pmod{3}$, $x \in S_2$ if $x \equiv 0 \pmod{3}$, and $x \in S_3$ if $x \equiv 2 \pmod{3}$. Table 3.2 shows the values of $x_i, a_i, b_i, x_{2i}, a_{2i}$, and $b_{2i}$ at the end of each iteration of step 2 of Algorithm 3.60. Note that $x_{14} = x_{28} = 144$. Finally, compute $r = b_{14} - b_{28} \bmod 191 = 125$, $r^{-1} = 125^{-1} \bmod 191 = 136$, and $r^{-1}(a_{28} - a_{14}) \bmod 191 = 110$. Hence, $\log_2 228 = 110$. □


   i    x_i   a_i   b_i   x_{2i}  a_{2i}  b_{2i}
   1    228     0     1     279       0       2
   2    279     0     2     184       1       4
   3     92     0     4      14       1       6
   4    184     1     4     256       2       7
   5    205     1     5     304       3       8
   6     14     1     6     121       6      18
   7     28     2     6     144      12      38
   8    256     2     7     235      48     152
   9    152     2     8      72      48     154
  10    304     3     8      14      96     118
  11    372     3     9     256      97     119
  12    121     6    18     304      98     120
  13     12     6    19     121       5      51
  14    144    12    38     144      10     104

Table 3.2: Intermediate steps of Pollard's rho algorithm in Example 3.61.


3.62 Fact Let G be a group of order n, a prime. Assume that the function $f : G \to G$ defined by equation (3.2) behaves like a random function. Then the expected running time of Pollard's rho algorithm for discrete logarithms in G is $O(\sqrt{n})$ group operations. Moreover, the algorithm requires negligible storage.
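Algorithm 3.60 in a prime-order subgroup of $\mathbb{Z}_p^*$, as an added Python example that is not from the Handbook. `rho_step` is equations (3.2), (3.3) and (3.4) with the partition of Example 3.61 ($x \bmod 3$); the main loop advances the pair $(x_i, x_{2i})$ in Floyd's fashion and, on a collision, solves for the logarithm or reports the $r = 0$ failure, which the wrapper handles by restarting from random $a_0, b_0$ as the text describes. Run on Example 3.61 it collides at $i = 14$ and returns 110. Names are my own.

```python
# Added example (not from the Handbook): Pollard's rho for logarithms in the
# order-n subgroup of Z_p^* generated by alpha, n prime, partition by x mod 3.
import random


def rho_step(x, a, b, alpha, beta, p, n):
    """One application of (3.2), (3.3), (3.4) to the triple (x, a, b)."""
    cls = x % 3
    if cls == 1:                                    # S_1: multiply by beta
        return beta * x % p, a, (b + 1) % n
    if cls == 0:                                    # S_2: square
        return x * x % p, 2 * a % n, 2 * b % n
    return alpha * x % p, (a + 1) % n, b            # S_3: multiply by alpha


def pollard_rho_log(alpha, beta, p, n, x0=1, a0=0, b0=0, max_iter=None):
    """log_alpha(beta), or None when the collision gives r = 0 (failure case)."""
    x, a, b = x0, a0, b0                            # tortoise: x_i, a_i, b_i
    X, A, B = x0, a0, b0                            # hare: x_2i, a_2i, b_2i
    for _ in range(max_iter or 4 * n):              # step 2
        x, a, b = rho_step(x, a, b, alpha, beta, p, n)          # 2.1
        X, A, B = rho_step(X, A, B, alpha, beta, p, n)
        X, A, B = rho_step(X, A, B, alpha, beta, p, n)
        if x == X:                                  # 2.2
            r = (b - B) % n
            if r == 0:
                return None                         # terminate with failure
            return pow(r, -1, n) * (A - a) % n
    return None


def pollard_rho_log_with_restart(alpha, beta, p, n, seed=0):
    """Retry with random a0, b0 and x0 = alpha^a0 * beta^b0 until success."""
    rng = random.Random(seed)
    result = pollard_rho_log(alpha, beta, p, n)
    while result is None:
        a0, b0 = rng.randrange(1, n), rng.randrange(1, n)
        x0 = pow(alpha, a0, p) * pow(beta, b0, p) % p
        result = pollard_rho_log(alpha, beta, p, n, x0, a0, b0)
    return result
```

Only the current two triples are kept, which is the "negligible storage" of Fact 3.62; the bound `4 * n` on iterations is a safety limit far above the expected $O(\sqrt{n})$ steps.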


3.6.4  Pohlig-Hellman  algorithm 

Algorithm 3.63 for computing logarithms takes advantage of the factorization of the order n of the group G. Let $n = p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r}$ be the prime factorization of n. If $x = \log_\alpha \beta$, then the approach is to determine $x_i = x \bmod p_i^{e_i}$ for $1 \leq i \leq r$, and then use Gauss's algorithm (Algorithm 2.121) to recover $x \bmod n$. Each integer $x_i$ is determined by computing the digits $l_0, l_1, \ldots, l_{e_i - 1}$ in turn of its $p_i$-ary representation: $x_i = l_0 + l_1 p_i + \cdots + l_{e_i - 1} p_i^{e_i - 1}$, where $0 \leq l_j \leq p_i - 1$.

To see that the output of Algorithm 3.63 is correct, observe first that in step 2.3 the order of $\bar\alpha$ is q. Next, at iteration j of step 2.4, $\gamma = \alpha^{l_0 + l_1 q + \cdots + l_{j-1} q^{j-1}}$. Hence,

$$\begin{aligned}
\bar\beta &= (\beta/\gamma)^{n/q^{j+1}} = \left(\alpha^{x - l_0 - l_1 q - \cdots - l_{j-1} q^{j-1}}\right)^{n/q^{j+1}} \\
&= \left(\alpha^{n/q^{j+1}}\right)^{x_i - l_0 - l_1 q - \cdots - l_{j-1} q^{j-1}} \\
&= \left(\alpha^{n/q^{j+1}}\right)^{l_j q^j + \cdots + l_{e-1} q^{e-1}} \\
&= \left(\alpha^{n/q}\right)^{l_j + \cdots + l_{e-1} q^{e-1-j}} = (\bar\alpha)^{l_j},
\end{aligned}$$

the last equality being true because $\bar\alpha$ has order q. Hence, $\log_{\bar\alpha} \bar\beta$ is indeed equal to $l_j$.
3.63 Algorithm Pohlig-Hellman algorithm for computing discrete logarithms

INPUT: a generator $\alpha$ of a cyclic group G of order n, and an element $\beta \in G$.

OUTPUT: the discrete logarithm $x = \log_\alpha \beta$.

1. Find the prime factorization of n: $n = p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r}$, where $e_i \geq 1$.

2. For i from 1 to r do the following:

(Compute $x_i = l_0 + l_1 p_i + \cdots + l_{e_i - 1} p_i^{e_i - 1}$, where $x_i = x \bmod p_i^{e_i}$)

2.1 (Simplify the notation) Set $q \leftarrow p_i$ and $e \leftarrow e_i$.

2.2 Set $\gamma \leftarrow 1$ and $l_{-1} \leftarrow 0$.

2.3 Compute $\bar\alpha \leftarrow \alpha^{n/q}$.

2.4 (Compute the $l_j$) For j from 0 to $e - 1$ do the following:

Compute $\gamma \leftarrow \gamma \alpha^{l_{j-1} q^{j-1}}$ and $\bar\beta \leftarrow (\beta\gamma^{-1})^{n/q^{j+1}}$.

Compute $l_j \leftarrow \log_{\bar\alpha} \bar\beta$ (e.g., using Algorithm 3.56; see Note 3.67(iii)).

2.5 Set $x_i \leftarrow l_0 + l_1 q + \cdots + l_{e-1} q^{e-1}$.

3. Use Gauss's algorithm (Algorithm 2.121) to compute the integer x, $0 \leq x \leq n - 1$, such that $x \equiv x_i \pmod{p_i^{e_i}}$ for $1 \leq i \leq r$.

4. Return(x).


Example  3.64  illustrates  Algorithm  3.63  with  artificially  small  parameters. 

3.64 Example (Pohlig-Hellman algorithm for logarithms in $\mathbb{Z}_{251}^*$) Let $p = 251$. The element $\alpha = 71$ is a generator of $\mathbb{Z}_{251}^*$ of order $n = 250$. Consider $\beta = 210$. Then $x = \log_{71} 210$ is computed as follows.

1. The prime factorization of n is $250 = 2 \cdot 5^3$.

2. (a) (Compute $x_1 = x \bmod 2$)

Compute $\bar\alpha = \alpha^{n/2} \bmod p = 250$ and $\bar\beta = \beta^{n/2} \bmod p = 250$. Then $x_1 = \log_{250} 250 = 1$.

(b) (Compute $x_2 = x \bmod 5^3 = l_0 + l_1 5 + l_2 5^2$)

i. Compute $\bar\alpha = \alpha^{n/5} \bmod p = 20$.

ii. Compute $\gamma = 1$ and $\bar\beta = (\beta\gamma^{-1})^{n/5} \bmod p = 149$. Using exhaustive search (see footnote 5), compute $l_0 = \log_{20} 149 = 2$.

iii. Compute $\gamma = \gamma\alpha^2 \bmod p = 21$ and $\bar\beta = (\beta\gamma^{-1})^{n/25} \bmod p = 113$. Using exhaustive search, compute $l_1 = \log_{20} 113 = 4$.

iv. Compute $\gamma = \gamma\alpha^{4 \cdot 5} \bmod p = 115$ and $\bar\beta = (\beta\gamma^{-1})^{n/125} \bmod p = 149$. Using exhaustive search, compute $l_2 = \log_{20} 149 = 2$.

Hence, $x_2 = 2 + 4 \cdot 5 + 2 \cdot 5^2 = 72$.

3. Finally, solve the pair of congruences $x \equiv 1 \pmod{2}$, $x \equiv 72 \pmod{125}$ to get $x = \log_{71} 210 = 197$. □
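Algorithm 3.63 in $\mathbb{Z}_p^*$ as an added Python example (not from the Handbook), checked against Example 3.64. Step 1 uses trial division, step 2.4 uses exhaustive search for the prime-order sub-logarithms exactly as the example does (for large $p_i$ one would substitute Algorithm 3.56 or 3.60, per Note 3.67(iii)), and step 3 is Gauss's algorithm. Rather than updating $\gamma$ incrementally, the code recomputes $\gamma = \alpha^{l_0 + \cdots + l_{j-1} q^{j-1}}$ from the digits found so far, which is the same quantity. Names are my own.

```python
# Added example (not from the Handbook): Pohlig-Hellman in Z_p^*.

def factorize(n):
    """Trial division (finds small factors first, cf. Note 3.67(ii)): [(prime, exponent)]."""
    factors = []
    d = 2
    while d * d <= n:
        e = 0
        while n % d == 0:
            n //= d
            e += 1
        if e:
            factors.append((d, e))
        d += 1
    if n > 1:
        factors.append((n, 1))
    return factors


def log_exhaustive(alpha_bar, beta_bar, p, q):
    """log_{alpha_bar}(beta_bar) in Z_p^*, alpha_bar of order q (Section 3.6.1)."""
    g = 1
    for l in range(q):
        if g == beta_bar:
            return l
        g = g * alpha_bar % p
    raise ValueError("beta_bar is not a power of alpha_bar")


def crt(residues, moduli):
    """Gauss's algorithm (Algorithm 2.121) for pairwise coprime moduli."""
    n = 1
    for m in moduli:
        n *= m
    x = 0
    for r, m in zip(residues, moduli):
        n_i = n // m
        x += r * n_i * pow(n_i, -1, m)
    return x % n


def pohlig_hellman(alpha, beta, p, n):
    """Algorithm 3.63: x = log_alpha(beta) in Z_p^*, where alpha has order n."""
    residues, moduli = [], []
    for q, e in factorize(n):                          # step 1, then step 2 per prime
        alpha_bar = pow(alpha, n // q, p)              # 2.3: alpha_bar has order q
        x_i, q_pow = 0, 1                              # digits found so far; q_pow = q^j
        for j in range(e):                             # 2.4
            gamma = pow(alpha, x_i, p)                 # alpha^(l_0 + ... + l_{j-1} q^{j-1})
            beta_bar = pow(beta * pow(gamma, -1, p) % p, n // (q_pow * q), p)
            l_j = log_exhaustive(alpha_bar, beta_bar, p, q)
            x_i += l_j * q_pow
            q_pow *= q
        residues.append(x_i)                           # 2.5: x_i = x mod q^e
        moduli.append(q ** e)
    return crt(residues, moduli)                       # step 3
```

The whole cost is governed by the largest prime divisor of n, which is what Fact 3.65 and Note 3.66 make precise; the 250-element group here is tiny, but the structure of the computation is the same for the 107-digit example that follows.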

3.65 Fact Given the factorization of n, the running time of the Pohlig-Hellman algorithm (Algorithm 3.63) is $O\left(\sum_{i=1}^{r} e_i (\lg n + \sqrt{p_i})\right)$ group multiplications.

3.66  Note  ( effectiveness  of  Pohlig-Hellman)  Fact  3.65  implies  that  the  Pohlig-Hellman  algo- 
rithm is  efficient  only  if  each  prime  divisor  p*  of  n is  relatively  small;  that  is,  if  n is  a smooth 

Exhaustive  search  is  preferable  to  Algorithm  3.56  when  the  group  is  very  small  (here  the  order  of  ci  is  5). 
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integer  (Definition  3.13).  An  example  of  a group  in  which  the  Pohlig-Hellman  algorithm 
is  effective  follows.  Consider  the  multiplicative  group  Z*  where  p is  the  107-digit  prime: 

p = 227088231986781039743145181950291021585250524967592855 
96453269189798311427475159776411276642277139650833937. 

The  order  of  Z*  is  n = p — 1 = 24  • 104729s  ■ 224737s  • 3503774.  Since  the  largest  prime 
divisor  of  p — 1 is  only  350377,  it  is  relatively  easy  to  compute  logarithms  in  this  group 
using  the  Pohlig-Hellman  algorithm. 

3.67 Note (miscellaneous)

(i) If $n$ is a prime, then Algorithm 3.63 (Pohlig-Hellman) is the same as baby-step giant-step (Algorithm 3.56).

(ii) In step 1 of Algorithm 3.63, a factoring algorithm which finds small factors first (e.g., Algorithm 3.9) should be employed; if the order $n$ is not a smooth integer, then Algorithm 3.63 is inefficient anyway.

(iii) The storage required for Algorithm 3.56 in step 2.4 can be eliminated by using instead Pollard's rho algorithm (Algorithm 3.60).
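The following is an added worked example of Algorithm 3.63 on the parameters of Example 3.64; it is not code from the Handbook. The small-subgroup logarithms of step 2.4 are taken with a baby-step giant-step routine standing in for Algorithm 3.56 (an exhaustive search, as in the example, would do equally well at this size), and step 3 is Gauss's algorithm for the Chinese remainder theorem. The prime factorization of the group order is passed in rather than computed, as Fact 3.65 assumes. Python 3.8 or later is assumed for `pow(x, -1, p)`.

```python
# Added example (not from the Handbook): Algorithm 3.63 on the parameters of Example 3.64.
# Assumes Python 3.8+ (pow(x, -1, p) for modular inverses).
from math import isqrt


def baby_step_giant_step(alpha, beta, order, p):
    """Return log_alpha(beta) in Z_p^*, where alpha has the given small order.

    Stands in for Algorithm 3.56 in step 2.4 of Algorithm 3.63.
    """
    m = isqrt(order) + 1
    baby = {}
    e = 1
    for j in range(m):                      # baby steps: alpha^j -> j
        baby.setdefault(e, j)
        e = e * alpha % p
    giant = pow(alpha, -m, p)               # alpha^{-m}
    gamma = beta
    for i in range(m):                      # giant steps: beta * alpha^{-im}
        if gamma in baby:
            return (i * m + baby[gamma]) % order
        gamma = gamma * giant % p
    raise ValueError("beta is not in the subgroup generated by alpha")


def crt(residues):
    """Gauss's algorithm (Algorithm 2.121): combine (x_i, m_i) pairs with pairwise coprime m_i."""
    x, mod = 0, 1
    for r, m in residues:
        x += mod * ((r - x) * pow(mod, -1, m) % m)
        mod *= m
    return x % mod


def pohlig_hellman(alpha, beta, p, factors):
    """log_alpha(beta) in Z_p^* for a generator alpha; factors = {q: e} with p - 1 = prod q^e."""
    n = p - 1
    residues = []
    for q, e in factors.items():            # step 2: one prime power q^e at a time
        alpha_bar = pow(alpha, n // q, p)   # step 2.3: an element of order q
        gamma, l_prev, x_i = 1, 0, 0        # step 2.2
        for j in range(e):                  # step 2.4: extract digit l_j of x mod q^e
            if j > 0:                       # for j = 0 the factor alpha^{l_{-1} q^{-1}} is 1
                gamma = gamma * pow(alpha, l_prev * q ** (j - 1), p) % p
            beta_bar = pow(beta * pow(gamma, -1, p), n // q ** (j + 1), p)
            l_prev = baby_step_giant_step(alpha_bar, beta_bar, q, p)
            x_i += l_prev * q ** j          # step 2.5, accumulated digit by digit
        residues.append((x_i, q ** e))
    return crt(residues)                    # step 3


if __name__ == "__main__":
    x = pohlig_hellman(71, 210, 251, {2: 1, 5: 3})
    print(x, pow(71, x, 251))               # 197 210
```

Running it reproduces the example: the digits for $q = 5$ come out as $2, 4, 2$ (so $x_2 = 72$), $x_1 = 1$, and the CRT step gives 197. The cost is dominated by the largest prime factor of $n$, which is why Fact 3.65 makes the group order's smoothness, not its size, the deciding factor.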


3.6.5 Index-calculus algorithm

The index-calculus algorithm is the most powerful method known for computing discrete logarithms. The technique employed does not apply to all groups, but when it does, it often gives a subexponential-time algorithm. The algorithm is first described in the general setting of a cyclic group $G$ (Algorithm 3.68). Two examples are then presented to illustrate how the index-calculus algorithm works in two kinds of groups that are used in practical applications, namely $\mathbb{Z}_p^*$ (Example 3.69) and $\mathbb{F}_{2^m}^*$ (Example 3.70).

The index-calculus algorithm requires the selection of a relatively small subset $S$ of elements of $G$, called the factor base, in such a way that a significant fraction of elements of $G$ can be efficiently expressed as products of elements from $S$. Algorithm 3.68 proceeds to precompute a database containing the logarithms of all the elements in $S$, and then reuses this database each time the logarithm of a particular group element is required.

The description of Algorithm 3.68 is incomplete for two reasons. Firstly, a technique for selecting the factor base $S$ is not specified. Secondly, a method for efficiently generating relations of the form (3.5) and (3.7) is not specified. The factor base $S$ must be a subset of $G$ that is small (so that the system of equations to be solved in step 3 is not too large), but not too small (so that the expected number of trials to generate a relation (3.5) or (3.7) is not too large). Suitable factor bases and techniques for generating relations are known for some cyclic groups including $\mathbb{Z}_p^*$ (see §3.6.5(i)) and $\mathbb{F}_{2^m}^*$ (see §3.6.5(ii)), and, moreover, the multiplicative group $\mathbb{F}_q^*$ of a general finite field $\mathbb{F}_q$.


3.68 Algorithm Index-calculus algorithm for discrete logarithms in cyclic groups

INPUT: a generator $\alpha$ of a cyclic group $G$ of order $n$, and an element $\beta \in G$.

OUTPUT: the discrete logarithm $y = \log_\alpha \beta$.

1. (Select a factor base $S$) Choose a subset $S = \{p_1, p_2, \ldots, p_t\}$ of $G$ such that a "significant proportion" of all elements in $G$ can be efficiently expressed as a product of elements from $S$.

2. (Collect linear relations involving logarithms of elements in $S$)

2.1 Select a random integer $k$, $0 \le k \le n - 1$, and compute $\alpha^k$.

2.2 Try to write $\alpha^k$ as a product of elements in $S$:

$$\alpha^k = \prod_{i=1}^{t} p_i^{c_i}, \quad c_i \ge 0. \tag{3.5}$$

If successful, take logarithms of both sides of equation (3.5) to obtain a linear relation

$$k \equiv \sum_{i=1}^{t} c_i \log_\alpha p_i \pmod{n}. \tag{3.6}$$

2.3 Repeat steps 2.1 and 2.2 until $t + c$ relations of the form (3.6) are obtained ($c$ is a small positive integer, e.g. $c = 10$, such that the system of equations given by the $t + c$ relations has a unique solution with high probability).

3. (Find the logarithms of elements in $S$) Working modulo $n$, solve the linear system of $t + c$ equations (in $t$ unknowns) of the form (3.6) collected in step 2 to obtain the values of $\log_\alpha p_i$, $1 \le i \le t$.

4. (Compute $y$)

4.1 Select a random integer $k$, $0 \le k \le n - 1$, and compute $\beta \cdot \alpha^k$.

4.2 Try to write $\beta \cdot \alpha^k$ as a product of elements in $S$:

$$\beta \cdot \alpha^k = \prod_{i=1}^{t} p_i^{d_i}, \quad d_i \ge 0. \tag{3.7}$$

If the attempt is unsuccessful then repeat step 4.1. Otherwise, taking logarithms of both sides of equation (3.7) yields $\log_\alpha \beta = \left(\sum_{i=1}^{t} d_i \log_\alpha p_i - k\right) \bmod n$; thus, compute $y = \left(\sum_{i=1}^{t} d_i \log_\alpha p_i - k\right) \bmod n$ and return($y$).


(i) Index-calculus algorithm in $\mathbb{Z}_p^*$

For the field $\mathbb{Z}_p$, $p$ a prime, the factor base $S$ can be chosen as the first $t$ prime numbers. A relation (3.5) is generated by computing $\alpha^k \bmod p$ and then using trial division to check whether this integer is a product of primes in $S$. Example 3.69 illustrates Algorithm 3.68 in $\mathbb{Z}_p^*$ on a problem with artificially small parameters.

3.69 Example (Algorithm 3.68 for logarithms in $\mathbb{Z}_{229}^*$) Let $p = 229$. The element $\alpha = 6$ is a generator of $\mathbb{Z}_{229}^*$ of order $n = 228$. Consider $\beta = 13$. Then $\log_6 13$ is computed as follows, using the index-calculus technique.

1. The factor base is chosen to be the first 5 primes: $S = \{2, 3, 5, 7, 11\}$.

2. The following six relations involving elements of the factor base are obtained (unsuccessful attempts are not shown):

$6^{100} \bmod 229 = 180 = 2^2 \cdot 3^2 \cdot 5$
$6^{18} \bmod 229 = 176 = 2^4 \cdot 11$
$6^{12} \bmod 229 = 165 = 3 \cdot 5 \cdot 11$
$6^{62} \bmod 229 = 154 = 2 \cdot 7 \cdot 11$
$6^{143} \bmod 229 = 198 = 2 \cdot 3^2 \cdot 11$
$6^{206} \bmod 229 = 210 = 2 \cdot 3 \cdot 5 \cdot 7.$

These relations yield the following six equations involving the logarithms of elements in the factor base:

$100 \equiv 2\log_6 2 + 2\log_6 3 + \log_6 5 \pmod{228}$

$18 \equiv 4\log_6 2 + \log_6 11 \pmod{228}$

$12 \equiv \log_6 3 + \log_6 5 + \log_6 11 \pmod{228}$

$62 \equiv \log_6 2 + \log_6 7 + \log_6 11 \pmod{228}$

$143 \equiv \log_6 2 + 2\log_6 3 + \log_6 11 \pmod{228}$

$206 \equiv \log_6 2 + \log_6 3 + \log_6 5 + \log_6 7 \pmod{228}.$

3. Solving the linear system of six equations in five unknowns (the logarithms $x_i = \log_6 p_i$) yields the solutions $\log_6 2 = 21$, $\log_6 3 = 208$, $\log_6 5 = 98$, $\log_6 7 = 107$, and $\log_6 11 = 162$.

4. Suppose that the integer $k = 77$ is selected. Since $\beta \cdot \alpha^k = 13 \cdot 6^{77} \bmod 229 = 147 = 3 \cdot 7^2$, it follows that

$\log_6 13 = (\log_6 3 + 2\log_6 7 - 77) \bmod 228 = 117.$ □
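An added implementation of Algorithm 3.68 in $\mathbb{Z}_p^*$, run on the parameters of Example 3.69; this is not code from the Handbook. Trial division over the first $t$ primes is the smoothness test of step 2.2, and step 3 is Gauss-Jordan elimination over $\mathbb{Z}_n$. Because $n = 228$ is composite, a pivot must be a unit modulo $n$; when no column entry is a unit the code simply gathers more relations and retries, which is the practical reason step 2.3 asks for $t + c$ relations rather than exactly $t$. The random choices are seeded so the run is reproducible; the seed values, the factor base size and the retry increment are the example's own choices. Python 3.8 or later is assumed for `pow(x, -1, n)`.

```python
# Added example (not from the Handbook): Algorithm 3.68 in Z_p^* with the factor base
# of Example 3.69. Assumes Python 3.8+ (pow(x, -1, n)).
import random
from math import gcd


def factor_over_base(value, base):
    """Trial division by the primes in base (step 2.2); exponent vector, or None if not smooth."""
    exps = []
    for q in base:
        e = 0
        while value % q == 0:
            value //= q
            e += 1
        exps.append(e)
    return exps if value == 1 else None


def solve_mod_n(rows, t, n):
    """Gauss-Jordan elimination over Z_n for rows [c_1, ..., c_t, k] (step 3).

    n may be composite, so every pivot must be a unit mod n; returns None when
    some column offers no unit pivot or the surplus rows are inconsistent.
    """
    rows = [r[:] for r in rows]
    m = len(rows)
    for col in range(t):
        piv = next((r for r in range(col, m) if gcd(rows[r][col], n) == 1), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, n)
        rows[col] = [v * inv % n for v in rows[col]]
        for r in range(m):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(a - f * b) % n for a, b in zip(rows[r], rows[col])]
    if any(v for r in rows[t:] for v in r):   # surplus rows must have reduced to 0 = 0
        return None
    return [rows[i][t] for i in range(t)]


def factor_base_logs(p, alpha, base, seed=1, c=10):
    """Steps 2 and 3: collect t + c relations (3.6) and solve for log_alpha(p_i)."""
    rng = random.Random(seed)                  # seeded so the run is reproducible
    n, t = p - 1, len(base)
    rows, logs = [], None
    while logs is None:
        while len(rows) < t + c:
            k = rng.randrange(1, n)                          # step 2.1
            exps = factor_over_base(pow(alpha, k, p), base)  # step 2.2
            if exps is not None:
                rows.append(exps + [k])                      # relation (3.6)
        logs = solve_mod_n(rows, t, n)
        c += 5                                               # not solvable yet: more relations
    return logs


def index_calculus(p, alpha, beta, base=(2, 3, 5, 7, 11), seed=1):
    n = p - 1
    logs = factor_base_logs(p, alpha, base, seed)
    rng = random.Random(seed + 1)
    while True:                                  # step 4
        k = rng.randrange(1, n)
        exps = factor_over_base(beta * pow(alpha, k, p) % p, base)
        if exps is not None:                     # relation (3.7)
            return (sum(d * l for d, l in zip(exps, logs)) - k) % n


if __name__ == "__main__":
    print(factor_base_logs(229, 6, (2, 3, 5, 7, 11)))   # [21, 208, 98, 107, 162]
    print(index_calculus(229, 6, 13))                   # 117
```

The factor-base logarithms are uniquely determined (6 generates $\mathbb{Z}_{229}^*$), so whatever relations the seed produces, step 3 returns the same five values as the example, and step 4 returns 117 regardless of which $k$ happens to make $13 \cdot 6^k$ smooth.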

(ii) Index-calculus algorithm in $\mathbb{F}_{2^m}^*$

The elements of the finite field $\mathbb{F}_{2^m}$ are represented as polynomials in $\mathbb{Z}_2[x]$ of degree at most $m - 1$, where multiplication is performed modulo a fixed irreducible polynomial $f(x)$ of degree $m$ in $\mathbb{Z}_2[x]$ (see §2.6). The factor base $S$ can be chosen as the set of all irreducible polynomials in $\mathbb{Z}_2[x]$ of degree at most some prescribed bound $b$. A relation (3.5) is generated by computing $\alpha^k \bmod f(x)$ and then using trial division to check whether this polynomial is a product of polynomials in $S$. Example 3.70 illustrates Algorithm 3.68 in $\mathbb{F}_{2^m}^*$ on a problem with artificially small parameters.

3.70 Example (Algorithm 3.68 for logarithms in $\mathbb{F}_{2^7}^*$) The polynomial $f(x) = x^7 + x + 1$ is irreducible over $\mathbb{Z}_2$. Hence, the elements of the finite field $\mathbb{F}_{2^7}$ of order 128 can be represented as the set of all polynomials in $\mathbb{Z}_2[x]$ of degree at most 6, where multiplication is performed modulo $f(x)$. The order of $\mathbb{F}_{2^7}^*$ is $n = 2^7 - 1 = 127$, and $\alpha = x$ is a generator of $\mathbb{F}_{2^7}^*$. Suppose $\beta = x^4 + x^3 + x^2 + x + 1$. Then $y = \log_x \beta$ can be computed as follows, using the index-calculus technique.

1. The factor base is chosen to be the set of all irreducible polynomials in $\mathbb{Z}_2[x]$ of degree at most 3: $S = \{x,\ x + 1,\ x^2 + x + 1,\ x^3 + x + 1,\ x^3 + x^2 + 1\}$.

2. The following five relations involving elements of the factor base are obtained (unsuccessful attempts are not shown):

$x^{18} \bmod f(x) = x^6 + x^4 = x^4 (x + 1)^2$

$x^{105} \bmod f(x) = x^6 + x^5 + x^4 + x = x (x + 1)^2 (x^3 + x^2 + 1)$

$x^{72} \bmod f(x) = x^6 + x^5 + x^3 + x^2 = x^2 (x + 1)^2 (x^2 + x + 1)$

$x^{45} \bmod f(x) = x^5 + x^2 + x + 1 = (x + 1)^2 (x^3 + x + 1)$

$x^{121} \bmod f(x) = x^6 + x^5 + x^4 + x^3 + x^2 + x + 1 = (x^3 + x + 1)(x^3 + x^2 + 1)$

These relations yield the following five equations involving the logarithms of elements in the factor base (for convenience of notation, let $p_1 = \log_x x$, $p_2 = \log_x (x + 1)$, $p_3 = \log_x (x^2 + x + 1)$, $p_4 = \log_x (x^3 + x + 1)$, and $p_5 = \log_x (x^3 + x^2 + 1)$):

$18 \equiv 4p_1 + 2p_2 \pmod{127}$

$105 \equiv p_1 + 2p_2 + p_5 \pmod{127}$

$72 \equiv 2p_1 + 2p_2 + p_3 \pmod{127}$

$45 \equiv 2p_2 + p_4 \pmod{127}$

$121 \equiv p_4 + p_5 \pmod{127}.$

3. Solving the linear system of five equations in five unknowns yields the values $p_1 = 1$, $p_2 = 7$, $p_3 = 56$, $p_4 = 31$, and $p_5 = 90$.

4. Suppose $k = 66$ is selected. Since

$\beta \alpha^k = (x^4 + x^3 + x^2 + x + 1) x^{66} \bmod f(x) = x^5 + x^3 + x = x (x^2 + x + 1)^2,$

it follows that

$\log_x (x^4 + x^3 + x^2 + x + 1) = (p_1 + 2p_3 - 66) \bmod 127 = 47.$ □
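An added example, not from the Handbook, of the part of Algorithm 3.68 that differs between $\mathbb{Z}_p^*$ and $\mathbb{F}_{2^m}^*$: arithmetic in $\mathbb{Z}_2[x]$ modulo $f(x)$ and trial division by the factor-base polynomials. Polynomials are stored as Python integers with bit $i$ holding the coefficient of $x^i$, so addition is XOR. The block regenerates the five relations of Example 3.70 and, taking the factor-base logarithms $p_1, \ldots, p_5$ from step 3 of the example as given (the linear-algebra step is the same as in $\mathbb{Z}_p^*$ and is not repeated here), carries out step 4 for $k = 66$.

```python
# Added example (not from the Handbook): relation generation for Algorithm 3.68 in
# F_{2^7} with f(x) = x^7 + x + 1 and the factor base of Example 3.70.
# Polynomials over Z_2 are Python ints: bit i is the coefficient of x^i.
F = 0b10000011                                  # f(x) = x^7 + x + 1
M = 7
X = 0b10                                        # the generator alpha = x
BASE = [0b10, 0b11, 0b111, 0b1011, 0b1101]      # x, x+1, x^2+x+1, x^3+x+1, x^3+x^2+1


def gf2_mulmod(a, b, f=F, m=M):
    """Multiply two polynomials over Z_2 (both of degree < m) and reduce modulo f."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m & 1:                          # degree reached m: subtract (xor) f
            a ^= f
    return r


def gf2_powmod(a, e, f=F, m=M):
    """a^e mod f by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf2_mulmod(r, a, f, m)
        a = gf2_mulmod(a, a, f, m)
        e >>= 1
    return r


def gf2_divmod(a, b):
    """Long division of polynomials over Z_2: returns (quotient, remainder)."""
    db = b.bit_length() - 1
    q = 0
    while a and a.bit_length() - 1 >= db:
        shift = a.bit_length() - 1 - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def factor_over_base(poly, base=BASE):
    """Trial division by the factor-base polynomials; exponent vector or None if not smooth."""
    if poly == 0:
        return None
    exps = []
    for g in base:
        e = 0
        while True:
            q, r = gf2_divmod(poly, g)
            if r:
                break
            poly, e = q, e + 1
        exps.append(e)
    return exps if poly == 1 else None


def relation(k):
    """x^k mod f(x) together with its factor-base exponents (relation (3.5))."""
    value = gf2_powmod(X, k)
    return value, factor_over_base(value)


def individual_log(beta, k, logs, n=2 ** M - 1):
    """Step 4, given the factor-base logarithms: log_x(beta) from the factorization of beta * x^k."""
    exps = factor_over_base(gf2_mulmod(beta, gf2_powmod(X, k)))
    if exps is None:
        return None                             # not smooth: pick another k
    return (sum(d * l for d, l in zip(exps, logs)) - k) % n


if __name__ == "__main__":
    for k in (18, 105, 72, 45, 121):
        print(k, relation(k))
    print(individual_log(0b11111, 66, [1, 7, 56, 31, 90]))   # 47
```

The exponent vectors printed for $k = 18, 105, 72, 45, 121$ are the rows of the five equations in step 2, and the last line is the value of step 4.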

3.71 Note (running time of Algorithm 3.68) To optimize the running time of the index-calculus algorithm, the size $t$ of the factor base should be judiciously chosen. The optimal selection relies on knowledge concerning the distribution of smooth integers in the interval $[1, p - 1]$ for the case of $\mathbb{Z}_p^*$, and for the case of $\mathbb{F}_{2^m}^*$ on the distribution of smooth polynomials (that is, polynomials all of whose irreducible factors have relatively small degrees) among polynomials in $\mathbb{F}_2[x]$ of degree less than $m$. With an optimal choice of $t$, the index-calculus algorithm as described above for $\mathbb{Z}_p^*$ and $\mathbb{F}_{2^m}^*$ has an expected running time of $L_q[\frac{1}{2}, c]$ where $q = p$ or $q = 2^m$, and $c > 0$ is a constant.

3.72 Note (fastest algorithms known for discrete logarithms in $\mathbb{Z}_p^*$ and $\mathbb{F}_{2^m}^*$) Currently, the best algorithm known for computing logarithms in $\mathbb{F}_{2^m}^*$ is a variation of the index-calculus algorithm called Coppersmith's algorithm, with an expected running time of $L_{2^m}[\frac{1}{3}, c]$ for some constant $c < 1.587$. The best algorithm known for computing logarithms in $\mathbb{Z}_p^*$ is a variation of the index-calculus algorithm called the number field sieve, with an expected running time of $L_p[\frac{1}{3}, 1.923]$. The latest efforts in these directions are surveyed in the Notes section (§3.12).

3.73 Note (parallelization of the index-calculus algorithm)

(i) For the optimal choice of parameters, the most time-consuming phase of the index-calculus algorithm is usually the generation of relations involving factor base logarithms (step 2 of Algorithm 3.68). The work for this stage can be easily distributed among a network of processors by simply having the processors search for relations independently of each other. The relations generated are collected by a central processor. When enough relations have been generated, the corresponding system of linear equations can be solved (step 3 of Algorithm 3.68) on a single (possibly parallel) computer.

(ii) The database of factor base logarithms need only be computed once for a given finite field. Relative to this, the computation of individual logarithms (step 4 of Algorithm 3.68) is considerably faster.
3.6.6 Discrete logarithm problem in subgroups of $\mathbb{Z}_p^*$

The discrete logarithm problem in subgroups of $\mathbb{Z}_p^*$ has special interest because its presumed intractability is the basis for the security of the U.S. Government NIST Digital Signature Algorithm (§11.5.1), among other cryptographic techniques.

Let $p$ be a prime and $q$ a prime divisor of $p - 1$. Let $G$ be the unique cyclic subgroup of $\mathbb{Z}_p^*$ of order $q$, and let $\alpha$ be a generator of $G$. Then the discrete logarithm problem in $G$ is the following: given $p$, $q$, $\alpha$, and $\beta \in G$, find the unique integer $x$, $0 \le x \le q - 1$, such that $\alpha^x \equiv \beta \pmod p$. The powerful index-calculus algorithms do not appear to apply directly in $G$. That is, one needs to apply the index-calculus algorithm in the group $\mathbb{Z}_p^*$ itself in order to compute logarithms in the smaller group $G$. Consequently, there are two approaches one could take to computing logarithms in $G$:

1. Use a "square-root" algorithm directly in $G$, such as Pollard's rho algorithm (Algorithm 3.60). The running time of this approach is $O(\sqrt{q})$.

2. Let $\gamma$ be a generator of $\mathbb{Z}_p^*$, and let $l = (p - 1)/q$. Use an index-calculus algorithm in $\mathbb{Z}_p^*$ to find integers $y$ and $z$ such that $\alpha = \gamma^y$ and $\beta = \gamma^z$. Then $x = \log_\alpha \beta = (z/l)(y/l)^{-1} \bmod q$. (Since $y$ and $z$ are both divisible by $l$, $y/l$ and $z/l$ are indeed integers.) The running time of this approach is $L_p[\frac{1}{3}, c]$ if the number field sieve is used.

Which of the two approaches is faster depends on the relative size of $\sqrt{q}$ and $L_p[\frac{1}{3}, c]$.


3.7 The Diffie-Hellman problem

The Diffie-Hellman problem is closely related to the well-studied discrete logarithm problem (DLP) of §3.6. It is of significance to public-key cryptography because its apparent intractability forms the basis for the security of many cryptographic schemes including Diffie-Hellman key agreement and its derivatives (§12.6), and ElGamal public-key encryption (§8.4).

3.74 Definition The Diffie-Hellman problem (DHP) is the following: given a prime $p$, a generator $\alpha$ of $\mathbb{Z}_p^*$, and elements $\alpha^a \bmod p$ and $\alpha^b \bmod p$, find $\alpha^{ab} \bmod p$.

3.75 Definition The generalized Diffie-Hellman problem (GDHP) is the following: given a finite cyclic group $G$, a generator $\alpha$ of $G$, and group elements $\alpha^a$ and $\alpha^b$, find $\alpha^{ab}$.

Suppose that the discrete logarithm problem in $\mathbb{Z}_p^*$ could be efficiently solved. Then given $\alpha$, $p$, $\alpha^a \bmod p$ and $\alpha^b \bmod p$, one could first find $a$ from $\alpha$, $p$, and $\alpha^a \bmod p$ by solving a discrete logarithm problem, and then compute $(\alpha^b)^a = \alpha^{ab} \bmod p$. This establishes the following relation between the Diffie-Hellman problem and the discrete logarithm problem.
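The two reductions just described, approach 2 of §3.6.6 and the DHP-to-DLP reduction of this section, as an added example that is not part of the Handbook. An exhaustive-search logarithm stands in for the index-calculus or DLP oracle, which is only sensible at the constructed size $p = 251$, $\gamma = 71$ (a generator, as in Example 3.64), $q = 5$ and $l = 50$; the point is the bookkeeping around the oracle, not the oracle itself. Python 3.8 or later is assumed for `pow(x, -1, q)`.

```python
# Added example (not from the Handbook): approach 2 of Section 3.6.6 and the reduction
# DHP <=_P DLP of Section 3.7, with exhaustive search standing in for the DLP oracle.
# Constructed parameters: p = 251, gamma = 71 (order 250), q = 5, so l = 50.

def brute_force_log(p, gamma, beta):
    """Smallest x with gamma^x = beta (mod p); a stand-in DLP oracle usable only for tiny p."""
    x, v = 0, 1
    while v != beta:
        v = v * gamma % p
        x += 1
        if x >= p:
            raise ValueError("beta is not a power of gamma")
    return x


def solve_dhp_with_dlp(p, alpha, alpha_a, alpha_b):
    """Fact 3.76 (DHP <=_P DLP): recover a = log_alpha(alpha^a), then return (alpha^b)^a."""
    a = brute_force_log(p, alpha, alpha_a)
    return pow(alpha_b, a, p)


def subgroup_log_via_full_group(p, q, gamma, alpha, beta):
    """Approach 2 of Section 3.6.6: logarithms in Z_p^* to the base gamma give
    log_alpha(beta) in the subgroup of order q generated by alpha."""
    l = (p - 1) // q
    y = brute_force_log(p, gamma, alpha)     # alpha = gamma^y
    z = brute_force_log(p, gamma, beta)      # beta  = gamma^z
    assert y % l == 0 and z % l == 0         # both lie in the subgroup of order q
    return (z // l) * pow(y // l, -1, q) % q


if __name__ == "__main__":
    p, gamma, q = 251, 71, 5
    alpha = pow(gamma, 100, p)               # gamma^{2l}: a generator of the order-5 subgroup
    beta = pow(alpha, 3, p)
    print(subgroup_log_via_full_group(p, q, gamma, alpha, beta))           # 3
    A, B = pow(gamma, 7, p), pow(gamma, 13, p)
    print(solve_dhp_with_dlp(p, gamma, A, B) == pow(gamma, 7 * 13, p))     # True
```

In `subgroup_log_via_full_group` the inverse $(y/l)^{-1} \bmod q$ exists exactly when $\alpha$ generates $G$, i.e. when $y/l \not\equiv 0 \pmod q$.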

3.76 Fact DHP $\le_P$ DLP. That is, DHP polytime reduces to the DLP. More generally, GDHP $\le_P$ GDLP.

The question then remains whether the GDLP and GDHP are computationally equivalent. This remains unknown; however, some recent progress in this regard is summarized in Fact 3.77. Recall that $\phi$ is the Euler phi function (Definition 2.100), and an integer is $B$-smooth if all its prime factors are $\le B$ (Definition 3.13).
3.77 Fact (known equivalences between GDHP and GDLP)

(i) Let $p$ be a prime where the factorization of $p - 1$ is known. Suppose also that $\phi(p - 1)$ is $B$-smooth, where $B = O((\ln p)^c)$ for some constant $c$. Then the DHP and DLP in $\mathbb{Z}_p^*$ are computationally equivalent.

(ii) More generally, let $G$ be a finite cyclic group of order $n$ where the factorization of $n$ is known. Suppose also that $\phi(n)$ is $B$-smooth, where $B = O((\ln n)^c)$ for some constant $c$. Then the GDHP and GDLP in $G$ are computationally equivalent.

(iii) Let $G$ be a finite cyclic group of order $n$ where the factorization of $n$ is known. If for each prime divisor $p$ of $n$ either $p - 1$ or $p + 1$ is $B$-smooth, where $B = O((\ln n)^c)$ for some constant $c$, then the GDHP and GDLP in $G$ are computationally equivalent.


3.8 Composite moduli

The group of units of $\mathbb{Z}_n$, namely $\mathbb{Z}_n^*$, has been proposed for use in several cryptographic mechanisms, including the key agreement protocols of Yacobi and McCurley (see §12.6 notes on page 538) and the identification scheme of Girault (see §10.4 notes on page 423). There are connections of cryptographic interest between the discrete logarithm and Diffie-Hellman problems in (cyclic subgroups of) $\mathbb{Z}_n^*$, and the problem of factoring $n$. This section summarizes the results known along these lines.

3.78 Fact Let $n$ be a composite integer. If the discrete logarithm problem in $\mathbb{Z}_n^*$ can be solved in polynomial time, then $n$ can be factored in expected polynomial time.

In other words, the discrete logarithm problem in $\mathbb{Z}_n^*$ is at least as difficult as the problem of factoring $n$. Fact 3.79 is a partial converse to Fact 3.78 and states that the discrete logarithm in $\mathbb{Z}_n^*$ is no harder than the combination of the problems of factoring $n$ and computing discrete logarithms in $\mathbb{Z}_p^*$ for each prime factor $p$ of $n$.

3.79 Fact Let $n$ be a composite integer. The discrete logarithm problem in $\mathbb{Z}_n^*$ polytime reduces to the combination of the integer factorization problem and the discrete logarithm problem in $\mathbb{Z}_p^*$ for each prime factor $p$ of $n$.

Fact 3.80 states that the Diffie-Hellman problem in $\mathbb{Z}_n^*$ is at least as difficult as the problem of factoring $n$.

3.80 Fact Let $n = pq$ where $p$ and $q$ are odd primes. If the Diffie-Hellman problem in $\mathbb{Z}_n^*$ can be solved in polynomial time for a non-negligible proportion of all bases $\alpha \in \mathbb{Z}_n^*$, then $n$ can be factored in expected polynomial time.


3.9 Computing individual bits

While the discrete logarithm problem in $\mathbb{Z}_p^*$ (§3.6), the RSA problem (§3.3), and the problem of computing square roots modulo a composite integer $n$ (§3.5.2) appear to be intractable when the problem parameters are carefully selected, it remains possible that it is much easier to compute some partial information about the solution, for example, its least significant bit. It turns out that while some bits of the solution to these problems are indeed easy to compute, other bits are equally difficult to compute as the entire solution. This section summarizes the results known along these lines. The results have applications to the construction of probabilistic public-key encryption schemes (§8.7) and pseudorandom bit generation (§5.5).

Recall (Definition 1.12) that a function $f$ is called a one-way function if $f(x)$ is easy to compute for all $x$ in its domain, but for essentially all $y$ in the range of $f$, it is computationally infeasible to find any $x$ such that $f(x) = y$.

Three (candidate) one-way functions

Although no proof is known for the existence of a one-way function, it is widely believed that one-way functions do exist (cf. Remark 9.12). The following are candidate one-way functions (in fact, one-way permutations) since they are easy to compute, but their inversion requires the solution of the discrete logarithm problem in $\mathbb{Z}_p^*$, the RSA problem, or the problem of computing square roots modulo $n$, respectively:

1. exponentiation modulo $p$. Let $p$ be a prime and let $\alpha$ be a generator of $\mathbb{Z}_p^*$. The function is $f : \mathbb{Z}_p^* \to \mathbb{Z}_p^*$ defined as $f(x) = \alpha^x \bmod p$.

2. RSA function. Let $p$ and $q$ be distinct odd primes, $n = pq$, and let $e$ be an integer such that $\gcd(e, (p - 1)(q - 1)) = 1$. The function is $f : \mathbb{Z}_n \to \mathbb{Z}_n$ defined as $f(x) = x^e \bmod n$.

3. Rabin function. Let $n = pq$, where $p$ and $q$ are distinct primes each congruent to 3 modulo 4. The function is $f : Q_n \to Q_n$ defined as $f(x) = x^2 \bmod n$. (Recall from Fact 2.160 that $f$ is a permutation, and from Fact 3.46 that inverting $f$, i.e., computing principal square roots, is difficult assuming integer factorization is intractable.)

The following definitions are used in §3.9.1, 3.9.2, and 3.9.3.

3.81 Definition Let $f : S \to S$ be a one-way function, where $S$ is a finite set. A Boolean predicate $B : S \to \{0, 1\}$ is said to be a hard predicate for $f$ if:

(i) $B(x)$ is easy to compute given $x \in S$; and

(ii) an oracle which computes $B(x)$ correctly with non-negligible advantage⁶ given only $f(x)$ (where $x \in S$) can be used to invert $f$ easily.

Informally, $B$ is a hard predicate for the one-way function $f$ if determining the single bit $B(x)$ of information about $x$, given only $f(x)$, is as difficult as inverting $f$ itself.

3.82 Definition Let $f : S \to S$ be a one-way function, where $S$ is a finite set. A $k$-bit predicate $B^{(k)} : S \to \{0, 1\}^k$ is said to be a hard $k$-bit predicate for $f$ if:

(i) $B^{(k)}(x)$ is easy to compute given $x \in S$; and

(ii) for every Boolean predicate $B : \{0, 1\}^k \to \{0, 1\}$, an oracle which computes $B(B^{(k)}(x))$ correctly with non-negligible advantage given only $f(x)$ (where $x \in S$) can be used to invert $f$ easily.

If such a $B^{(k)}$ exists, then $f$ is said to hide $k$ bits, or the $k$ bits are said to be simultaneously secure.

Informally, $B^{(k)}$ is a hard $k$-bit predicate for the one-way function $f$ if determining any partial information whatsoever about $B^{(k)}(x)$, given only $f(x)$, is as difficult as inverting $f$ itself.

⁶ In Definitions 3.81 and 3.82, the probability is taken over all choices of $x \in S$ and random coin tosses of the oracle.
3.9.1 The discrete logarithm problem in $\mathbb{Z}_p^*$ — individual bits

Let $p$ be an odd prime and $\alpha$ a generator of $\mathbb{Z}_p^*$. Assume that the discrete logarithm problem in $\mathbb{Z}_p^*$ is intractable. Let $\beta \in \mathbb{Z}_p^*$, and let $x = \log_\alpha \beta$. Recall from Fact 2.135 that $\beta$ is a quadratic residue modulo $p$ if and only if $x$ is even. Hence, the least significant bit of $x$ is equal to $(1 - (\frac{\beta}{p}))/2$, where the Legendre symbol $(\frac{\beta}{p})$ can be efficiently computed (Algorithm 2.149). More generally, the following is true.

3.83 Fact Let $p$ be an odd prime, and let $\alpha$ be a generator of $\mathbb{Z}_p^*$. Suppose that $p - 1 = 2^s t$, where $t$ is odd. Then there is an efficient algorithm which, given $\beta \in \mathbb{Z}_p^*$, computes the $s$ least significant bits of $x = \log_\alpha \beta$.

3.84 Fact Let $p$ be a prime and $\alpha$ a generator of $\mathbb{Z}_p^*$. Define the predicate $B : \mathbb{Z}_p^* \to \{0, 1\}$ by

$$B(x) = \begin{cases} 0, & \text{if } 1 \le x \le (p - 1)/2, \\ 1, & \text{if } (p - 1)/2 < x \le p - 1. \end{cases}$$

Then $B$ is a hard predicate for the function of exponentiation modulo $p$. In other words, given $p$, $\alpha$, and $\beta$, computing the single bit $B(x)$ of the discrete logarithm $x = \log_\alpha \beta$ is as difficult as computing the entire discrete logarithm.

3.85 Fact Let $p$ be a prime and $\alpha$ a generator of $\mathbb{Z}_p^*$. Let $k = O(\lg \lg p)$ be an integer. Let the interval $[1, p - 1]$ be partitioned into $2^k$ intervals $I_0, I_1, \ldots, I_{2^k - 1}$ of roughly equal lengths. Define the $k$-bit predicate $B^{(k)} : \mathbb{Z}_p^* \to \{0, 1\}^k$ by $B^{(k)}(x) = j$ if $x \in I_j$. Then $B^{(k)}$ is a hard $k$-bit predicate for the function of exponentiation modulo $p$.


3.9.2 The RSA problem — individual bits

Let $n$ be a product of two distinct odd primes $p$ and $q$, and let $e$ be an integer such that $\gcd(e, (p - 1)(q - 1)) = 1$. Given $n$, $e$, and $c = x^e \bmod n$ (for some $x \in \mathbb{Z}_n$), some information about $x$ is easily obtainable. For example, since $e$ is an odd integer,

and hence the single bit of information $(\frac{x}{n})$ can be obtained simply by computing the Jacobi symbol (Algorithm 2.149). There are, however, other bits of information about $x$ that are difficult to compute, as the next two results show.

3.86 Fact Define the predicate $B : \mathbb{Z}_n \to \{0, 1\}$ by $B(x) = x \bmod 2$; that is, $B(x)$ is the least significant bit of $x$. Then $B$ is a hard predicate for the RSA function (see page 115).

3.87 Fact Let $k = O(\lg \lg n)$ be an integer. Define the $k$-bit predicate $B^{(k)} : \mathbb{Z}_n \to \{0, 1\}^k$ by $B^{(k)}(x) = x \bmod 2^k$. That is, $B^{(k)}(x)$ consists of the $k$ least significant bits of $x$. Then $B^{(k)}$ is a hard $k$-bit predicate for the RSA function.

Thus the RSA function has $\lg \lg n$ simultaneously secure bits.
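An added example, not from the Handbook, of the two "easy" bits described in §3.9.1 and §3.9.2: the least significant bit of a discrete logarithm read off from the Legendre symbol, and the Jacobi symbol of an RSA plaintext read off from the ciphertext. The `jacobi` function is a standard implementation of the Jacobi-symbol recursion (the quadratic reciprocity algorithm referred to as Algorithm 2.149 in the text); the RSA leak rests on the multiplicativity $(\frac{c}{n}) = (\frac{x}{n})^e = (\frac{x}{n})$ for odd $e$. The check against exhaustive logarithms uses $p = 251$, $\alpha = 71$ from Example 3.64; the RSA modulus $n = 209 = 11 \cdot 19$ with $e = 7$ is a constructed toy parameter.

```python
# Added example (not from the Handbook): the easy bits of Sections 3.9.1 and 3.9.2.

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; equals the Legendre symbol when n is prime."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:               # pull out factors of 2: (2/n) = -1 iff n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                     # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def dlog_lsb(p, beta):
    """Least significant bit of log_alpha(beta) for any generator alpha of Z_p^*: (1 - (beta/p))/2."""
    return (1 - jacobi(beta, p)) // 2


def lsb_matches_true_log(p, alpha):
    """Check dlog_lsb against exhaustive logarithms for every beta in Z_p^* (small p only)."""
    return all(dlog_lsb(p, pow(alpha, x, p)) == x % 2 for x in range(p - 1))


def rsa_jacobi_leak(n, e, x):
    """(c/n) = (x/n)^e = (x/n) for odd e: the ciphertext reveals the Jacobi symbol of x."""
    c = pow(x, e, n)
    return jacobi(c, n) == jacobi(x, n)


if __name__ == "__main__":
    print(dlog_lsb(251, 210))                                   # 1: log_71(210) = 197 is odd
    print(lsb_matches_true_log(251, 71))                        # True
    print(all(rsa_jacobi_leak(209, 7, x) for x in range(209)))  # True (n = 11 * 19, constructed)
```

The Legendre-symbol case is $s = 1$ of Fact 3.83, since $250 = 2 \cdot 125$; contrast this with Fact 3.84 and Fact 3.86, where the named bit is provably as hard as the whole inversion.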
3.9.3 The Rabin problem — individual bits

Let $n = pq$, where $p$ and $q$ are distinct primes each congruent to 3 modulo 4.

3.88 Fact Define the predicate $B : Q_n \to \{0, 1\}$ by $B(x) = x \bmod 2$; that is, $B(x)$ is the least significant bit of the quadratic residue $x$. Then $B$ is a hard predicate for the Rabin function (see page 115).

3.89 Fact Let $k = O(\lg \lg n)$ be an integer. Define the $k$-bit predicate $B^{(k)} : Q_n \to \{0, 1\}^k$ by $B^{(k)}(x) = x \bmod 2^k$. That is, $B^{(k)}(x)$ consists of the $k$ least significant bits of the quadratic residue $x$. Then $B^{(k)}$ is a hard $k$-bit predicate for the Rabin function.

Thus the Rabin function has $\lg \lg n$ simultaneously secure bits.


3.10 The subset sum problem

The difficulty of the subset sum problem was the basis for the (presumed) security of the first public-key encryption scheme, called the Merkle-Hellman knapsack scheme (§8.6.1).

3.90 Definition The subset sum problem (SUBSET-SUM) is the following: given a set $\{a_1, a_2, \ldots, a_n\}$ of positive integers, called a knapsack set, and a positive integer $s$, determine whether or not there is a subset of the $a_j$ that sum to $s$. Equivalently, determine whether or not there exist $x_i \in \{0, 1\}$, $1 \le i \le n$, such that $\sum_{i=1}^{n} a_i x_i = s$.

The subset sum problem above is stated as a decision problem. It can be shown that the problem is computationally equivalent to its computational version which is to actually determine the $x_i$ such that $\sum_{i=1}^{n} a_i x_i = s$, provided that such $x_i$ exist. Fact 3.91 provides evidence of the intractability of the subset sum problem.

3.91 Fact The subset sum problem is NP-complete. The computational version of the subset sum problem is NP-hard (see Example 2.74).

Algorithms 3.92 and 3.94 give two methods for solving the computational version of the subset sum problem; both are exponential-time algorithms. Algorithm 3.94 is the fastest method known for the general subset sum problem.


3.92 Algorithm Naive algorithm for subset sum problem

INPUT: a set of positive integers $\{a_1, a_2, \ldots, a_n\}$ and a positive integer $s$.
OUTPUT: $x_i \in \{0, 1\}$, $1 \le i \le n$, such that $\sum_{i=1}^{n} a_i x_i = s$, provided such $x_i$ exist.

1. For each possible vector $(x_1, x_2, \ldots, x_n) \in (\mathbb{Z}_2)^n$ do the following:

1.1 Compute $l = \sum_{i=1}^{n} a_i x_i$.

1.2 If $l = s$ then return(a solution is $(x_1, x_2, \ldots, x_n)$).

2. Return(no solution exists).

3.93 Fact Algorithm 3.92 takes $O(2^n)$ steps and, hence, is inefficient.
3.94 Algorithm Meet-in-the-middle algorithm for subset sum problem

INPUT: a set of positive integers $\{a_1, a_2, \ldots, a_n\}$ and a positive integer $s$.

OUTPUT: $x_i \in \{0, 1\}$, $1 \le i \le n$, such that $\sum_{i=1}^{n} a_i x_i = s$, provided such $x_i$ exist.

1. Set $t \leftarrow \lfloor n/2 \rfloor$.

2. Construct a table with entries $(\sum_{i=1}^{t} a_i x_i, (x_1, x_2, \ldots, x_t))$ for $(x_1, x_2, \ldots, x_t) \in (\mathbb{Z}_2)^t$. Sort this table by first component.

3. For each $(x_{t+1}, x_{t+2}, \ldots, x_n) \in (\mathbb{Z}_2)^{n-t}$, do the following:

3.1 Compute $l = s - \sum_{i=t+1}^{n} a_i x_i$ and check, using a binary search, whether $l$ is the first component of some entry in the table.

3.2 If $l = \sum_{i=1}^{t} a_i x_i$ then return(a solution is $(x_1, x_2, \ldots, x_n)$).

4. Return(no solution exists).

3.95 Fact Algorithm 3.94 takes $O(n 2^{n/2})$ steps and, hence, is inefficient.
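Both algorithms side by side, as an added example that is not code from the Handbook. The knapsack set `A` and target `S` are constructed (the target is the sum of five of the ten elements), and the two solvers may legitimately return different solution vectors when more than one subset works, so what is checked is that each returned vector has weight `S`. The table of Algorithm 3.94 is built with `sorted` and searched with `bisect`, matching steps 2 and 3.1.

```python
# Added example (not from the Handbook): Algorithms 3.92 and 3.94 on a constructed knapsack set.
from bisect import bisect_left
from itertools import product

A = [43, 129, 215, 473, 903, 302, 561, 1165, 697, 1523]   # constructed knapsack set
S = 43 + 215 + 903 + 302 + 697                             # = 2160, so a solution exists


def weight(a, x):
    """sum a_i x_i for a 0/1 vector x over the leading len(x) entries of a."""
    return sum(ai * xi for ai, xi in zip(a, x))


def naive_subset_sum(a, s):
    """Algorithm 3.92: try all 2^n vectors (x_1, ..., x_n)."""
    for x in product((0, 1), repeat=len(a)):        # step 1
        if weight(a, x) == s:                       # steps 1.1-1.2
            return list(x)
    return None                                     # step 2


def meet_in_the_middle(a, s):
    """Algorithm 3.94: O(n 2^{n/2}) time at the price of a 2^{n/2}-entry table."""
    n = len(a)
    t = n // 2                                      # step 1
    table = sorted((weight(a[:t], x), x)            # step 2: (partial sum, left half)
                   for x in product((0, 1), repeat=t))
    sums = [entry[0] for entry in table]
    for y in product((0, 1), repeat=n - t):         # step 3
        l = s - weight(a[t:], y)                    # 3.1
        i = bisect_left(sums, l)                    # binary search in the sorted table
        if i < len(sums) and sums[i] == l:          # 3.2
            return list(table[i][1]) + list(y)
    return None                                     # step 4


if __name__ == "__main__":
    print(naive_subset_sum(A, S))
    print(meet_in_the_middle(A, S))
    print(meet_in_the_middle(A, 1))                 # None: 1 is below the smallest element
```

For $n = 10$ the naive search examines up to $2^{10}$ vectors while the table holds $2^5$ entries and the outer loop runs $2^5$ times; the gap is the $2^n$ versus $n 2^{n/2}$ of Facts 3.93 and 3.95.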


3.10.1  The  L3-lattice  basis  reduction  algorithm 

The  L 3 -lattice  basis  reduction  algorithm  is  a crucial  component  in  many  number-theoretic 
algorithms.  It  is  useful  for  solving  certain  subset  sum  problems,  and  has  been  used  for  crypt- 
analyzing public-key  encryption  schemes  which  are  based  on  the  subset  sum  problem. 

3.96  Definition  Letx  = (xi,X2, . . . , x„)  and  y='-{yi,  V2p  be  two  vectors  in  R".  The 
inner  product  of  x and  y is  the  real  number 

< x,  y > = xiyi  + x2y2  H P x„y„. 

3.97  Definition  Let  y =*'{yi,  j/2,  ■ ■ ■ , yn)  be  a vector  in  R1*,  The  length  ofy  is  the  real  number 

IMI  = '<y,y>  = \Jy\  + yl h 

3.98  Definition  Let  B = {&1 , £>2 ? • . ■ , bm}  be  a set  of  linearly  independent  vectors  in  M"  (so 
that  to  < n).  The  set  L of  all  integer  linear  combinations  of  bi , b2 , . . . , bm  is  called  a lattice 
of  dimension  to;  that  is,  L = Z&i  + Z62  + • • • + Z bm.  The  set  B is  called  a basis  for  the 
lattice  L. 

A lattice  can  have  many  different  bases.  A basis  consisting  of  vectors  of  relatively 
small  lengths  is  called  reduced.  The  following  definition  provides  a useful  notion  of  a re- 
duced basis,  and  is  based  on  the  Gram-Schmidt  orthogonalization  process. 

3.99  Definition  Let  B = {61, 62,  ■ • • , bn}  be  a basis  for  a lattice  L C R".  Define  the  vectors 
b*  (!<<••  n)  and  the  real  numbers  /jy  (1  < j < i < n)  inductively  by 


— 7—Tl — i 

<b*,b*  > 

(3.8) 

i- 1 

bi  ^ ^ Vijbj  , 1 ^ i ^ 72. 

(3.9) 

3 = 1 

The  basis  B is  said  to  be  reduced  (more  precisely,  Lovasz-reduced)  if 

\lM,j\  < for  1 < j < i < n 
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(where  | pij  | denotes  the  absolute  value  of  Pi.j),  and 

II KW2  > (j  ll^i-ill2,  for  1 < i < n.  (3.10) 

Fact 3.100 explains the sense in which the vectors in a reduced basis are relatively short.

3.100 Fact Let $L \subset \mathbb{R}^n$ be a lattice with a reduced basis $\{b_1, b_2, \ldots, b_n\}$.

(i) For every non-zero $x \in L$, $\|b_1\| \le 2^{(n-1)/2}\|x\|$.

(ii) More generally, for any set $\{a_1, a_2, \ldots, a_t\}$ of linearly independent vectors in $L$,

$$\|b_j\| \le 2^{(n-1)/2} \max(\|a_1\|, \|a_2\|, \ldots, \|a_t\|), \qquad \text{for } 1 \le j \le t.$$

The $L^3$-lattice basis reduction algorithm (Algorithm 3.101) is a polynomial-time algorithm (Fact 3.103) for finding a reduced basis, given a basis for a lattice.

3.101 Algorithm $L^3$-lattice basis reduction algorithm

INPUT: a basis $(b_1, b_2, \ldots, b_n)$ for a lattice $L$ in $\mathbb{R}^m$, $m \ge n$.

OUTPUT: a reduced basis for $L$.

1. $b_1^* \leftarrow b_1$, $B_1 \leftarrow \langle b_1^*, b_1^* \rangle$.

2. For $i$ from 2 to $n$ do the following:

2.1 $b_i^* \leftarrow b_i$.

2.2 For $j$ from 1 to $i-1$, set $\mu_{i,j} \leftarrow \langle b_i, b_j^* \rangle / B_j$ and $b_i^* \leftarrow b_i^* - \mu_{i,j} b_j^*$.

2.3 $B_i \leftarrow \langle b_i^*, b_i^* \rangle$.

3. $k \leftarrow 2$.

4. Execute subroutine RED($k, k-1$) to possibly update some $\mu_{i,j}$.

5. If $B_k < \left(\frac{3}{4} - \mu_{k,k-1}^2\right) B_{k-1}$ then do the following:

5.1 Set $\mu \leftarrow \mu_{k,k-1}$, $B \leftarrow B_k + \mu^2 B_{k-1}$, $\mu_{k,k-1} \leftarrow \mu B_{k-1}/B$, $B_k \leftarrow B_{k-1} B_k / B$, and $B_{k-1} \leftarrow B$.

5.2 Exchange $b_k$ and $b_{k-1}$.

5.3 If $k > 2$ then exchange $\mu_{k,j}$ and $\mu_{k-1,j}$ for $j = 1, 2, \ldots, k-2$.

5.4 For $i = k+1, k+2, \ldots, n$: Set $t \leftarrow \mu_{i,k}$, $\mu_{i,k} \leftarrow \mu_{i,k-1} - \mu t$, and $\mu_{i,k-1} \leftarrow t + \mu_{k,k-1}\mu_{i,k}$.

5.5 $k \leftarrow \max(2, k-1)$.

5.6 Go to step 4.

Otherwise, for $l = k-2, k-3, \ldots, 1$, execute RED($k, l$), and finally set $k \leftarrow k+1$.

6. If $k \le n$ then go to step 4. Otherwise, return($b_1, b_2, \ldots, b_n$).

RED($k, l$) If $|\mu_{k,l}| > \frac{1}{2}$ then do the following:

1. $r \leftarrow \lfloor 0.5 + \mu_{k,l} \rfloor$, $b_k \leftarrow b_k - r b_l$.

2. For $j$ from 1 to $l-1$, set $\mu_{k,j} \leftarrow \mu_{k,j} - r\mu_{l,j}$.

3. $\mu_{k,l} \leftarrow \mu_{k,l} - r$.


3.102 Note (explanation of selected steps of Algorithm 3.101)

(i) Steps 1 and 2 initialize the algorithm by computing $b_i^*$ ($1 \le i \le n$) and $\mu_{i,j}$ ($1 \le j < i \le n$) as defined in equations (3.9) and (3.8), and also $B_i = \langle b_i^*, b_i^* \rangle$ ($1 \le i \le n$).

(ii) $k$ is a variable such that the vectors $b_1, b_2, \ldots, b_{k-1}$ are reduced (initially $k = 2$ in step 3). The algorithm then attempts to modify $b_k$, so that $b_1, b_2, \ldots, b_k$ are reduced.

(iii) In step 4, the vector $b_k$ is modified appropriately so that $|\mu_{k,k-1}| \le \frac{1}{2}$, and the $\mu_{k,j}$ are updated for $1 \le j < k-1$.

(iv) In step 5, if the condition of equation (3.10) is violated for $i = k$, then vectors $b_k$ and $b_{k-1}$ are exchanged and their corresponding parameters are updated. Also, $k$ is decremented by 1 since then it is only guaranteed that $b_1, b_2, \ldots, b_{k-2}$ are reduced. Otherwise, $b_k$ is modified appropriately so that $|\mu_{k,j}| \le \frac{1}{2}$ for $j = 1, 2, \ldots, k-2$, while keeping (3.10) satisfied. $k$ is then incremented because now $b_1, b_2, \ldots, b_k$ are reduced.

It can be proven that the $L^3$-algorithm terminates after a finite number of iterations. Note that if $L$ is an integer lattice, i.e. $L \subset \mathbb{Z}^n$, then the $L^3$-algorithm only operates on rational numbers. The precise running time is given next.

3.103 Fact Let $L \subset \mathbb{Z}^n$ be a lattice with basis $\{b_1, b_2, \ldots, b_n\}$, and let $C \in \mathbb{R}$, $C \ge 2$, be such that $\|b_i\|^2 \le C$ for $i = 1, 2, \ldots, n$. Then the number of arithmetic operations needed by Algorithm 3.101 is $O(n^4 \log C)$, on integers of size $O(n \log C)$ bits.


3.10.2 Solving subset sum problems of low density

The density of a knapsack set, as defined below, provides a measure of the size of the knapsack elements.

3.104 Definition Let $S = \{a_1, a_2, \ldots, a_n\}$ be a knapsack set. The density of $S$ is defined to be

$$d = \frac{n}{\max\{\lg a_i \mid 1 \le i \le n\}}.$$

Algorithm 3.105 reduces the subset sum problem to one of finding a particular short vector in a lattice. By Fact 3.100, the reduced basis produced by the $L^3$-algorithm includes a vector of length which is guaranteed to be within a factor of $2^{(n-1)/2}$ of the shortest non-zero vector of the lattice. In practice, however, the $L^3$-algorithm usually finds a vector which is much shorter than what is guaranteed by Fact 3.100. Hence, the $L^3$-algorithm can be expected to find the short vector which yields a solution to the subset sum problem, provided that this vector is shorter than most of the non-zero vectors in the lattice.


3.105 Algorithm Solving subset sum problems using the $L^3$-algorithm

INPUT: a set of positive integers $\{a_1, a_2, \ldots, a_n\}$ and an integer $s$.

OUTPUT: $x_i \in \{0, 1\}$, $1 \le i \le n$, such that $\sum_{i=1}^n a_i x_i = s$, provided such $x_i$ exist.

1. Let $m = \lceil \frac{1}{2}\sqrt{n} \rceil$.

2. Form an $(n+1)$-dimensional lattice $L$ with basis consisting of the rows of the matrix

$$A = \begin{pmatrix}
1 & 0 & 0 & \cdots & 0 & m a_1 \\
0 & 1 & 0 & \cdots & 0 & m a_2 \\
0 & 0 & 1 & \cdots & 0 & m a_3 \\
\vdots & \vdots & \vdots & \ddots & \vdots & \vdots \\
0 & 0 & 0 & \cdots & 1 & m a_n \\
\frac{1}{2} & \frac{1}{2} & \frac{1}{2} & \cdots & \frac{1}{2} & m s
\end{pmatrix}$$

3. Find a reduced basis $B$ of $L$ (use Algorithm 3.101).

4. For each vector $y = (y_1, y_2, \ldots, y_{n+1})$ in $B$, do the following:

4.1 If $y_{n+1} = 0$ and $y_i \in \{-\frac{1}{2}, \frac{1}{2}\}$ for all $i = 1, 2, \ldots, n$, then do the following:

For $i = 1, 2, \ldots, n$, set $x_i \leftarrow y_i + \frac{1}{2}$.

If $\sum_{i=1}^n a_i x_i = s$, then return(a solution is $(x_1, x_2, \ldots, x_n)$).

For $i = 1, 2, \ldots, n$, set $x_i \leftarrow -y_i + \frac{1}{2}$.

If $\sum_{i=1}^n a_i x_i = s$, then return(a solution is $(x_1, x_2, \ldots, x_n)$).

5. Return(FAILURE). (Either no solution exists, or the algorithm has failed to find one.)

Justification. Let the rows of the matrix $A$ be $b_1, b_2, \ldots, b_{n+1}$, and let $L$ be the $(n+1)$-dimensional lattice generated by these vectors. If $(x_1, x_2, \ldots, x_n)$ is a solution to the subset sum problem, the vector $y = \sum_{i=1}^n x_i b_i - b_{n+1}$ is in $L$. Note that $y_i \in \{-\frac{1}{2}, \frac{1}{2}\}$ for $i = 1, 2, \ldots, n$ and $y_{n+1} = 0$. Since $\|y\| = \sqrt{y_1^2 + y_2^2 + \cdots + y_{n+1}^2} \le \sqrt{n}/2$, the vector $y$ is a vector of short length in $L$. If the density of the knapsack set is small, i.e. the $a_i$ are large, then most vectors in $L$ will have relatively large lengths, and hence $y$ may be the unique shortest non-zero vector in $L$. If this is indeed the case, then there is good possibility of the $L^3$-algorithm finding a basis which includes this vector.

Algorithm 3.105 is not guaranteed to succeed. Assuming that the $L^3$-algorithm always produces a basis which includes the shortest non-zero lattice vector, Algorithm 3.105 succeeds with high probability if the density of the knapsack set is less than 0.9408.
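As an added worked example (this is not the Handbook's own code), the following Python implements Algorithm 3.101 in exact rational arithmetic and then uses it for Algorithm 3.105, so both §3.10.1 and §3.10.2 can be traced on a concrete lattice. It departs from the textbook bookkeeping in one respect: instead of updating $\mu_{i,j}$ and $B_i$ in place in steps 5.1 to 5.4, it recomputes the Gram-Schmidt data from scratch after every change, and it size-reduces $b_k$ against all of $b_{k-1}, \ldots, b_1$ before testing (3.10); this is slower but ends in a Lovász-reduced basis all the same. The knapsack instance in `demo()` is constructed for this example (the $a_i$ are $K \cdot K'^i$ for the arbitrarily chosen constants $K = 7919$, $K' = 1021$) so that the solution vector $y$ of length 1 is, by Fact 3.100(i), provably the first vector (up to sign) of any reduced basis; a random low-density instance normally behaves the same way, but without that guarantee.

```python
# Added example (not the Handbook's own code): Algorithm 3.101 (L^3 reduction) in
# exact rational arithmetic, and Algorithm 3.105 (low-density subset sum) on top of it.
from fractions import Fraction
from math import floor

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def gram_schmidt(b):
    """Steps 1-2 of Algorithm 3.101: b*_i and mu_ij from (3.8)/(3.9), and B_i = <b*_i, b*_i>."""
    n = len(b)
    bstar, B = [], []
    mu = [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = list(b[i])
        for j in range(i):
            mu[i][j] = dot(b[i], bstar[j]) / B[j]
            v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
        bstar.append(v)
        B.append(dot(v, v))
    return mu, B

def lll_reduce(basis, delta=Fraction(3, 4)):
    """Return a Lovasz-reduced basis (Definition 3.99) of the lattice spanned by the rows.
    The Handbook updates mu and B in place in steps 5.1-5.4; for clarity this version
    recomputes them from scratch after every change (slower, but the same invariants)."""
    b = [[Fraction(x) for x in row] for row in basis]
    n = len(b)
    mu, B = gram_schmidt(b)
    k = 1                                         # 0-based index; the Handbook's k = 2
    while k < n:
        # RED(k, j) for j = k-1, ..., 0: subtract r = floor(0.5 + mu_kj) copies of b_j
        for j in range(k - 1, -1, -1):
            r = floor(mu[k][j] + Fraction(1, 2))
            if r != 0:
                b[k] = [x - r * y for x, y in zip(b[k], b[j])]
                mu, B = gram_schmidt(b)
        # Lovasz condition (3.10) for the pair (b_{k-1}, b_k)
        if B[k] >= (delta - mu[k][k - 1] ** 2) * B[k - 1]:
            k += 1                                # b_1..b_k are reduced: advance
        else:
            b[k], b[k - 1] = b[k - 1], b[k]       # step 5.2: exchange
            mu, B = gram_schmidt(b)
            k = max(1, k - 1)                     # step 5.5
    return b

def subset_sum_lll(a, s):
    """Algorithm 3.105: x_i in {0,1} with sum(a_i x_i) = s, or None if none is found."""
    n = len(a)
    m = 1
    while 4 * m * m < n:                          # m = ceil(sqrt(n) / 2)
        m += 1
    half = Fraction(1, 2)
    rows = []
    for i in range(n):                            # row i: unit vector e_i, then m*a_i
        row = [Fraction(0)] * (n + 1)
        row[i], row[n] = Fraction(1), Fraction(m * a[i])
        rows.append(row)
    rows.append([half] * n + [Fraction(m * s)])   # last row: (1/2, ..., 1/2, m*s)
    for y in lll_reduce(rows):
        if y[n] != 0 or any(abs(t) != half for t in y[:n]):
            continue                              # step 4.1 filter
        for sign in (1, -1):                      # x_i = y_i + 1/2, then x_i = -y_i + 1/2
            x = [int(sign * t + half) for t in y[:n]]
            if sum(ai * xi for ai, xi in zip(a, x)) == s:
                return x
    return None

def demo():
    # Constructed instance: a_i = K * K'^i, so the density n / max lg a_i is far below 0.9408.
    K, Kp = 7919, 1021
    a = [K * Kp ** i for i in range(4)]
    x = [1, 0, 1, 1]
    s = sum(ai * xi for ai, xi in zip(a, x))
    return subset_sum_lll(a, s)

if __name__ == "__main__":
    print(demo())   # [1, 0, 1, 1]
```

Running `demo()` returns `[1, 0, 1, 1]`, the only 0/1 solution of the constructed instance; the two small bases passed to `lll_reduce` in the checks below show the size-reduction step alone (first) and a Lovász-condition exchange (second).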


3.10.3 Simultaneous diophantine approximation

Simultaneous diophantine approximation is concerned with approximating a vector $(\frac{q_1}{q}, \frac{q_2}{q}, \ldots, \frac{q_n}{q})$ of rational numbers (more generally, a vector $(\alpha_1, \alpha_2, \ldots, \alpha_n)$ of real numbers) by a vector $(\frac{p_1}{p}, \frac{p_2}{p}, \ldots, \frac{p_n}{p})$ of rational numbers with a smaller denominator $p$. Algorithms for finding simultaneous diophantine approximation have been used to break some knapsack public-key encryption schemes (§8.6).

3.106 Definition Let $\delta$ be a real number. The vector $(\frac{p_1}{p}, \frac{p_2}{p}, \ldots, \frac{p_n}{p})$ of rational numbers is said to be a simultaneous diophantine approximation of $\delta$-quality to the vector $(\frac{q_1}{q}, \frac{q_2}{q}, \ldots, \frac{q_n}{q})$ of rational numbers if $p < q$ and

$$\left| p\,\frac{q_i}{q} - p_i \right| \le q^{-\delta} \qquad \text{for } i = 1, 2, \ldots, n.$$

(The larger $\delta$ is, the better is the approximation.) Furthermore, it is an unusually good simultaneous diophantine approximation (UGSDA) if $\delta > \frac{1}{n}$.

Fact 3.107 shows that an UGSDA is indeed unusual.

3.107 Fact For $n \ge 2$, the set

$$S_n(q) = \left\{ \left(\tfrac{q_1}{q}, \tfrac{q_2}{q}, \ldots, \tfrac{q_n}{q}\right) \;\middle|\; 0 \le q_i < q,\ \gcd(q_1, q_2, \ldots, q_n, q) = 1 \right\}$$

has at least $\frac{1}{2}q^n$ members. Of these, at most $O(q^{n(1-\delta)+1})$ members have at least one $\delta$-quality simultaneous diophantine approximation. Hence, for any fixed $\delta > \frac{1}{n}$, the fraction of members of $S_n(q)$ having at least one UGSDA approaches 0 as $q \to \infty$.

Algorithm 3.108 reduces the problem of finding a $\delta$-quality simultaneous diophantine approximation, and hence also a UGSDA, to the problem of finding a short vector in a lattice. The latter problem can (usually) be solved using the $L^3$-lattice basis reduction.
3.108 Algorithm Finding a $\delta$-quality simultaneous diophantine approximation

INPUT: a vector $w = (\frac{q_1}{q}, \frac{q_2}{q}, \ldots, \frac{q_n}{q})$ of rational numbers, and a rational number $\delta > 0$.

OUTPUT: a $\delta$-quality simultaneous diophantine approximation $(\frac{p_1}{p}, \frac{p_2}{p}, \ldots, \frac{p_n}{p})$ of $w$.

1. Choose an integer $\lambda \approx q^{\delta}$.

2. Use Algorithm 3.101 to find a reduced basis $B$ for the $(n+1)$-dimensional lattice $L$ which is generated by the rows of the matrix

$$A = \begin{pmatrix}
\lambda q & 0 & 0 & \cdots & 0 & 0 \\
0 & \lambda q & 0 & \cdots & 0 & 0 \\
0 & 0 & \lambda q & \cdots & 0 & 0 \\
\vdots & \vdots & \vdots & \ddots & \vdots & \vdots \\
0 & 0 & 0 & \cdots & \lambda q & 0 \\
-\lambda q_1 & -\lambda q_2 & -\lambda q_3 & \cdots & -\lambda q_n & 1
\end{pmatrix}$$

3. For each $v = (v_1, v_2, \ldots, v_n, v_{n+1})$ in $B$ such that $v_{n+1} \ne q$, do the following:

3.1 $p \leftarrow v_{n+1}$.

3.2 For $i$ from 1 to $n$, set $p_i \leftarrow \frac{1}{q}\left(\frac{v_i}{\lambda} + p q_i\right)$.

3.3 If $\left| p\,\frac{q_i}{q} - p_i \right| \le q^{-\delta}$ for each $i$, $1 \le i \le n$, then return($\frac{p_1}{p}, \frac{p_2}{p}, \ldots, \frac{p_n}{p}$).

4. Return(FAILURE). (Either no $\delta$-quality simultaneous diophantine approximation exists, or the algorithm has failed to find one.)

Justification. Let the rows of the matrix $A$ be denoted by $b_1, b_2, \ldots, b_{n+1}$. Suppose that $(\frac{q_1}{q}, \frac{q_2}{q}, \ldots, \frac{q_n}{q})$ has a $\delta$-quality approximation $(\frac{p_1}{p}, \frac{p_2}{p}, \ldots, \frac{p_n}{p})$. Then the vector

$$x = p_1 b_1 + p_2 b_2 + \cdots + p_n b_n + p\, b_{n+1} = \left(\lambda(p_1 q - p q_1),\ \lambda(p_2 q - p q_2),\ \ldots,\ \lambda(p_n q - p q_n),\ p\right)$$

is in $L$ and has length less than approximately $\sqrt{n+1}\,q$. Thus $x$ is short compared to the original basis vectors, which are of length roughly $q^{1+\delta}$. Also, if $v = (v_1, v_2, \ldots, v_{n+1})$ is a vector in $L$ of length less than $q$, then the vector $(\frac{p_1}{p}, \frac{p_2}{p}, \ldots, \frac{p_n}{p})$ defined in step 3 is a $\delta$-quality approximation. Hence there is a good possibility that the $L^3$-algorithm will produce a reduced basis which includes a vector $v$ that corresponds to a $\delta$-quality approximation.


3.11 Factoring polynomials over finite fields

The problem considered in this section is the following: given a polynomial $f(x) \in \mathbb{F}_q[x]$, with $q = p^m$, find its factorization $f(x) = f_1(x)^{e_1} f_2(x)^{e_2} \cdots f_t(x)^{e_t}$, where each $f_i(x)$ is an irreducible polynomial in $\mathbb{F}_q[x]$ and each $e_i \ge 1$. ($e_i$ is called the multiplicity of the factor $f_i(x)$.) Several situations call for the factoring of polynomials over finite fields, such as index-calculus algorithms in $\mathbb{F}_{2^m}^*$ (Example 3.70) and Chor-Rivest public-key encryption (§8.6.2). This section presents an algorithm for square-free factorization, and Berlekamp's classical deterministic algorithm for factoring polynomials which is efficient if the underlying field is small. Efficient randomized algorithms are known for the case of large $q$; references are provided on page 132.


©1997  by  CRC  Press,  Inc.  — See  accompanying  notice  at  front  of  chapter. 




3.11.1 Square-free factorization

Observe first that $f(x)$ may be divided by its leading coefficient. Thus, it may be assumed that $f(x)$ is monic (see Definition 2.187). This section shows how the problem of factoring a monic polynomial $f(x)$ may then be reduced to the problem of factoring one or more monic square-free polynomials.

3.109 Definition Let $f(x) \in \mathbb{F}_q[x]$. Then $f(x)$ is square-free if it has no repeated factors, i.e., there is no polynomial $g(x)$ with $\deg g(x) \ge 1$ such that $g(x)^2$ divides $f(x)$. The square-free factorization of $f(x)$ is $f(x) = \prod_{i=1}^k f_i(x)^i$, where each $f_i(x)$ is a square-free polynomial and $\gcd(f_i(x), f_j(x)) = 1$ for $i \ne j$. (Some of the $f_i(x)$ in the square-free factorization of $f(x)$ may be 1.)

Let $f(x) = \sum_{i=0}^n a_i x^i$ be a polynomial of degree $n \ge 1$. The (formal) derivative of $f(x)$ is the polynomial $f'(x) = \sum_{i=0}^{n-1} a_{i+1}(i+1) x^i$. If $f'(x) = 0$, then, because $p$ is the characteristic of $\mathbb{F}_q$, in each term $a_i x^i$ of $f(x)$ for which $a_i \ne 0$, the exponent of $x$ must be a multiple of $p$. Hence, $f(x)$ has the form $f(x) = a(x)^p$, where $a(x) = \sum_{i=0}^{n/p} a_{ip}^{1/p} x^i$, and the problem of finding the square-free factorization of $f(x)$ is reduced to finding that of $a(x)$. Now, it is possible that $a'(x) = 0$, but repeating this process as necessary, it may be assumed that $f'(x) \ne 0$.

Next, let $g(x) = \gcd(f(x), f'(x))$. Noting that an irreducible factor of multiplicity $k$ in $f(x)$ will have multiplicity $k-1$ in $f'(x)$ if $\gcd(k, p) = 1$, and will retain multiplicity $k$ in $f'(x)$ otherwise, the following conclusions may be drawn. If $g(x) = 1$, then $f(x)$ has no repeated factors; and if $g(x)$ has positive degree, then $g(x)$ is a non-trivial factor of $f(x)$, and $f(x)/g(x)$ has no repeated factors. Note, however, the possibility of $g(x)$ having repeated factors, and, indeed, the possibility that $g'(x) = 0$. Nonetheless, $g(x)$ can be refined further as above. The steps are summarized in Algorithm 3.110. In the algorithm, $F$ denotes the square-free factorization of a factor of $f(x)$ in factored form.


3.110 Algorithm Square-free factorization

SQUARE-FREE($f(x)$)

INPUT: a monic polynomial $f(x) \in \mathbb{F}_q[x]$ of degree $\ge 1$, where $\mathbb{F}_q$ has characteristic $p$.

OUTPUT: the square-free factorization of $f(x)$.

1. Set $i \leftarrow 1$, $F \leftarrow 1$, and compute $f'(x)$.

2. If $f'(x) = 0$ then set $f(x) \leftarrow f(x)^{1/p}$ and $F \leftarrow (\text{SQUARE-FREE}(f(x)))^p$. Otherwise (i.e. $f'(x) \ne 0$) do the following:

2.1 Compute $g(x) \leftarrow \gcd(f(x), f'(x))$ and $h(x) \leftarrow f(x)/g(x)$.

2.2 While $h(x) \ne 1$ do the following:

Compute $\bar{h}(x) \leftarrow \gcd(h(x), g(x))$ and $l(x) \leftarrow h(x)/\bar{h}(x)$.

Set $F \leftarrow F \cdot l(x)^i$, $i \leftarrow i+1$, $h(x) \leftarrow \bar{h}(x)$, and $g(x) \leftarrow g(x)/\bar{h}(x)$.

2.3 If $g(x) \ne 1$ then set $g(x) \leftarrow g(x)^{1/p}$ and $F \leftarrow F \cdot (\text{SQUARE-FREE}(g(x)))^p$.

3. Return($F$).

Once the square-free factorization $f(x) = \prod_{i=1}^k f_i(x)^i$ is found, the square-free polynomials $f_1(x), f_2(x), \ldots, f_k(x)$ need to be factored in order to obtain the complete factorization of $f(x)$.
3.11.2 Berlekamp's Q-matrix algorithm

Let $f(x) = \prod_{i=1}^t f_i(x)$ be a monic polynomial in $\mathbb{F}_q[x]$ of degree $n$ having distinct irreducible factors $f_i(x)$, $1 \le i \le t$. Berlekamp's Q-matrix algorithm (Algorithm 3.111) for factoring $f(x)$ is based on the following facts. The set of polynomials

$$\mathcal{B} = \{\, b(x) \in \mathbb{F}_q[x]/(f(x)) \mid b(x)^q \equiv b(x) \pmod{f(x)} \,\}$$

is a vector space of dimension $t$ over $\mathbb{F}_q$. $\mathcal{B}$ consists of precisely those vectors in the null space of the matrix $Q - I_n$, where $Q$ is the $n \times n$ matrix with $(i,j)$-entry $q_{ij}$ specified by

$$x^{iq} \bmod f(x) = \sum_{j=0}^{n-1} q_{ij} x^j, \qquad 0 \le i \le n-1,$$

and where $I_n$ is the $n \times n$ identity matrix. A basis $B = \{v_1(x), v_2(x), \ldots, v_t(x)\}$ for $\mathcal{B}$ can thus be found by standard techniques from linear algebra. Finally, for each pair of distinct factors $f_i(x)$ and $f_j(x)$ of $f(x)$ there exists some $v_k(x) \in B$ and some $\alpha \in \mathbb{F}_q$ such that $f_i(x)$ divides $v_k(x) - \alpha$ but $f_j(x)$ does not divide $v_k(x) - \alpha$; these two factors can thus be split by computing $\gcd(f(x), v_k(x) - \alpha)$. In Algorithm 3.111, a vector $w = (w_0, w_1, \ldots, w_{n-1})$ is identified with the polynomial $w(x) = \sum_{i=0}^{n-1} w_i x^i$.

3.111 Algorithm Berlekamp's Q-matrix algorithm for factoring polynomials over finite fields

INPUT: a square-free monic polynomial $f(x)$ of degree $n$ in $\mathbb{F}_q[x]$.

OUTPUT: the factorization of $f(x)$ into monic irreducible polynomials.

1. For each $i$, $0 \le i \le n-1$, compute the polynomial

$$x^{iq} \bmod f(x) = \sum_{j=0}^{n-1} q_{ij} x^j.$$

Note that each $q_{ij}$ is an element of $\mathbb{F}_q$.

2. Form the $n \times n$ matrix $Q$ whose $(i,j)$-entry is $q_{ij}$.

3. Determine a basis $v_1, v_2, \ldots, v_t$ for the null space of the matrix $(Q - I_n)$, where $I_n$ is the $n \times n$ identity matrix. The number of irreducible factors of $f(x)$ is precisely $t$.

4. Set $F \leftarrow \{f(x)\}$. ($F$ is the set of factors of $f(x)$ found so far; their product is equal to $f(x)$.)

5. For $i$ from 1 to $t$ do the following:

5.1 For each polynomial $h(x) \in F$ such that $\deg h(x) > 1$ do the following: compute $\gcd(h(x), v_i(x) - \alpha)$ for each $\alpha \in \mathbb{F}_q$, and replace $h(x)$ in $F$ by all those polynomials in the gcd computations whose degrees are $\ge 1$.

6. Return(the polynomials in $F$ are the irreducible factors of $f(x)$).

3.112 Fact The running time of Algorithm 3.111 for factoring a square-free polynomial of degree $n$ over $\mathbb{F}_q$ is $O(n^3 + tqn^2)$ $\mathbb{F}_q$-operations, where $t$ is the number of irreducible factors of $f(x)$. The method is efficient only when $q$ is small.
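As an added worked example (again not the Handbook's or any library's code), the following Python carries out Algorithm 3.110 and Algorithm 3.111 of §3.11.1 and §3.11.2 over a prime field $\mathbb{F}_p$, i.e. the case $q = p$, where the $p$-th root of a coefficient is the coefficient itself. Polynomials are plain coefficient lists (lowest degree first), so every step from the square-free decomposition through the $Q$-matrix, its null space and the gcd splitting is visible. The null space is taken of the transpose of $Q - I_n$, because with rows of $Q$ indexed as in step 1 the condition $b(x)^p = b(x)$ reads $w(Q - I_n) = 0$ for the coefficient row vector $w$. The test polynomial $x^5 + x^3 + x^2 + 1 = (x+1)^3 (x^2+x+1)$ over $\mathbb{F}_2$ and the small examples over $\mathbb{F}_3$ are constructed for the demonstration.

```python
# Added example (not the Handbook's own code): Algorithms 3.110 and 3.111 over a prime
# field F_p, the q = p case. A polynomial is a list of coefficients mod p, lowest degree
# first, with no trailing zeros; [] is the zero polynomial and [1] is the constant 1.
def trim(f):
    while f and f[-1] == 0:
        f.pop()
    return f

def mul(f, g, p):
    r = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            r[i + j] = (r[i + j] + a * b) % p
    return trim(r)

def divmod_(f, g, p):
    """Quotient and remainder of f by the nonzero polynomial g (long division)."""
    f, q = f[:], [0] * max(len(f) - len(g) + 1, 0)
    inv = pow(g[-1], -1, p)
    while f and len(f) >= len(g):
        c, d = f[-1] * inv % p, len(f) - len(g)
        q[d] = c
        for i, b in enumerate(g):
            f[d + i] = (f[d + i] - c * b) % p
        trim(f)
    return trim(q), f

def gcd(f, g, p):                                   # monic gcd; gcd(f, 0) is f made monic
    while g:
        f, g = g, divmod_(f, g, p)[1]
    inv = pow(f[-1], -1, p)
    return [c * inv % p for c in f]

def square_free(f, p):
    """Algorithm 3.110: {i: f_i} with f = prod f_i^i, the f_i square-free and pairwise coprime."""
    F = {}
    def put(i, g):                                  # F <- F * g^i, skipping g = 1
        if len(g) > 1:
            F[i] = mul(F.get(i, [1]), g, p)
    fd = trim([(i * c) % p for i, c in enumerate(f)][1:])   # formal derivative f'
    if not fd:                                      # f' = 0: f = a(x)^p; over F_p a_{ip}^{1/p} = a_{ip}
        for j, g in square_free(trim(f[::p]), p).items():
            put(j * p, g)
        return F
    g = gcd(f, fd, p)                               # step 2.1
    h = divmod_(f, g, p)[0]
    i = 1
    while len(h) > 1:                               # step 2.2: while h != 1
        hbar = gcd(h, g, p)
        put(i, divmod_(h, hbar, p)[0])              # l(x) = h / hbar gets exponent i
        i, h, g = i + 1, hbar, divmod_(g, hbar, p)[0]
    if len(g) > 1:                                  # step 2.3: the rest is a p-th power
        for j, gg in square_free(trim(g[::p]), p).items():
            put(j * p, gg)
    return F

def null_space(M, p):
    """Basis of {w : M w = 0 over F_p}, from the reduced row echelon form of M."""
    m, cols, pivots, r = [row[:] for row in M], len(M[0]), [], 0
    for c in range(cols):
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], -1, p)
        m[r] = [x * inv % p for x in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                m[i] = [(x - m[i][c] * y) % p for x, y in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    basis = []
    for fc in [c for c in range(cols) if c not in pivots]:   # one vector per free column
        v = [int(j == fc) for j in range(cols)]
        for i, pc in enumerate(pivots):
            v[pc] = -m[i][fc] % p
        basis.append(v)
    return basis

def berlekamp(f, p):
    """Algorithm 3.111 for square-free monic f: its monic irreducible factors, sorted."""
    n = len(f) - 1
    xp = divmod_([0] * p + [1], f, p)[1]            # x^p mod f
    Q, row = [], [1]
    for i in range(n):                              # steps 1-2: row i of Q is x^{ip} mod f
        Q.append(row + [0] * (n - len(row)))
        row = divmod_(mul(row, xp, p), f, p)[1]
    # step 3: b = sum w_i x^i has b^p = b iff w (Q - I_n) = 0, so take the null space of (Q - I_n)^T
    M = [[(Q[i][j] - int(i == j)) % p for i in range(n)] for j in range(n)]
    factors = [f]                                   # step 4
    for v in null_space(M, p):                      # step 5: split each h by gcd(h, v(x) - a)
        new = []
        for h in factors:
            for a in range(p):
                g = gcd(h, trim([(v[0] - a) % p] + v[1:]), p)
                if len(g) > 1:
                    new.append(g)
        factors = new
    return sorted(factors)

def factor(f, p):
    """Full factorization of monic f: sorted (irreducible factor, multiplicity) pairs."""
    out = []
    for e, g in square_free(f, p).items():
        out += [(h, e) for h in berlekamp(g, p)]
    return sorted(out)
```

For $f = x^5 + x^3 + x^2 + 1$ over $\mathbb{F}_2$ (the list `[1, 0, 1, 1, 0, 1]`), `square_free` returns `{1: [1, 1, 1], 3: [1, 1]}`, i.e. $f_1 = x^2 + x + 1$ and $f_3 = x + 1$, and `factor` then reports $(x+1)^3 (x^2+x+1)$; for $x^3 + 1$ over $\mathbb{F}_2$, `berlekamp` builds a $3 \times 3$ matrix $Q$ with a two-dimensional null space and splits off $x + 1$ and $x^2 + x + 1$. Because every gcd in step 5 is taken over all $\alpha \in \mathbb{F}_p$, the work grows linearly with $p$, which is exactly the "$q$ small" restriction of Fact 3.112.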
3.12 Notes and further references

§3.1

Many of the topics discussed in this chapter lie in the realm of algorithmic number theory. Excellent references on this subject include the books by Bach and Shallit [70], Cohen [263], and Pomerance [993]. Adleman and McCurley [15] give an extensive survey of the important open problems in algorithmic number theory. Two other recommended surveys are by Bach [65] and Lenstra and Lenstra [748]. Woll [1253] gives an overview of the reductions among thirteen of these problems.

§3.2

A survey of the integer factorization problem is given by Pomerance [994]. See also Chapters 8 and 10 of Cohen [263], and the books by Bressoud [198] and Koblitz [697]. Brillhart et al. [211] provide extensive listings of factorizations of integers of the form $b^n \pm 1$ for "small" $n$ and $b = 2, 3, 5, 6, 7, 10, 11, 12$.

Bach and Sorenson [71] presented some algorithms for recognizing perfect powers (cf. Note 3.6), one having a worst-case running time of $O(\lg^3 n)$ bit operations, and a second having an average-case running time of $O(\lg^2 n)$ bit operations. A more recent algorithm of Bernstein [121] runs in essentially linear time $O((\lg n)^{1+o(1)})$. Fact 3.7 is from Knuth [692]. Pages 367-369 of this reference contain explicit formulas regarding the expected sizes of the largest and second largest prime factors, and the expected total number of prime factors, of a randomly chosen positive integer. For further results, see Knuth and Trabb Pardo [694], who prove that the average number of bits in the $k$th largest prime factor of a random $m$-bit number is asymptotically equivalent to the average length of the $k$th longest cycle in a permutation on $m$ objects.

Floyd's cycle-finding algorithm (Note 3.8) is described by Knuth [692, p.7]. Sedgewick, Szymanski, and Yao [1106] showed that by saving a small number of values from the $x_i$ sequence, a collision can be found by doing roughly one-third the work as in Floyd's cycle-finding algorithm. Pollard's rho algorithm for factoring (Algorithm 3.9) is due to Pollard [985]. Regarding Note 3.12, Cohen [263, p.422] provides an explanation for the restriction $c \ne 0, -2$. Brent [196] presented a cycle-finding algorithm which is better on average than Floyd's cycle-finding algorithm, and applied it to yield a factorization algorithm which is similar to Pollard's but about 24 percent faster. Brent and Pollard [197] later modified this algorithm to factor the eighth Fermat number $F_8 = 2^{2^8} + 1$. Using techniques from algebraic geometry, Bach [67] obtained the first rigorously proven result concerning the expected running time of Pollard's rho algorithm: for fixed $k$, the probability that a prime factor $p$ is discovered before step $k$ is at least $\binom{k}{2}/p + O(p^{-3/2})$ as $p \to \infty$.

The $p-1$ algorithm (Algorithm 3.14) is due to Pollard [984]. Several practical improvements have been proposed for the $p-1$ algorithm, including those by Montgomery [894] and Montgomery and Silverman [895], the latter using fast Fourier transform techniques. Williams [1247] presented an algorithm for factoring $n$ which is efficient if $n$ has a prime factor $p$ such that $p+1$ is smooth. These methods were generalized by Bach and Shallit [69] to techniques that factor $n$ efficiently provided $n$ has a prime factor $p$ such that the $k$th cyclotomic polynomial $\Phi_k(p)$ is smooth. The first few cyclotomic polynomials are $\Phi_1(p) = p-1$, $\Phi_2(p) = p+1$, $\Phi_3(p) = p^2+p+1$, $\Phi_4(p) = p^2+1$, $\Phi_5(p) = p^4+p^3+p^2+p+1$, and $\Phi_6(p) = p^2-p+1$.

The elliptic curve factoring algorithm (ECA) of §3.2.4 was invented by Lenstra [756]. Montgomery [894] gave several practical improvements to the ECA. Silverman and Wagstaff [1136] gave a practical analysis of the complexity of the ECA, and suggested optimal parameter selection and running-time guidelines. Lenstra and Manasse [753] implemented the ECA on a network of MicroVAX computers, and were successful in finding 35-decimal digit prime factors of large (at least 85 digit) composite integers. Later, Dixon and Lenstra [350] implemented the ECA on a 16K MasPar (massively parallel) SIMD (single instruction, multiple data) machine. The largest factor they found was a 40-decimal digit prime factor of an 89-digit composite integer. On November 26 1995, Peter Montgomery reported finding a 47-decimal digit prime factor of the 99-digit composite integer $5^{256} + 1$ with the ECA.

Hafner and McCurley [536] estimated the number of integers $n \le x$ that can be factored with probability at least $\frac{1}{2}$ using at most $t$ arithmetic operations, by trial division and the elliptic curve algorithm. Pomerance and Sorenson [997] provided the analogous estimates for Pollard's $p-1$ algorithm and Williams' $p+1$ algorithm. They conclude that for a given running time bound, both Pollard's $p-1$ and Williams' $p+1$ algorithms factor more integers than trial division, but fewer than the elliptic curve algorithm.

Pomerance [994] credits the idea of multiplying congruences to produce a solution to $x^2 \equiv y^2 \pmod{n}$ for the purpose of factoring $n$ (§3.2.5) to some old work of Kraitchik circa 1926-1929. The continued fraction factoring algorithm, first introduced by Lehmer and Powers [744] in 1931, and refined more than 40 years later by Morrison and Brillhart [908], was the first realization of a random square method to result in a subexponential-time algorithm. The algorithm was later analyzed by Pomerance [989] and conjectured to have an expected running time of $L_n[\frac{1}{2}, \sqrt{2}]$. If the smoothness testing in the algorithm is done with the elliptic curve method, then the expected running time drops to $L_n[\frac{1}{2}, 1]$. Morrison and Brillhart were also the first to use the idea of a factor base to test for good $(a_i, b_i)$ pairs. The continued fraction algorithm was the champion of factoring algorithms from the mid 1970s until the early 1980s, when it was surpassed by the quadratic sieve algorithm.

The quadratic sieve (QS) (§3.2.6) was discovered by Pomerance [989, 990]. The multiple polynomial variant of the quadratic sieve (Note 3.25) is due to P. Montgomery, and is described by Pomerance [990]; see also Silverman [1135]. A detailed practical analysis of the QS is given by van Oorschot [1203]. Several practical improvements to the original algorithms have subsequently been proposed and successfully implemented. The first serious implementation of the QS was by Gerver [448] who factored a 47-decimal digit number. In 1984, Davis, Holdridge, and Simmons [311] factored a 71-decimal digit number with the QS. In 1988, Lenstra and Manasse [753] used the QS to factor a 106-decimal digit number by distributing the computations to hundreds of computers by electronic mail; see also Lenstra and Manasse [754]. In 1993, the QS was used by Denny et al. [333] to factor a 120-decimal digit number. In 1994, the 129-decimal digit (425 bit) RSA-129 challenge number (see Gardner [440]) was factored by Atkins et al. [59] by enlisting the help of about 1600 computers around the world. The factorization was carried out in 8 months. Table 3.3 shows the estimated time taken, in mips years, for the above factorizations. A mips year is equivalent to the computational power of a computer that is rated at 1 mips (million instructions per second) and utilized for one year, or, equivalently, about $3 \cdot 10^{13}$ instructions.

The number field sieve was first proposed by Pollard [987] and refined by others. Lenstra et al. [752] described the special number field sieve (SNFS) for factoring integers of the form $r^e - s$ for small positive $r$ and $|s|$. A readable introduction to the algorithm is provided by Pomerance [995]. A detailed report of an SNFS implementation is given by Lenstra et al. [751]. This implementation was used to factor the ninth Fermat number $F_9 = 2^{512} + 1$, which is the product of three prime factors having 7, 49, and 99 decimal digits. The general number field sieve (GNFS) was introduced by Buhler, Lenstra, and Pomerance [219].

Table 3.3: Running time estimates for numbers factored with QS.

Coppersmith [269] proposed modifications to the GNFS which improve its running time to $L_n[\frac{1}{3}, 1.902]$; however, the method is not practical. Another modification (also impractical) allows a precomputation taking $L_n[\frac{1}{3}, 2.007]$ time and $L_n[\frac{1}{3}, 1.639]$ storage, following which all integers in a large range of values can be factored in $L_n[\frac{1}{3}, 1.639]$ time. A detailed report of a GNFS implementation on a massively parallel computer with 16384 processors is given by Bernstein and Lenstra [122]. See also Buchmann, Loho, and Zayer [217], and Golliver, Lenstra, and McCurley [493]. More recently, Dodson and Lenstra [356] reported on their GNFS implementation which was successful in factoring a 119-decimal digit number using about 250 mips years of computing power. They estimated that this factorization completed about 2.5 times faster than it would with the quadratic sieve. Most recently, Lenstra [746] announced the factorization of the 130-decimal digit RSA-130 challenge number using the GNFS. This number is the product of two 65-decimal digit primes. The factorization was estimated to have taken about 500 mips years of computing power (compare with Table 3.3). The book edited by Lenstra and Lenstra [749] contains several other articles related to the number field sieve.

The ECA, continued fraction algorithm, quadratic sieve, special number field sieve, and general number field sieve have heuristic (or conjectured) rather than proven running times because the analyses make (reasonable) assumptions about the proportion of integers generated that are smooth. See Canfield, Erdős, and Pomerance [231] for bounds on the proportion of $y$-smooth integers in the interval $[2, x]$. Dixon's algorithm [351] was the first rigorously analyzed subexponential-time algorithm for factoring integers. The fastest rigorously analyzed algorithm currently known is due to Lenstra and Pomerance [759] with an expected running time of $L_n[\frac{1}{2}, 1]$. These algorithms are of theoretical interest only, as they do not appear to be practical.

§3.3

The RSA problem was introduced in the landmark 1977 paper by Rivest, Shamir, and Adleman [1060].

§3.4

The quadratic residuosity problem is of much historical interest, and was one of the main algorithmic problems discussed by Gauss [444].

§3.5

An extensive treatment of the problem of finding square roots modulo a prime $p$, or more generally, the problem of finding $d$th roots in a finite field, can be found in Bach and Shallit [70]. The presentation of Algorithm 3.34 for finding square roots modulo a prime is derived from Koblitz [697, pp. 48-49]; a proof of correctness can be found there. Bach and Shallit attribute the essential ideas of Algorithm 3.34 to an 1891 paper by A. Tonelli. Algorithm 3.39 is from Bach and Shallit [70], who attribute it to a 1903 paper of M. Cipolla.

The computational equivalence of computing square roots modulo a composite $n$ and factoring $n$ (Fact 3.46 and Note 3.47) was first discovered by Rabin [1023].
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A survey  of  the  discrete  logarithm  problem  is  given  by  McCurley  [827].  See  also  Odlyzko 
[942]  for  a survey  of  recent  advances. 

Knuth  [693]  attributes  the  baby-step  giant-step  algorithm  (Algorithm  3.56)  to  D.  Shanks. 
The  baby-step  giant-step  algorithms  for  searching  restricted  exponent  spaces  (cf.  Note  3.59) 
are  described  by  Heiman  [546].  Suppose  that  p is  a fc-bit  prime,  and  that  only  exponents  of 
Hamming  weight  t,  are  used.  Coppersmith  (personal  communication,  July  1995)  observed 
that  this  exponent  space  can  be  searched  in  k ■ (f'/jj)  steps  by  dividing  the  exponent  into  two 
equal  pieces  so  that  the  Hamming  weight  of  each  piece  is  t /2;  if  k is  much  smaller  than  2,/2, 
this  is  an  improvement  over  Note  3.59. 

Pollard’srho  algorithm  for  logarithms  (Algorithm  3.60)  is  due  to  Pollard  [986].  Pollard  also 
presented  a lambda  method  for  computing  discrete  logarithms  which  is  applicable  when  x , 
the  logarithm  sought,  is  known  to  lie  in  a certain  interval.  More  specifically,  if  the  interval  is 
of  width  w , the  method  is  expected  to  take  O ( rw)  group  operations  and  requires  storage  for 
only  0(lg  w)  group  elements.  Van  Oorschot  and  Wiener  [1207]  showed  how  Pollard’s  rho 
algorithm  can  be  parallelized  so  that  using  m processors  results  in  a speedup  by  a factor  of 
m.  This  has  particular  significance  to  cyclic  groups  such  as  elliptic  curve  groups,  for  which 
no  subexponential-time  discrete  logarithm  algorithm  is  known. 

The Pohlig-Hellman algorithm (Algorithm 3.63) was discovered by Pohlig and Hellman [982]. A variation which represents the logarithm in a mixed-radix notation and does not use the Chinese remainder theorem was given by Thiong Ly [1190].

According to McCurley [827], the basic ideas behind the index-calculus algorithm (Algorithm 3.68) first appeared in the work of Kraitchik (circa 1922-1924) and of Cunningham (see Western and Miller [1236]), and was rediscovered by several authors. Adleman [8] described the method for the group Z_p^* and analyzed the complexity of the algorithm. Hellman and Reyneri [555] gave the first description of an index-calculus algorithm for extension fields F_{p^m} with p fixed.

Coppersmith, Odlyzko, and Schroeppel [280] presented three variants of the index-calculus method for computing logarithms in Z_p^*: the linear sieve, the residue list sieve, and the Gaussian integer method. Each has a heuristic expected running time of L_p[1/2, 1] (cf. Note 3.71). The Gaussian integer method, which is related to the method of ElGamal [369], was implemented in 1990 by LaMacchia and Odlyzko [736] and was successful in computing logarithms in Z_p^* with p a 192-bit prime. The paper concludes that it should be feasible to compute discrete logarithms modulo primes of about 332 bits (100 decimal digits) using the Gaussian integer method. Gordon [510] adapted the number field sieve for factoring integers to the problem of computing logarithms in Z_p^*; his algorithm has a heuristic expected running time of L_p[1/3, c], where c = 3^{2/3} ≈ 2.080. Schirokauer [1092] subsequently presented a modification of Gordon's algorithm that has a heuristic expected running time of L_p[1/3, c], where c = (64/9)^{1/3} ≈ 1.923 (Note 3.72). This is the same running time as conjectured for the number field sieve for factoring integers (see §3.2.7). Recently, Weber [1232] implemented the algorithms of Gordon and Schirokauer and was successful in computing logarithms in Z_p^*, where p is a 40-decimal digit prime such that p − 1 is divisible by a 38-decimal digit (127-bit) prime. More recently, Weber, Denny, and Zayer (personal communication, April 1996) announced the solution of a discrete logarithm problem modulo a 75-decimal digit (248-bit) prime p with (p − 1)/2 prime.

Blake et al. [145] made improvements to the index-calculus technique for F_{2^m}^* and computed logarithms in F_{2^127}^*. Coppersmith [266] dramatically improved the algorithm and showed that under reasonable assumptions the expected running time of his improved algorithm is L_{2^m}[1/3, c] for some constant c < 1.587 (Note 3.72). Later, Odlyzko [940] gave several refinements to Coppersmith's algorithm, and a detailed practical analysis; this paper provides the most extensive account to date of the discrete logarithm problem in F_{2^m}^*. A similar practical analysis was also given by van Oorschot [1203]. Most recently in 1992, Gordon and McCurley [511] reported on their massively parallel implementation of Coppersmith's algorithm, combined with their own improvements. Using primarily a 1024 processor nCUBE-2 machine with 4 megabytes of memory per processor, they completed the precomputation of logarithms of factor base elements (which is the dominant step of the algorithm) required to compute logarithms in F_{2^227}^*, F_{2^313}^*, and F_{2^401}^*. The calculations for F_{2^401}^* were estimated to take 5 days. Gordon and McCurley also completed most of the precomputations required for computing logarithms in F_{2^503}^*; the amount of time to complete this task on the 1024 processor nCUBE-2 was estimated to be 44 days. They concluded that computing logarithms in the multiplicative groups of fields as large as F_{2^593}^* still seems to be out of their reach, but might be possible in the near future with a concerted effort.

It was not until 1992 that a subexponential-time algorithm for computing discrete logarithms over all finite fields F_q was discovered by Adleman and DeMarrais [11]. The expected running time of the algorithm is conjectured to be L_q[1/2, c] for some constant c. Adleman [9] generalized the number field sieve from algebraic number fields to algebraic function fields which resulted in an algorithm, called the function field sieve, for computing discrete logarithms in F_{p^m}^*; the algorithm has a heuristic expected running time of L_{p^m}[1/3, c] for some constant c > 0 when log p ≤ m^{g(m)}, and where g is any function such that 0 ≤ g(m) ≤ 0.98 and lim_{m→∞} g(m) = 0. The practicality of the function field sieve has not yet been determined. It remains an open problem to find an algorithm with a heuristic expected running time of L_q[1/3, c] for all finite fields F_q.

The algorithms mentioned in the previous three paragraphs have heuristic (or conjectured) rather than proven running times because the analyses make some (reasonable) assumptions about the proportion of integers or polynomials generated that are smooth, and also because it is not clear when the system of linear equations generated has full rank, i.e., yields a unique solution. The best rigorously analyzed algorithms known for the discrete logarithm problem in Z_p^* and F_{2^m}^* are due to Pomerance [991] with expected running times of L_p[1/2, √2] and L_{2^m}[1/2, √2], respectively. Lovorn [773] obtained rigorously analyzed algorithms for the fields F_{p^2} and F_{p^m} with log p < m^{0.98}, having expected running times of L_{p^2}[1/2, 3/2] and L_{p^m}[1/2, √2], respectively.

The linear system of equations collected in the quadratic sieve and number field sieve factoring algorithms, and the index-calculus algorithms for computing discrete logarithms in Z_p^* and F_{2^m}^*, are very large. For the problem sizes currently under consideration, these systems cannot be solved using ordinary linear algebra techniques, due to both time and space constraints. However, the equations generated are extremely sparse, typically with at most 50 non-zero coefficients per equation. The technique of structured or so-called intelligent Gaussian elimination (see Odlyzko [940]) can be used to reduce the original sparse system to a much smaller system that is still fairly sparse. The resulting system can be solved using either ordinary Gaussian elimination, or one of the conjugate gradient, Lanczos (Coppersmith, Odlyzko, and Schroeppel [280]), or Wiedemann algorithms [1239] which were also designed to handle sparse systems. LaMacchia and Odlyzko [737] have implemented some of these algorithms and concluded that the linear algebra stages arising in both integer factorization and the discrete logarithm problem are not running-time bottlenecks in practice. Recently, Coppersmith [272] proposed a modification of the Wiedemann algorithm which allows parallelization of the algorithm; for an analysis of Coppersmith's algorithm, see Kaltofen [657]. Coppersmith [270] (see also Montgomery [896]) presented a modification of the Lanczos algorithm for solving sparse linear equations over F_2; this variant appears to be the most efficient in practice.

As an example of the numbers involved, Gordon and McCurley's [511] implementation for computing logarithms in F_{2^401}^* produced a total of 117164 equations from a factor base consisting of the 58636 irreducible polynomials in F_2[x] of degree at most 19. The system of equations had 2068707 non-zero entries. Structured Gaussian elimination was then applied to this system, the result being a 16139 × 16139 system of equations having 1203414 non-zero entries, which was then solved using the conjugate gradient method. Another example is from the recent factorization of the RSA-129 number (see Atkins et al. [59]). The sieving step produced a sparse matrix of 569466 rows and 524339 columns. Structured Gaussian elimination was used to reduce this to a dense 188614 × 188160 system, which was then solved using ordinary Gaussian elimination.

There are many ways of representing a finite field, although any two finite fields of the same order are isomorphic (see also Note 3.55). Lenstra [757] showed how to compute an isomorphism between any two explicitly given representations of a finite field in deterministic polynomial time. Thus, it is sufficient to find an algorithm for computing discrete logarithms in one representation of a given field; this algorithm can then be used, together with the isomorphism obtained by Lenstra's algorithm, to compute logarithms in any other representation of the same field.

Menezes, Okamoto, and Vanstone [843] showed how the discrete logarithm problem for an elliptic curve over a finite field F_q can be reduced to the discrete logarithm problem in some extension field F_{q^k}. For the special class of supersingular curves, k is at most 6, thus providing a subexponential-time algorithm for the former problem. This work was extended by Frey and Rück [422]. No subexponential-time algorithm is known for the discrete logarithm problem in the more general class of non-supersingular elliptic curves.

Adleman, DeMarrais, and Huang [12] presented a subexponential-time algorithm for finding logarithms in the jacobian of large genus hyperelliptic curves over finite fields. More precisely, there exists a number c, 0 < c ≤ 2.181, such that for all sufficiently large g ≥ 1 and all odd primes p with log p ≤ (2g + 1)^{0.98}, the expected running time of the algorithm for computing logarithms in the jacobian of a genus g hyperelliptic curve over Z_p is conjectured to be L_{p^{2g+1}}[1/2, c].

McCurley [826] invented a subexponential-time algorithm for the discrete logarithm problem in the class group of an imaginary quadratic number field. See also Hafner and McCurley [537] for further details, and Buchmann and Düllmann [216] for an implementation report.

In 1994, Shor [1128] conceived randomized polynomial-time algorithms for computing discrete logarithms and factoring integers on a quantum computer, a computational device based on quantum mechanical principles; presently it is not known how to build a quantum computer, nor if this is even possible. Also recently, Adleman [10] demonstrated the feasibility of using tools from molecular biology to solve an instance of the directed Hamiltonian path problem, which is NP-complete. The problem instance was encoded in molecules of DNA, and the steps of the computation were performed with standard protocols and enzymes. Adleman notes that while the currently available fastest supercomputers can execute approximately 10^12 operations per second, it is plausible for a DNA computer to execute 10^20 or more operations per second. Moreover such a DNA computer would be far more energy-efficient than existing supercomputers. It is not clear at present whether it is feasible to build a DNA computer with such performance. However, should either quantum computers or DNA computers ever become practical, they would have a very significant impact on public-key cryptography.

§3.7 

Fact 3.77(i) is due to den Boer [323]. Fact 3.77(iii) was proven by Maurer [817], who also proved more generally that the GDHP and GDLP in a group G of order n are computationally equivalent when certain extra information of length O(lg n) bits is given. The extra information depends only on n and not on the definition of G, and consists of parameters that define cyclic elliptic curves of smooth order over the fields Z_{p_i} where the p_i are the prime divisors of n.

Waldvogel and Massey [1228] proved that if a and b are chosen uniformly and randomly from the interval {0, 1, ..., p − 1}, the values α^{ab} mod p are roughly uniformly distributed (see page 537).

§3.8 

Facts 3.78 and 3.79 are due to Bach [62]. Fact 3.80 is due to Shmuely [1127]. McCurley [825] refined this result to prove that for specially chosen composite n, the ability to solve the Diffie-Hellman problem in Z_n^* for the fixed base α = 16 implies the ability to factor n.

§3.9 

The notion of a hard Boolean predicate (Definition 3.81) was introduced by Blum and Micali [166], who also proved Fact 3.84. The notion of a hard k-bit predicate (Definition 3.82) was introduced by Long and Wigderson [772], who also proved Fact 3.85; see also Peralta [968]. Fact 3.83 is due to Peralta [968]. The results on hard predicates and k-bit predicates for the RSA functions (Facts 3.86 and 3.87) are due to Alexi et al. [23]. Facts 3.88 and 3.89 are due to Vazirani and Vazirani [1218].

Yao [1258] showed how any one-way length-preserving permutation can be transformed into a more complicated one-way length-preserving permutation which has a hard predicate. Subsequently, Goldreich and Levin [471] showed how any one-way function f can be transformed into a one-way function g which has a hard predicate. Their construction is as follows. Define the function g by g(p, x) = (p, f(x)), where p is a binary string of the same length as x, say n. Then g is also a one-way function and B(p, x) = Σ_{i=1}^{n} p_i x_i mod 2 is a hard predicate for g.

Håstad, Schrift, and Shamir [543] considered the one-way function f(x) = a^x mod n, where n is a Blum integer and a ∈ Z_n^*. Under the assumption that factoring Blum integers is intractable, they proved that all the bits of this function are individually hard. Moreover, the lower half as well as the upper half of the bits are simultaneously secure.

§3.10

The subset sum problem (Definition 3.90) is sometimes confused with the knapsack problem which is the following: given two sets {a_1, a_2, ..., a_n} and {b_1, b_2, ..., b_n} of positive integers, and given two positive integers s and t, determine whether or not there is a subset S of {1, 2, ..., n} such that Σ_{i∈S} a_i ≤ s and Σ_{i∈S} b_i ≥ t. The subset sum problem is actually a special case of the knapsack problem when a_i = b_i for i = 1, 2, ..., n and s = t. Algorithm 3.94 is described by Odlyzko [941].

The L^3-lattice basis reduction algorithm (Algorithm 3.101) and Fact 3.103 are both due to Lenstra, Lenstra, and Lovász [750]. Improved algorithms have been given for lattice basis reduction, for example, by Schnorr and Euchner [1099]; consult also Section 2.6 of Cohen [263]. Algorithm 3.105 for solving the subset sum problem involving knapsack sets of low density is from Coster et al. [283]. Unusually good simultaneous diophantine approximations were first introduced and studied by Lagarias [723]; Fact 3.107 and Algorithm 3.108 are from this paper.

Handbook  of  Applied  Cryptography  by  A.  Menezes,  P.  van  Oorschot  and  S.  Vanstone. 




Ch.  3 Number-Theoretic  Reference  Problems 


A readable introduction to polynomial factorization algorithms is given by Lidl and Niederreiter [764, Chapter 4]. Algorithm 3.110 for square-free factorization is from Geddes, Czapor, and Labahn [445]. Yun [1261] presented an algorithm that is more efficient than Algorithm 3.110 for finding the square-free factorization of a polynomial. The running time of the algorithm is only O(n^2) Z_p-operations when f(x) is a polynomial of degree n in Z_p[x]. A lucid presentation of Yun's algorithm is provided by Bach and Shallit [70]. Berlekamp's Q-matrix algorithm (Algorithm 3.111) was first discovered by Prange [999] for the purpose of factoring polynomials of the form x^n − 1 over finite fields. The algorithm was later and independently discovered by Berlekamp [117] who improved it for factoring general polynomials over finite fields.

There is no deterministic polynomial-time algorithm known for the problem of factoring polynomials over finite fields. There are, however, many efficient randomized algorithms that work well even when the underlying field is very large, such as the algorithms given by Ben-Or [109], Berlekamp [119], Cantor and Zassenhaus [232], and Rabin [1025]. For recent work along these lines, see von zur Gathen and Shoup [1224], as well as Kaltofen and Shoup [658].
4.1 Introduction

The efficient generation of public-key parameters is a prerequisite in public-key systems. A specific example is the requirement of a prime number p to define a finite field Z_p for use in the Diffie-Hellman key agreement protocol and its derivatives (§12.6). In this case, an element of high order in Z_p^* is also required. Another example is the requirement of primes p and q for an RSA modulus n = pq (§8.2). In this case, the prime must be of sufficient size, and be "random" in the sense that the probability of any particular prime being selected must be sufficiently small to preclude an adversary from gaining advantage through optimizing a search strategy based on such probability. Prime numbers may be required to have certain additional properties, in order that they do not make the associated cryptosystems susceptible to specialized attacks. A third example is the requirement of an irreducible polynomial f(x) of degree m over the finite field Z_p for constructing the finite field F_{p^m}. In this case, an element of high order in F_{p^m}^* is also required.


Chapter  outline 

The remainder of §4.1 introduces basic concepts relevant to prime number generation and summarizes some results on the distribution of prime numbers. Probabilistic primality tests, the most important of which is the Miller-Rabin test, are presented in §4.2. True primality tests by which arbitrary integers can be proven to be prime are the topic of §4.3; since these tests are generally more computationally intensive than probabilistic primality tests, they are not described in detail. §4.4 presents four algorithms for generating prime numbers, strong primes, and provable primes. §4.5 describes techniques for constructing irreducible and primitive polynomials, while §4.6 considers the production of generators and elements of high orders in groups. §4.7 concludes with chapter notes and references.
4.1.1 Approaches to generating large prime numbers

To motivate the organization of this chapter and introduce many of the relevant concepts, the problem of generating large prime numbers is first considered. The most natural method is to generate a random number n of appropriate size, and check if it is prime. This can be done by checking whether n is divisible by any of the prime numbers ≤ √n. While more efficient methods are required in practice, to motivate further discussion consider the following approach:

1. Generate as candidate a random odd number n of appropriate size.

2. Test n for primality.

3. If n is composite, return to the first step.

A slight modification is to consider candidates restricted to some search sequence starting from n; a trivial search sequence which may be used is n, n + 2, n + 4, n + 6, .... Using specific search sequences may allow one to increase the expectation that a candidate is prime, and to find primes possessing certain additional desirable properties a priori.
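The three-step procedure above, with the trivial search sequence n, n + 2, n + 4, ... and trial division by the primes ≤ √n as the test of step 2, as an added Python example (not code from the Handbook; the function names and the 32-bit candidate size are my choices for illustration):

```python
import math
import random

# Added example (not from the Handbook): the naive generator sketched in
# §4.1.1.  Trial division by the primes <= sqrt(n) is exact, so every number
# returned is a provable prime; it is only practical at toy sizes.

def primes_up_to(limit):
    """Sieve of Eratosthenes: ascending list of all primes <= limit."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, math.isqrt(limit) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i in range(limit + 1) if sieve[i]]

def is_prime_trial_division(n, small_primes, limit):
    """Exact test for 2 <= n <= limit**2: n is prime iff no prime <= sqrt(n)
    divides it.  small_primes must be primes_up_to(limit)."""
    if n < 2:
        return False
    if math.isqrt(n) > limit:
        raise ValueError("trial divisors only cover n <= limit**2")
    for p in small_primes:
        if p * p > n:          # no divisor <= sqrt(n) found
            return True
        if n % p == 0:
            return False
    return True

def generate_prime(bits, rng, use_search_sequence=True):
    """Return (prime, candidates_tested) following steps 1-3 of the text.
    rng is a random.Random; seeding it makes the run reproducible.  With
    use_search_sequence=True a rejected candidate is followed by n + 2 (the
    sequence n, n+2, n+4, ...); otherwise step 3 draws a fresh random odd n."""
    limit = math.isqrt(1 << bits)          # every candidate satisfies n < 2**bits
    small_primes = primes_up_to(limit)

    def random_odd():
        # step 1: random odd number with the top bit set, so it has exactly `bits` bits
        return rng.getrandbits(bits) | (1 << (bits - 1)) | 1

    n = random_odd()
    tested = 0
    while True:
        tested += 1
        if is_prime_trial_division(n, small_primes, limit):   # step 2
            return n, tested
        n = n + 2 if use_search_sequence else random_odd()    # step 3
        if n.bit_length() > bits:     # walked past 2**bits: restart from a fresh draw
            n = random_odd()

if __name__ == "__main__":
    p, tested = generate_prime(32, random.Random(2024))
    print(f"{p} is a 32-bit prime, found after testing {tested} odd candidate(s)")
```

By the prime number theorem (§4.1.2) roughly one in ln(2^32) ≈ 22 integers of this size is prime, so with only odd candidates the loop tests about 11 of them on average before stopping; the search sequence variant differs from the restart variant only in which candidates it visits, not in the exactness of the answer.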

In step 2, the test for primality might be either a test which proves that the candidate is prime (in which case the outcome of the generator is called a provable prime), or a test which establishes a weaker result, such as that n is "probably prime" (in which case the outcome of the generator is called a probable prime). In the latter case, careful consideration must be given to the exact meaning of this expression. Most so-called probabilistic primality tests are absolutely correct when they declare candidates n to be composite, but do not provide a mathematical proof that n is prime in the case when such a number is declared to be "probably" so. In the latter case, however, when used properly one may often be able to draw conclusions more than adequate for the purpose at hand. For this reason, such tests are more properly called compositeness tests than probabilistic primality tests. True primality tests, which allow one to conclude with mathematical certainty that a number is prime, also exist, but generally require considerably greater computational resources.

While (true) primality tests can determine (with mathematical certainty) whether a typically random candidate number is prime, other techniques exist whereby candidates n are specially constructed such that it can be established by mathematical reasoning whether a candidate actually is prime. These are called constructive prime generation techniques.

A final distinction between different techniques for prime number generation is the use of randomness. Candidates are typically generated as a function of a random input. The technique used to judge the primality of the candidate, however, may or may not itself use random numbers. If it does not, the technique is deterministic, and the result is reproducible; if it does, the technique is said to be randomized. Both deterministic and randomized probabilistic primality tests exist.

In some cases, prime numbers are required which have additional properties. For example, to make the extraction of discrete logarithms in Z_p^* resistant to an algorithm due to Pohlig and Hellman (§3.6.4), it is a requirement that p − 1 have a large prime divisor. Thus techniques for generating public-key parameters, such as prime numbers, of special form need to be considered.


4.1.2 Distribution of prime numbers

Let π(x) denote the number of primes in the interval [2, x]. The prime number theorem (Fact 2.95) states that π(x) ~ x / ln x.¹ In other words, the number of primes in the interval [2, x] is approximately equal to x / ln x. The prime numbers are quite uniformly distributed, as the following three results illustrate.

¹If f(x) and g(x) are two functions, then f(x) ~ g(x) means that lim_{x→∞} f(x)/g(x) = 1.

4.1 Fact (Dirichlet theorem) If gcd(a, n) = 1, then there are infinitely many primes congruent to a modulo n.

A more explicit version of Dirichlet's theorem is the following.

4.2 Fact Let π(x, n, a) denote the number of primes in the interval [2, x] which are congruent to a modulo n, where gcd(a, n) = 1. Then

π(x, n, a) ~ x / (φ(n) ln x).

In other words, the prime numbers are roughly uniformly distributed among the φ(n) congruence classes in Z_n^*, for any value of n.

4.3 Fact (approximation for the nth prime number) Let p_n denote the nth prime number. Then p_n ~ n ln n. More explicitly,

n ln n < p_n < n(ln n + ln ln n) for n ≥ 6.
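The three distribution results can be checked numerically against a sieve. The following is an added Python example (not code from the Handbook; the helper names and the choice of x = 10^6 and n = 4 are mine): it counts π(x) and π(x, n, a) directly, compares them with x / ln x and x / (φ(n) ln x), and verifies the explicit bounds of Fact 4.3 for every n ≥ 6 within reach of the sieve.

```python
import math

# Added example (not from the Handbook): actual prime counts versus the
# estimates of the prime number theorem, Fact 4.2 and Fact 4.3.

def primes_up_to(limit):
    """Sieve of Eratosthenes: ascending list of all primes <= limit."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, math.isqrt(limit) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i in range(limit + 1) if sieve[i]]

def pi(x, primes):
    """pi(x): number of primes in [2, x]; primes must extend at least to x."""
    return sum(1 for p in primes if p <= x)

def pnt_estimate(x):
    """x / ln x, the prime number theorem approximation to pi(x)."""
    return x / math.log(x)

def euler_phi(n):
    """phi(n) by definition: count of 1 <= k <= n with gcd(k, n) = 1."""
    return sum(1 for k in range(1, n + 1) if math.gcd(k, n) == 1)

def pi_restricted(x, n, a, primes):
    """pi(x, n, a): primes p <= x with p ≡ a (mod n), for gcd(a, n) = 1."""
    if math.gcd(a, n) != 1:
        raise ValueError("Fact 4.2 needs gcd(a, n) = 1")
    return sum(1 for p in primes if p <= x and p % n == a % n)

def residue_class_report(x, n, primes):
    """For each a in Z_n^*: (actual pi(x, n, a), Fact 4.2 estimate x/(phi(n) ln x)).
    The estimate is the same for every class, which is the point of Fact 4.2."""
    estimate = x / (euler_phi(n) * math.log(x))
    return {a: (pi_restricted(x, n, a, primes), estimate)
            for a in range(1, n) if math.gcd(a, n) == 1}

def nth_prime_bounds_hold(primes, start=6):
    """Fact 4.3: n ln n < p_n < n (ln n + ln ln n) for every n >= start
    that the list covers (p_n = primes[n - 1])."""
    for n in range(start, len(primes) + 1):
        p_n = primes[n - 1]
        lower = n * math.log(n)
        upper = n * (math.log(n) + math.log(math.log(n)))
        if not (lower < p_n < upper):
            return False
    return True

if __name__ == "__main__":
    x = 10 ** 6
    primes = primes_up_to(x)
    print("pi(x) =", pi(x, primes), " x/ln x =", round(pnt_estimate(x)))
    for a, (count, est) in residue_class_report(x, 4, primes).items():
        print(f"primes ≡ {a} (mod 4) up to x: {count}  (Fact 4.2 estimate {est:.0f})")
    print("Fact 4.3 bounds hold for 6 <= n <=", len(primes), ":",
          nth_prime_bounds_hold(primes))
```

At x = 10^6 the two classes modulo 4 each hold close to half of the odd primes, and both actual counts exceed the estimate by the same margin (about 8%) by which π(x) exceeds x / ln x, since x / ln x underestimates π(x) for every x in this range.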


4.2 Probabilistic primality tests

The algorithms in this section are methods by which arbitrary positive integers are tested to provide partial information regarding their primality. More specifically, probabilistic primality tests have the following framework. For each odd positive integer n, a set W(n) ⊂ Z_n is defined such that the following properties hold:

(i) given a ∈ Z_n, it can be checked in deterministic polynomial time whether a ∈ W(n);

(ii) if n is prime, then W(n) = ∅ (the empty set); and

(iii) if n is composite, then #W(n) ≥ n/2.

4.4 Definition If n is composite, the elements of W(n) are called witnesses to the compositeness of n, and the elements of the complementary set L(n) = Z_n − W(n) are called liars.

A probabilistic primality test utilizes these properties of the sets W(n) in the following manner. Suppose that n is an integer whose primality is to be determined. An integer a ∈ Z_n is chosen at random, and it is checked if a ∈ W(n). The test outputs "composite" if a ∈ W(n), and outputs "prime" if a ∉ W(n). If indeed a ∈ W(n), then n is said to fail the primality test for the base a; in this case, n is surely composite. If a ∉ W(n), then n is said to pass the primality test for the base a; in this case, no conclusion with absolute certainty can be drawn about the primality of n, and the declaration "prime" may be incorrect.²

Any single execution of this test which declares "composite" establishes this with certainty. On the other hand, successive independent runs of the test all of which return the answer "prime" allow the confidence that the input is indeed prime to be increased to whatever level is desired — the cumulative probability of error is multiplicative over independent trials. If the test is run t times independently on the composite number n, the probability that n is declared "prime" all t times (i.e., the probability of error) is at most (1/2)^t.

²This discussion illustrates why a probabilistic primality test is more properly called a compositeness test.

4.5 Definition An integer n which is believed to be prime on the basis of a probabilistic primality test is called a probable prime.

Two probabilistic primality tests are covered in this section: the Solovay-Strassen test (§4.2.2) and the Miller-Rabin test (§4.2.3). For historical reasons, the Fermat test is first discussed in §4.2.1; this test is not truly a probabilistic primality test since it usually fails to distinguish between prime numbers and special composite integers called Carmichael numbers.


4.2.1 Fermat's test

Fermat's theorem (Fact 2.127) asserts that if n is a prime and a is any integer, 1 ≤ a ≤ n − 1, then a^{n−1} ≡ 1 (mod n). Therefore, given an integer n whose primality is under question, finding any integer a in this interval such that this equivalence is not true suffices to prove that n is composite.

4.6 Definition Let n be an odd composite integer. An integer a, 1 ≤ a ≤ n − 1, such that a^{n−1} ≢ 1 (mod n) is called a Fermat witness (to compositeness) for n.

Conversely, finding an integer a between 1 and n − 1 such that a^{n−1} ≡ 1 (mod n) makes n appear to be a prime in the sense that it satisfies Fermat's theorem for the base a. This motivates the following definition and Algorithm 4.9.

4.7 Definition Let n be an odd composite integer and let a be an integer, 1 ≤ a ≤ n − 1. Then n is said to be a pseudoprime to the base a if a^{n−1} ≡ 1 (mod n). The integer a is called a Fermat liar (to primality) for n.

4.8 Example (pseudoprime) The composite integer n = 341 (= 11 × 31) is a pseudoprime to the base 2 since 2^{340} ≡ 1 (mod 341). □


4.9 Algorithm Fermat primality test

FERMAT(n, t)

INPUT: an odd integer n ≥ 3 and security parameter t ≥ 1.

OUTPUT: an answer "prime" or "composite" to the question: "Is n prime?"

1. For i from 1 to t do the following:

1.1 Choose a random integer a, 2 ≤ a ≤ n − 2.

1.2 Compute r = a^{n−1} mod n using Algorithm 2.143.

1.3 If r ≠ 1 then return("composite").

2. Return("prime").

If Algorithm 4.9 declares "composite", then n is certainly composite. On the other hand, if the algorithm declares "prime" then no proof is provided that n is indeed prime. Nonetheless, since pseudoprimes for a given base a are known to be rare, Fermat's test provides a correct answer on most inputs; this, however, is quite distinct from providing a correct answer most of the time (e.g., if run with different bases) on every input. In fact, it does not do the latter because there are (even rarer) composite numbers which are pseudoprimes to every base a for which gcd(a, n) = 1.

4.10 Definition A Carmichael number n is a composite integer such that a^{n−1} ≡ 1 (mod n) for all integers a which satisfy gcd(a, n) = 1.

If n is a Carmichael number, then the only Fermat witnesses for n are those integers a, 1 ≤ a ≤ n − 1, for which gcd(a, n) > 1. Thus, if the prime factors of n are all large, then with high probability the Fermat test declares that n is "prime", even if the number of iterations t is large. This deficiency in the Fermat test is removed in the Solovay-Strassen and Miller-Rabin probabilistic primality tests by relying on criteria which are stronger than Fermat's theorem.

This subsection is concluded with some facts about Carmichael numbers. If the prime factorization of n is known, then Fact 4.11 can be used to easily determine whether n is a Carmichael number.

4.11 Fact (necessary and sufficient conditions for Carmichael numbers) A composite integer
$n$ is a Carmichael number if and only if the following two conditions are satisfied:

(i) $n$ is square-free, i.e., $n$ is not divisible by the square of any prime; and

(ii) $p - 1$ divides $n - 1$ for every prime divisor $p$ of $n$.

A consequence of Fact 4.11 is the following.

4.12 Fact Every Carmichael number is the product of at least three distinct primes.

4.13 Fact (bounds for the number of Carmichael numbers)

(i) There are an infinite number of Carmichael numbers. In fact, there are more than
$n^{2/7}$ Carmichael numbers in the interval $[2, n]$, once $n$ is sufficiently large.

(ii) The best upper bound known for $C(n)$, the number of Carmichael numbers $\le n$, is:

$$C(n) \le n^{1 - \{1 + o(1)\}\ln\ln\ln n / \ln\ln n} \quad \text{for } n \to \infty.$$

The smallest Carmichael number is $n = 561 = 3 \times 11 \times 17$. Carmichael numbers are
relatively scarce; there are only 105212 Carmichael numbers $< 10^{15}$.
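Fermat's test (Algorithm 4.9) and Korselt's criterion (Fact 4.11) in Python, added here as a worked example and not code from the original text. It enumerates the Carmichael numbers below 2000, counts the Fermat liars of 561, and shows the failure mode described above: a Carmichael number whose prime factors are all large (the constructed example $56052361 = 211 \times 421 \times 631$) passes Fermat's test for every small base, since only bases sharing a factor with $n$ can expose it. The trial-division factoring helper and the function names are this example's own and are meant for small inputs only.

```python
import math
import random


def fermat_test(n, t, rng=random):
    """Algorithm 4.9: "composite" is certain, "prime" is only a probable answer."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer >= 3")
    for _ in range(t):
        a = rng.randint(2, n - 2)          # step 1.1: random base
        if pow(a, n - 1, n) != 1:          # steps 1.2 and 1.3: a is a Fermat witness
            return "composite"
    return "prime"


def distinct_prime_factors(n):
    """Distinct prime factors of n by trial division (adequate for the small n used here)."""
    factors, p = [], 2
    while p * p <= n:
        if n % p == 0:
            factors.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        factors.append(n)
    return factors


def is_carmichael(n):
    """Fact 4.11 (Korselt's criterion): n composite, square-free, and p-1 | n-1 for every prime p | n."""
    factors = distinct_prime_factors(n)
    if n < 2 or factors == [n]:            # 1 and primes are not Carmichael numbers
        return False
    square_free = all(n % (p * p) != 0 for p in factors)
    return square_free and all((n - 1) % (p - 1) == 0 for p in factors)


def carmichael_numbers_below(bound):
    return [n for n in range(3, bound, 2) if is_carmichael(n)]


def fermat_liars(n):
    """All a in [1, n-1] with a^(n-1) = 1 (mod n)."""
    return [a for a in range(1, n) if pow(a, n - 1, n) == 1]


def fermat_witnesses_among(n, bases):
    """Which of the given bases expose n as composite under Fermat's test."""
    return [a for a in bases if pow(a, n - 1, n) != 1]


if __name__ == "__main__":
    print("Carmichael numbers below 2000:", carmichael_numbers_below(2000))
    print("Fermat liars for 561:", len(fermat_liars(561)), "of 560 (phi(561) = 320)")
    big = 211 * 421 * 631                  # constructed Carmichael number with large prime factors
    print(big, "is Carmichael:", is_carmichael(big))
    print("bases 2..100 that witness", big, ":", fermat_witnesses_among(big, range(2, 101)))
    print("Fermat test on 91:", fermat_test(91, 20), "; on 97:", fermat_test(97, 20))
```

For 561 the witnesses are exactly the bases sharing a factor with $n$ (multiples of 3, 11 or 17), so random bases still catch it quickly; for $211 \times 421 \times 631$ fewer than 1% of bases are witnesses, and every base below 211 is a liar.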


4.2.2 Solovay-Strassen test

The Solovay-Strassen probabilistic primality test was the first such test popularized by the
advent of public-key cryptography, in particular the RSA cryptosystem. There is no longer
any reason to use this test, because an alternative is available (the Miller-Rabin test) which
is both more efficient and always at least as correct (see Note 4.33). Discussion is nonetheless
included for historical completeness and to clarify this exact point, since many people
continue to reference this test.

Recall (§2.4.5) that $\left(\frac{a}{n}\right)$ denotes the Jacobi symbol, and is equivalent to the Legendre
symbol if $n$ is prime. The Solovay-Strassen test is based on the following fact.

4.14 Fact (Euler's criterion) Let $n$ be an odd prime. Then $a^{(n-1)/2} \equiv \left(\frac{a}{n}\right) \pmod n$ for all
integers $a$ which satisfy $\gcd(a, n) = 1$.

Fact 4.14 motivates the following definitions.

4.15 Definition Let $n$ be an odd composite integer and let $a$ be an integer, $1 \le a \le n-1$.

(i) If either $\gcd(a, n) > 1$ or $a^{(n-1)/2} \not\equiv \left(\frac{a}{n}\right) \pmod n$, then $a$ is called an Euler witness
(to compositeness) for $n$.

(ii) Otherwise, i.e., if $\gcd(a, n) = 1$ and $a^{(n-1)/2} \equiv \left(\frac{a}{n}\right) \pmod n$, then $n$ is said to be
an Euler pseudoprime to the base $a$. (That is, $n$ acts like a prime in that it satisfies
Euler's criterion for the particular base $a$.) The integer $a$ is called an Euler liar (to
primality) for $n$.

4.16 Example (Euler pseudoprime) The composite integer 91 ($= 7 \times 13$) is an Euler pseudoprime
to the base 9 since $9^{45} \equiv 1 \pmod{91}$ and $\left(\frac{9}{91}\right) = 1$. □

Euler's criterion (Fact 4.14) can be used as a basis for a probabilistic primality test because
of the following result.

4.17 Fact Let $n$ be an odd composite integer. Then at most $\phi(n)/2$ of all the numbers $a$, $1 \le
a \le n-1$, are Euler liars for $n$ (Definition 4.15). Here, $\phi$ is the Euler phi function (Definition 2.100).


4.18 Algorithm Solovay-Strassen probabilistic primality test
SOLOVAY-STRASSEN(n,t)

INPUT: an odd integer $n \ge 3$ and security parameter $t \ge 1$.

OUTPUT: an answer "prime" or "composite" to the question: "Is $n$ prime?"

1. For $i$ from 1 to $t$ do the following:

   1.1 Choose a random integer $a$, $2 \le a \le n-2$.

   1.2 Compute $r = a^{(n-1)/2} \bmod n$ using Algorithm 2.143.

   1.3 If $r \ne 1$ and $r \ne n-1$ then return("composite").

   1.4 Compute the Jacobi symbol $s = \left(\frac{a}{n}\right)$ using Algorithm 2.149.

   1.5 If $r \not\equiv s \pmod n$ then return("composite").

2. Return("prime").


If $\gcd(a, n) = d$, then $d$ is a divisor of $r = a^{(n-1)/2} \bmod n$. Hence, testing whether
$r \ne 1$ in step 1.3 eliminates the necessity of testing whether $\gcd(a, n) \ne 1$. If Algorithm
4.18 declares "composite", then $n$ is certainly composite because prime numbers do
not violate Euler's criterion (Fact 4.14). Equivalently, if $n$ is actually prime, then the
algorithm always declares "prime". On the other hand, if $n$ is actually composite, then since the
bases $a$ in step 1.1 are chosen independently during each iteration of step 1, Fact 4.17 can be
used to deduce the following probability of the algorithm erroneously declaring "prime".

4.19 Fact (Solovay-Strassen error-probability bound) Let $n$ be an odd composite integer. The
probability that SOLOVAY-STRASSEN($n$,$t$) declares $n$ to be "prime" is less than $(\frac{1}{2})^t$.


4.2.3 Miller-Rabin test

The probabilistic primality test used most in practice is the Miller-Rabin test, also known
as the strong pseudoprime test. The test is based on the following fact.

4.20 Fact Let $n$ be an odd prime, and let $n - 1 = 2^s r$ where $r$ is odd. Let $a$ be any integer
such that $\gcd(a, n) = 1$. Then either $a^r \equiv 1 \pmod n$ or $a^{2^j r} \equiv -1 \pmod n$ for some
$j$, $0 \le j \le s-1$.

Fact 4.20 motivates the following definitions.

4.21 Definition Let $n$ be an odd composite integer and let $n - 1 = 2^s r$ where $r$ is odd. Let $a$
be an integer in the interval $[1, n-1]$.

(i) If $a^r \not\equiv 1 \pmod n$ and if $a^{2^j r} \not\equiv -1 \pmod n$ for all $j$, $0 \le j \le s-1$, then $a$ is
called a strong witness (to compositeness) for $n$.

(ii) Otherwise, i.e., if either $a^r \equiv 1 \pmod n$ or $a^{2^j r} \equiv -1 \pmod n$ for some $j$, $0 \le
j \le s-1$, then $n$ is said to be a strong pseudoprime to the base $a$. (That is, $n$ acts
like a prime in that it satisfies Fact 4.20 for the particular base $a$.) The integer $a$ is
called a strong liar (to primality) for $n$.

4.22 Example (strong pseudoprime) Consider the composite integer $n = 91$ ($= 7 \times 13$). Since
$91 - 1 = 90 = 2 \times 45$, $s = 1$ and $r = 45$. Since $9^r = 9^{45} \equiv 1 \pmod{91}$, 91 is a strong
pseudoprime to the base 9. The set of all strong liars for 91 is:

$\{1, 9, 10, 12, 16, 17, 22, 29, 38, 53, 62, 69, 74, 75, 79, 81, 82, 90\}$.

Notice that the number of strong liars for 91 is $18 = \phi(91)/4$, where $\phi$ is the Euler phi
function (cf. Fact 4.23). □

Fact 4.20 can be used as a basis for a probabilistic primality test due to the following result.

4.23 Fact If $n$ is an odd composite integer, then at most $\frac{1}{4}$ of all the numbers $a$, $1 \le a \le n-1$,
are strong liars for $n$. In fact, if $n \ne 9$, the number of strong liars for $n$ is at most $\phi(n)/4$,
where $\phi$ is the Euler phi function (Definition 2.100).


4.24 Algorithm Miller-Rabin probabilistic primality test
MILLER-RABIN(n,t)

INPUT: an odd integer $n \ge 3$ and security parameter $t \ge 1$.

OUTPUT: an answer "prime" or "composite" to the question: "Is $n$ prime?"

1. Write $n - 1 = 2^s r$ such that $r$ is odd.

2. For $i$ from 1 to $t$ do the following:

   2.1 Choose a random integer $a$, $2 \le a \le n-2$.

   2.2 Compute $y = a^r \bmod n$ using Algorithm 2.143.

   2.3 If $y \ne 1$ and $y \ne n-1$ then do the following:

       $j \leftarrow 1$.

       While $j \le s-1$ and $y \ne n-1$ do the following:

           Compute $y \leftarrow y^2 \bmod n$.

           If $y = 1$ then return("composite").

           $j \leftarrow j+1$.

       If $y \ne n-1$ then return("composite").

3. Return("prime").


Algorithm 4.24 tests whether each base $a$ satisfies the conditions of Definition 4.21(i).
In the fifth line of step 2.3, if $y = 1$, then $a^{2^j r} \equiv 1 \pmod n$. Since it is also the case that
$a^{2^{j-1} r} \not\equiv \pm 1 \pmod n$, it follows from Fact 3.18 that $n$ is composite (in fact $\gcd(a^{2^{j-1} r} - 1, n)$
is a non-trivial factor of $n$). In the seventh line of step 2.3, if $y \ne n-1$, then $a$ is a
strong witness for $n$. If Algorithm 4.24 declares "composite", then $n$ is certainly composite
because prime numbers do not violate Fact 4.20. Equivalently, if $n$ is actually prime,
then the algorithm always declares "prime". On the other hand, if $n$ is actually composite,
then Fact 4.23 can be used to deduce the following probability of the algorithm erroneously
declaring "prime".

4.25 Fact (Miller-Rabin error-probability bound) For any odd composite integer $n$, the probability
that MILLER-RABIN($n$,$t$) declares $n$ to be "prime" is less than $(\frac{1}{4})^t$.

4.26 Remark (number of strong liars) For most composite integers $n$, the number of strong
liars for $n$ is actually much smaller than the upper bound of $\phi(n)/4$ given in Fact 4.23.
Consequently, the Miller-Rabin error-probability bound is much smaller than $(\frac{1}{4})^t$ for most
positive integers $n$.

4.27 Example (some composite integers have very few strong liars) The only strong liars for
the composite integer $n = 105$ ($= 3 \times 5 \times 7$) are 1 and 104. More generally, if $k \ge 2$ and
$n$ is the product of the first $k$ odd primes, there are only 2 strong liars for $n$, namely 1 and
$n - 1$. □

4.28 Remark (fixed bases in Miller-Rabin) If $a_1$ and $a_2$ are strong liars for $n$, their product
$a_1 a_2$ is very likely, but not certain, to also be a strong liar for $n$. A strategy that is sometimes
employed is to fix the bases $a$ in the Miller-Rabin algorithm to be the first few primes
(composite bases are ignored because of the preceding statement), instead of choosing them
at random.

4.29 Definition Let $p_1, p_2, \ldots, p_t$ denote the first $t$ primes. Then $\psi_t$ is defined to be the smallest
positive composite integer which is a strong pseudoprime to all the bases $p_1, p_2, \ldots, p_t$.

The numbers $\psi_t$ can be interpreted as follows: to determine the primality of any integer
$n < \psi_t$, it is sufficient to apply the Miller-Rabin algorithm to $n$ with the bases $a$ being the
first $t$ prime numbers. With this choice of bases, the answer returned by Miller-Rabin is
always correct. Table 4.1 gives the value of $\psi_t$ for $1 \le t \le 8$.


  t    ψ_t
  1    2047
  2    1373653
  3    25326001
  4    3215031751
  5    2152302898747
  6    3474749660383
  7    341550071728321
  8    341550071728321

Table 4.1: Smallest strong pseudoprimes. The table lists values of $\psi_t$, the smallest positive composite
integer that is a strong pseudoprime to each of the first $t$ prime bases, for $1 \le t \le 8$.
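Algorithm 4.24 in Python together with the fixed-base variant of Remark 4.28, Definition 4.29 and Table 4.1, added here as a worked example and not code from the original text. `strong_test_base` also returns the non-trivial factor $\gcd(a^{2^{j-1}r} - 1, n)$ when the $y = 1$ branch fires, as described after Algorithm 4.24; the fixed-base routine is exact for $n < \psi_t$, so it flags $\psi_1 = 2047$ and $\psi_2 = 1373653$ as composite once one more base is added. Function names and the layout of the `PSI` table are this example's own choices.

```python
import math
import random


def decompose(n):
    """Step 1 of Algorithm 4.24: write n - 1 = 2^s * r with r odd."""
    s, r = 0, n - 1
    while r % 2 == 0:
        s += 1
        r //= 2
    return s, r


def strong_test_base(n, a):
    """Steps 2.2-2.3 of Algorithm 4.24 for one base a.

    Returns (True, None) if a is a strong liar for n, and (False, factor) if a is a strong
    witness; factor is the non-trivial divisor gcd(a^(2^(j-1) r) - 1, n) when the y = 1
    branch fires (see the discussion after Algorithm 4.24), else None.
    """
    s, r = decompose(n)
    y = pow(a, r, n)
    if y == 1 or y == n - 1:
        return True, None
    for _ in range(1, s):                       # j = 1 .. s-1
        prev, y = y, pow(y, 2, n)
        if y == 1:                              # prev^2 = 1 with prev != +-1: a square root of 1
            return False, math.gcd(prev - 1, n)
        if y == n - 1:
            return True, None
    return False, None


def miller_rabin(n, t, rng=random):
    """Algorithm 4.24: "composite" is certain; "prime" is wrong with probability < (1/4)^t."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer >= 3")
    for _ in range(t):
        a = rng.randint(2, n - 2)
        if not strong_test_base(n, a)[0]:
            return "composite"
    return "prime"


def strong_liars(n):
    return [a for a in range(1, n) if strong_test_base(n, a)[0]]


# Table 4.1: psi_t, the smallest composite that is a strong pseudoprime to the first t primes.
FIRST_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19]
PSI = [2047, 1373653, 25326001, 3215031751, 2152302898747,
       3474749660383, 341550071728321, 341550071728321]


def miller_rabin_fixed_bases(n, t):
    """Remark 4.28 / Definition 4.29: the first t prime bases; exact for odd n < PSI[t-1]."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer >= 3")
    for a in FIRST_PRIMES[:t]:
        if a % n == 0:                          # n is itself one of the small prime bases
            continue
        if not strong_test_base(n, a % n)[0]:
            return "composite"
    return "prime"


def is_prime_deterministic(n):
    """Exact answer for odd 3 <= n < psi_8 by picking the smallest t with n < psi_t."""
    for t, psi in enumerate(PSI, start=1):
        if n < psi:
            return miller_rabin_fixed_bases(n, t) == "prime"
    raise ValueError("n is beyond the range covered by Table 4.1")


if __name__ == "__main__":
    print("strong liars for 91:", strong_liars(91))
    print("strong liars for 105:", strong_liars(105))
    print("base 14 on 65 (= 5 * 13):", strong_test_base(65, 14))      # witness plus a factor
    print("2047 with base 2 only:", miller_rabin_fixed_bases(2047, 1),
          "; with bases 2, 3:", miller_rabin_fixed_bases(2047, 2))
    print("2^31 - 1 deterministic:", is_prime_deterministic(2 ** 31 - 1))
```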


4.2.4  Comparison:  Fermat,  Solovay-Strassen,  and  Miller-Rabin 

Fact  4.30  describes  the  relationships  between  Fermat  liars,  Euler  liars,  and  strong  liars  (see 
Definitions  4.7,  4.15,  and  4.21). 

4.30  Fact  Let  n be  an  odd  composite  integer. 

(i)  If  a is  an  Euler  liar  for  n,  then  it  is  also  a Fermat  liar  for  n. 

(ii)  If  a is  a strong  liar  for  n,  then  it  is  also  an  Euler  liar  for  n. 
4.31 Example (Fermat, Euler, strong liars) Consider the composite integer $n = 65$ ($= 5 \times
13$). The Fermat liars for 65 are $\{1, 8, 12, 14, 18, 21, 27, 31, 34, 38, 44, 47, 51, 53, 57, 64\}$.
The Euler liars for 65 are $\{1, 8, 14, 18, 47, 51, 57, 64\}$, while the strong liars for 65 are
$\{1, 8, 18, 47, 57, 64\}$. □

For a fixed composite candidate $n$, the situation is depicted in Figure 4.1. This settles
the question of the relative accuracy of the Fermat, Solovay-Strassen, and Miller-Rabin
tests, not only in the sense of the relative correctness of each test on a fixed candidate $n$, but
also in the sense that given $n$, the specified containments hold for each randomly chosen
base $a$. Thus, from a correctness point of view, the Miller-Rabin test is never worse than the
Solovay-Strassen test, which in turn is never worse than the Fermat test. As the following
result shows, there are, however, some composite integers $n$ for which the Solovay-Strassen
and Miller-Rabin tests are equally good.

[Figure 4.1: Relationships between Fermat, Euler, and strong liars for a composite integer $n$.]

4.32 Fact If $n \equiv 3 \pmod 4$, then $a$ is an Euler liar for $n$ if and only if it is a strong liar for $n$.

What remains is a comparison of the computational costs. While the Miller-Rabin test
may appear more complex, it actually requires, at worst, the same amount of computation
as Fermat's test in terms of modular multiplications; thus the Miller-Rabin test is better than
Fermat's test in all regards. At worst, the sequence of computations defined in MILLER-RABIN($n$,1)
requires the equivalent of computing $a^{(n-1)/2} \bmod n$. It is also the case that
MILLER-RABIN($n$,1) requires less computation than SOLOVAY-STRASSEN($n$,1), the
latter requiring the computation of $a^{(n-1)/2} \bmod n$ and possibly a further Jacobi symbol
computation. For this reason, the Solovay-Strassen test is both computationally and conceptually
more complex.

4.33 Note (Miller-Rabin is better than Solovay-Strassen) In summary, both the Miller-Rabin
and Solovay-Strassen tests are correct in the event that either their input is actually prime,
or that they declare their input composite. There is, however, no reason to use the Solovay-Strassen
test (nor the Fermat test) over the Miller-Rabin test. The reasons for this are summarized
below.

(i) The Solovay-Strassen test is computationally more expensive.

(ii) The Solovay-Strassen test is harder to implement since it also involves Jacobi symbol
computations.

(iii) The error probability for Solovay-Strassen is bounded above by $(\frac{1}{2})^t$, while the error
probability for Miller-Rabin is bounded above by $(\frac{1}{4})^t$.

(iv) Any strong liar for $n$ is also an Euler liar for $n$. Hence, from a correctness point of
view, the Miller-Rabin test is never worse than the Solovay-Strassen test.


4.3  (True)  Primality  tests 

The  primality  tests  in  this  section  are  methods  by  which  positive  integers  can  be  proven 
to  be  prime,  and  are  often  referred  to  as  primality  proving  algorithms.  These  primality 
tests  are  generally  more  computationally  intensive  than  the  probabilistic  primality  tests  of 
§4.2.  Consequently,  before  applying  one  of  these  tests  to  a candidate  prime  n,  the  candidate 
should  be  subjected  to  a probabilistic  primality  test  such  as  Miller-Rabin  (Algorithm  4.24). 

4.34  Definition  An  integer  n which  is  determined  to  be  prime  on  the  basis  of  a primality  prov- 
ing algorithm  is  called  a provable  prime. 


4.3.1 Testing Mersenne numbers

Efficient algorithms are known for testing primality of some special classes of numbers,
such as Mersenne numbers and Fermat numbers. Mersenne primes $n$ are useful because
the arithmetic in the field $\mathbb{Z}_n$ for such $n$ can be implemented very efficiently (see §14.3.4).
The Lucas-Lehmer test for Mersenne numbers (Algorithm 4.37) is such an algorithm.

4.35 Definition Let $s \ge 2$ be an integer. A Mersenne number is an integer of the form $2^s - 1$.
If $2^s - 1$ is prime, then it is called a Mersenne prime.

The following are necessary and sufficient conditions for a Mersenne number to be prime.

4.36 Fact Let $s \ge 3$. The Mersenne number $n = 2^s - 1$ is prime if and only if the following
two conditions are satisfied:

(i) $s$ is prime; and

(ii) the sequence of integers defined by $u_0 = 4$ and $u_{k+1} = (u_k^2 - 2) \bmod n$ for $k \ge 0$
satisfies $u_{s-2} = 0$.

Fact 4.36 leads to the following deterministic polynomial-time algorithm for determining
(with certainty) whether a Mersenne number is prime.


4.37 Algorithm Lucas-Lehmer primality test for Mersenne numbers
INPUT: a Mersenne number $n = 2^s - 1$ with $s \ge 3$.

OUTPUT: an answer "prime" or "composite" to the question: "Is $n$ prime?"

1. Use trial division to check if $s$ has any factors between 2 and $\lfloor\sqrt{s}\rfloor$. If it does, then
return("composite").

2. Set $u \leftarrow 4$.

3. For $k$ from 1 to $s - 2$ do the following: compute $u \leftarrow (u^2 - 2) \bmod n$.

4. If $u = 0$ then return("prime"). Otherwise, return("composite").
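Algorithm 4.37 in Python, added here as a worked example and not code from the original text. It runs the Lucas-Lehmer test, exposes the sequence $u_0, \ldots, u_{s-2}$ of Fact 4.36(ii) for inspection, and recovers the first thirteen exponents of Table 4.2 below. The only arithmetic required is squaring modulo $2^s - 1$, which Python's integers handle directly; function names are this example's own.

```python
import math


def lucas_lehmer(s):
    """Algorithm 4.37: decide whether the Mersenne number n = 2^s - 1 (s >= 3) is prime."""
    if s < 3:
        raise ValueError("s must be at least 3")
    for d in range(2, math.isqrt(s) + 1):        # step 1: s itself must be prime
        if s % d == 0:
            return "composite"
    n = (1 << s) - 1
    u = 4                                         # step 2
    for _ in range(s - 2):                        # step 3: u <- (u^2 - 2) mod n, s-2 times
        u = (u * u - 2) % n
    return "prime" if u == 0 else "composite"     # step 4


def lucas_lehmer_trace(s):
    """The sequence u_0, ..., u_{s-2} of Fact 4.36(ii); the last term is 0 exactly when 2^s - 1 is prime."""
    n = (1 << s) - 1
    seq = [4]
    for _ in range(s - 2):
        seq.append((seq[-1] ** 2 - 2) % n)
    return seq


def mersenne_prime_exponents(limit):
    """Exponents 3 <= s <= limit for which 2^s - 1 is prime (compare Table 4.2)."""
    return [s for s in range(3, limit + 1) if lucas_lehmer(s) == "prime"]


def mersenne_digits(s):
    """Number of decimal digits of 2^s - 1, the third column of Table 4.2."""
    return len(str((1 << s) - 1))


if __name__ == "__main__":
    print("u-sequence for 2^7 - 1 = 127:", lucas_lehmer_trace(7))
    print("2^11 - 1 = 2047 is", lucas_lehmer(11))
    print("Mersenne prime exponents up to 700:", mersenne_prime_exponents(700))
    print("2^607 - 1 has", mersenne_digits(607), "decimal digits")
```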


It is unknown whether there are infinitely many Mersenne primes. Table 4.2 lists the
33 known Mersenne primes.

  j     M_j      decimal digits
  1     2        1
  2     3        1
  3     5        2
  4     7        3
  5     13       4
  6     17       6
  7     19       6
  8     31       10
  9     61       19
 10     89       27
 11     107      33
 12     127      39
 13     521      157
 14     607      183
 15     1279     386
 16     2203     664
 17     2281     687
 18     3217     969
 19     4253     1281
 20     4423     1332
 21     9689     2917
 22     9941     2993
 23     11213    3376
 24     19937    6002
 25     21701    6533
 26     23209    6987
 27     44497    13395
 28     86243    25962
 29     110503   33265
 30     132049   39751
 31     216091   65050
 32?    756839   227832
 33?    859433   258716

Table 4.2: Known Mersenne primes. The table shows the 33 known exponents $M_j$, $1 \le j \le 33$, for
which $2^{M_j} - 1$ is a Mersenne prime, and also the number of decimal digits in $2^{M_j} - 1$. The question
marks after $j = 32$ and $j = 33$ indicate that it is not known whether there are any other exponents $s$
between $M_{31}$ and these numbers for which $2^s - 1$ is prime.


4.3.2 Primality testing using the factorization of $n - 1$

This section presents results which can be used to prove that an integer $n$ is prime, provided
that the factorization or a partial factorization of $n - 1$ is known. It may seem odd to consider
a technique which requires the factorization of $n - 1$ as a subproblem: if integers of this
size can be factored, the primality of $n$ itself could be determined by factoring $n$. However,
the factorization of $n - 1$ may be easier to compute if $n$ has a special form, such as a Fermat
number $n = 2^{2^k} + 1$. Another situation where the factorization of $n - 1$ may be easy to
compute is when the candidate $n$ is "constructed" by specific methods (see §4.4.4).

4.38 Fact Let $n \ge 3$ be an integer. Then $n$ is prime if and only if there exists an integer $a$
satisfying:

(i) $a^{n-1} \equiv 1 \pmod n$; and

(ii) $a^{(n-1)/q} \not\equiv 1 \pmod n$ for each prime divisor $q$ of $n - 1$.

This result follows from the fact that $\mathbb{Z}_n^*$ has an element of order $n - 1$ (Definition 2.128)
if and only if $n$ is prime; an element $a$ satisfying conditions (i) and (ii) has order $n - 1$.

4.39 Note (primality test based on Fact 4.38) If $n$ is a prime, the number of elements of order
$n - 1$ is precisely $\phi(n - 1)$. Hence, to prove a candidate $n$ prime, one may simply choose
an integer $a \in \mathbb{Z}_n$ at random and use Fact 4.38 to check if $a$ has order $n - 1$. If this is
the case, then $n$ is certainly prime. Otherwise, another $a \in \mathbb{Z}_n$ is selected and the test is
repeated. If $n$ is indeed prime, the expected number of iterations before an element $a$ of
order $n - 1$ is selected is $O(\ln\ln n)$; this follows since $(n-1)/\phi(n-1) < 6\ln\ln n$ for
$n \ge 5$ (Fact 2.102). Thus, if such an $a$ is not found after a "reasonable" number (for example,
$12\ln\ln n$) of iterations, then $n$ is probably composite and should again be subjected
to a probabilistic primality test such as Miller-Rabin (Algorithm 4.24).³ This method is, in
effect, a probabilistic compositeness test.

The next result gives a method for proving primality which requires knowledge of only
a partial factorization of $n - 1$.

4.40 Fact (Pocklington's theorem) Let $n \ge 3$ be an integer, and let $n = RF + 1$ (i.e. $F$ divides
$n - 1$) where the prime factorization of $F$ is $F = \prod_{j=1}^{t} q_j^{e_j}$. If there exists an integer $a$
satisfying:

(i) $a^{n-1} \equiv 1 \pmod n$; and

(ii) $\gcd(a^{(n-1)/q_j} - 1, n) = 1$ for each $j$, $1 \le j \le t$,

then every prime divisor $p$ of $n$ is congruent to 1 modulo $F$. It follows that if $F > \sqrt{n} - 1$,
then $n$ is prime.

If $n$ is indeed prime, then the following result establishes that most integers $a$ satisfy
conditions (i) and (ii) of Fact 4.40, provided that the prime divisors of $F > \sqrt{n} - 1$ are
sufficiently large.

4.41 Fact Let $n = RF + 1$ be an odd prime with $F > \sqrt{n} - 1$ and $\gcd(R, F) = 1$. Let the
distinct prime factors of $F$ be $q_1, q_2, \ldots, q_t$. Then the probability that a randomly selected
base $a$, $1 \le a \le n-1$, satisfies both: (i) $a^{n-1} \equiv 1 \pmod n$; and (ii) $\gcd(a^{(n-1)/q_j} - 1, n) = 1$
for each $j$, $1 \le j \le t$, is $\prod_{j=1}^{t}(1 - 1/q_j) \ge 1 - \sum_{j=1}^{t} 1/q_j$.

Thus, if the factorization of a divisor $F > \sqrt{n} - 1$ of $n - 1$ is known then to test $n$ for
primality, one may simply choose random integers $a$ in the interval $[2, n-2]$ until one is
found satisfying conditions (i) and (ii) of Fact 4.40, implying that $n$ is prime. If such an $a$
is not found after a "reasonable" number of iterations,⁴ then $n$ is probably composite and
this could be established by subjecting it to a probabilistic primality test (footnote 3 also
applies here). This method is, in effect, a probabilistic compositeness test.

The next result gives a method for proving primality which only requires the factorization
of a divisor $F$ of $n - 1$ that is greater than $\sqrt[3]{n}$. For an example of the use of Fact 4.42,
see Note 4.63.

4.42 Fact Let $n \ge 3$ be an odd integer. Let $n = 2RF + 1$, and suppose that there exists an
integer $a$ satisfying both: (i) $a^{n-1} \equiv 1 \pmod n$; and (ii) $\gcd(a^{(n-1)/q} - 1, n) = 1$ for
each prime divisor $q$ of $F$. Let $x \ge 0$ and $y$ be defined by $2R = xF + y$ and $0 \le y < F$.
If $F \ge \sqrt[3]{n}$ and if $y^2 - 4x$ is neither 0 nor a perfect square, then $n$ is prime.
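Facts 4.38 and 4.40, with the success estimate of Fact 4.41, in Python, added here as a worked example and not code from the original text. It proves $n = 2^{31} - 1$ prime twice: once from the full factorization $n - 1 = 2 \cdot 3^2 \cdot 7 \cdot 11 \cdot 31 \cdot 151 \cdot 331$ (Fact 4.38) and once from only the partial factor $F = 151 \cdot 331 = 49981 > \sqrt{n} - 1$ (Pocklington), and shows that a composite such as $561 = 16 \cdot 35 + 1$ yields no certifying base even though $F = 35$ satisfies the size condition. Bases are tried in order rather than at random (the text chooses them randomly) so that the result is reproducible; the trial-division factoring helper is an assumption suited to inputs of this size only.

```python
import math


def distinct_prime_factors(m):
    """Distinct prime factors by trial division; adequate for the ~2^31-size examples below."""
    factors, p = [], 2
    while p * p <= m:
        if m % p == 0:
            factors.append(p)
            while m % p == 0:
                m //= p
        p += 1 if p == 2 else 2
    if m > 1:
        factors.append(m)
    return factors


def has_order_n_minus_1(n, a, qs):
    """Fact 4.38: a^(n-1) = 1 and a^((n-1)/q) != 1 (mod n) for every prime q dividing n-1."""
    return pow(a, n - 1, n) == 1 and all(pow(a, (n - 1) // q, n) != 1 for q in qs)


def lucas_primality_certificate(n, max_tries=64):
    """Note 4.39 with the full factorization of n-1 (obtained here by trial division).
    Returns a base a of order n-1, which proves n prime, or None (n is then probably composite)."""
    if n < 3:
        raise ValueError("n must be at least 3")
    qs = distinct_prime_factors(n - 1)
    for a in range(2, min(n - 1, 2 + max_tries)):
        if has_order_n_minus_1(n, a, qs):
            return a
    return None


def pocklington_certificate(n, F, F_primes, max_tries=64):
    """Fact 4.40: n = R*F + 1 with F | n-1, F > sqrt(n) - 1, and the distinct primes of F known.
    Returns a base a satisfying (i) and (ii), which proves n prime, or None."""
    if (n - 1) % F != 0:
        raise ValueError("F must divide n - 1")
    if (F + 1) ** 2 <= n:                           # F > sqrt(n) - 1  <=>  (F + 1)^2 > n
        raise ValueError("F is too small for Pocklington's theorem")
    for a in range(2, min(n - 1, 2 + max_tries)):
        if pow(a, n - 1, n) != 1:                   # condition (i)
            continue
        if all(math.gcd(pow(a, (n - 1) // q, n) - 1, n) == 1 for q in F_primes):   # (ii)
            return a
    return None


def pocklington_success_probability(F_primes):
    """Fact 4.41: fraction of bases certifying a prime n = RF + 1 with gcd(R, F) = 1."""
    prob = 1.0
    for q in F_primes:
        prob *= 1 - 1 / q
    return prob


if __name__ == "__main__":
    n = 2 ** 31 - 1                                 # known prime; n - 1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331
    print("prime factors of n - 1:", distinct_prime_factors(n - 1))
    print("Fact 4.38 certifying base:", lucas_primality_certificate(n))
    F = 151 * 331                                   # 49981 > sqrt(n) - 1 = 46339.9...
    print("Pocklington base with F =", F, ":", pocklington_certificate(n, F, [151, 331]))
    print("fraction of bases that certify (Fact 4.41): %.4f" % pocklington_success_probability([151, 331]))
    print("561 with F = 35 (5 * 7):", pocklington_certificate(561, 35, [5, 7]))
```

For 561 the theorem forces every prime divisor to be $1 \pmod{35}$, which 3, 11 and 17 are not, so no base can satisfy both conditions and the search returns `None` after `max_tries` bases.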


4.3.3 Jacobi sum test

The Jacobi sum test is another true primality test. The basic idea is to test a set of congruences
which are analogues of Fermat's theorem (Fact 2.127(i)) in certain cyclotomic
rings. The running time of the Jacobi sum test for determining the primality of an integer
$n$ is $O((\ln n)^{c\ln\ln\ln n})$ bit operations for some constant $c$. This is "almost" a polynomial-time
algorithm since the exponent $\ln\ln\ln n$ acts like a constant for the range of values for
$n$ of interest. For example, if $n < 2^{512}$, then $\ln\ln\ln n < 1.78$. The version of the Jacobi
sum primality test used in practice is a randomized algorithm which terminates within
$O(k(\ln n)^{c\ln\ln\ln n})$ steps with probability at least $1 - (\frac{1}{2})^k$ for every $k \ge 1$, and always
gives a correct answer. One drawback of the algorithm is that it does not produce a "certificate"
which would enable the answer to be verified in much shorter time than running the
algorithm itself.

The Jacobi sum test is, indeed, practical in the sense that the primality of numbers that
are several hundred decimal digits long can be handled in just a few minutes on a computer.
However, the test is not as easy to program as the probabilistic Miller-Rabin test
(Algorithm 4.24), and the resulting code is not as compact. The details of the algorithm are
complicated and are not given here; pointers to the literature are given in the chapter notes
on page 166.

³ Another approach is to run both algorithms in parallel (with an unlimited number of iterations), until one of
them stops with a definite conclusion "prime" or "composite".

⁴ The number of iterations may be taken to be $T$ where $P^T \le (\frac{1}{2})^{100}$, and where $P = 1 - \prod_{j=1}^{t}(1 - 1/q_j)$.


4.3.4 Tests using elliptic curves

Elliptic curve primality proving algorithms are based on an elliptic curve analogue of Pocklington's
theorem (Fact 4.40). The version of the algorithm used in practice is usually referred
to as Atkin's test or the Elliptic Curve Primality Proving algorithm (ECPP). Under
heuristic arguments, the expected running time of this algorithm for proving the primality
of an integer $n$ has been shown to be $O((\ln n)^{6+\epsilon})$ bit operations for any $\epsilon > 0$. Atkin's
test has the advantage over the Jacobi sum test (§4.3.3) that it produces a short certificate of
primality which can be used to efficiently verify the primality of the number. Atkin's test
has been used to prove the primality of numbers more than 1000 decimal digits long.

The details of the algorithm are complicated and are not presented here; pointers to the
literature are given in the chapter notes on page 166.


4.4 Prime number generation

This section considers algorithms for the generation of prime numbers for cryptographic
purposes. Four algorithms are presented: Algorithm 4.44 for generating probable primes
(see Definition 4.5), Algorithm 4.53 for generating strong primes (see Definition 4.52),
Algorithm 4.56 for generating probable primes $p$ and $q$ suitable for use in the Digital Signature
Algorithm (DSA), and Algorithm 4.62 for generating provable primes (see Definition 4.34).

4.43 Note (prime generation vs. primality testing) Prime number generation differs from primality
testing as described in §4.2 and §4.3, but may and typically does involve the latter.
The former allows the construction of candidates of a fixed form which may lead to more
efficient testing than possible for random candidates.


4.4.1 Random search for probable primes

By the prime number theorem (Fact 2.95), the proportion of (positive) integers $\le x$ that
are prime is approximately $1/\ln x$. Since half of all integers $\le x$ are even, the proportion
of odd integers $\le x$ that are prime is approximately $2/\ln x$. For instance, the proportion
of all odd integers $\le 2^{512}$ that are prime is approximately $2/(512 \cdot \ln 2) \approx 1/177$. This
suggests that a reasonable strategy for selecting a random $k$-bit (probable) prime is to
repeatedly pick random $k$-bit odd integers $n$ until one is found that is declared to be "prime"
by MILLER-RABIN($n$,$t$) (Algorithm 4.24) for an appropriate value of the security parameter
$t$ (discussed below).

If a random $k$-bit odd integer $n$ is divisible by a small prime, it is less computationally
expensive to rule out the candidate $n$ by trial division than by using the Miller-Rabin test.
Since the probability that a random integer $n$ has a small prime divisor is relatively large,
before applying the Miller-Rabin test, the candidate $n$ should be tested for small divisors
below a pre-determined bound $B$. This can be done by dividing $n$ by all the primes below
$B$, or by computing greatest common divisors of $n$ and (pre-computed) products of several
of the primes $\le B$. The proportion of candidate odd integers $n$ not ruled out by this trial
division is $\prod_{3 \le p < B}(1 - \frac{1}{p})$ which, by Mertens's theorem, is approximately $1.12/\ln B$ (here
$p$ ranges over prime values). For example, if $B = 256$, then only 20% of candidate odd
integers $n$ pass the trial division stage, i.e., 80% are discarded before the more costly Miller-Rabin
test is performed.


4.44 Algorithm Random search for a prime using the Miller-Rabin test
RANDOM-SEARCH(k,t)

INPUT: an integer $k$, and a security parameter $t$ (cf. Note 4.49).

OUTPUT: a random $k$-bit probable prime.

1. Generate an odd $k$-bit integer $n$ at random.

2. Use trial division to determine whether $n$ is divisible by any odd prime $\le B$ (see
Note 4.45 for guidance on selecting $B$). If it is then go to step 1.

3. If MILLER-RABIN($n$,$t$) (Algorithm 4.24) outputs "prime" then return($n$).
Otherwise, go to step 1.


4.45 Note (optimal trial division bound $B$) Let $E$ denote the time for a full $k$-bit modular exponentiation,
and let $D$ denote the time required for ruling out one small prime as divisor
of a $k$-bit integer. (The values $E$ and $D$ depend on the particular implementation of long-integer
arithmetic.) Then the trial division bound $B$ that minimizes the expected running
time of Algorithm 4.44 for generating a $k$-bit prime is roughly $B = E/D$. A more accurate
estimate of the optimum choice for $B$ can be obtained experimentally. The odd primes up
to $B$ can be precomputed and stored in a table. If memory is scarce, a value of $B$ that is
smaller than the optimum value may be used.

Since the Miller-Rabin test does not provide a mathematical proof that a number is indeed
prime, the number $n$ returned by Algorithm 4.44 is a probable prime (Definition 4.5).
It is important, therefore, to have an estimate of the probability that $n$ is in fact composite.

4.46 Definition The probability that RANDOM-SEARCH($k$,$t$) (Algorithm 4.44) returns a
composite number is denoted by $p_{k,t}$.
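The trial-division stage of Algorithm 4.44, including the gcd-with-precomputed-products variant mentioned in §4.4.1, in Python, added here as a worked example and not code from the original text. It sieves the primes below $B$, screens random odd $k$-bit candidates with a handful of gcds against products of those primes, and compares the measured survival rate with both the Mertens estimate $1.12/\ln B$ and the exact product $\prod_{3 \le p < B}(1 - 1/p)$. Survivors would then be handed to MILLER-RABIN($n$,$t$); that step is not repeated here. The chunk size `max_bits`, the seed and the function names are this example's own choices.

```python
import math
import random


def primes_below(B):
    """All primes p < B by a sieve of Eratosthenes (the table Note 4.45 says to precompute)."""
    if B <= 2:
        return []
    sieve = bytearray([1]) * B
    sieve[0] = sieve[1] = 0
    for p in range(2, math.isqrt(B - 1) + 1):
        if sieve[p]:
            sieve[p * p::p] = bytearray(len(range(p * p, B, p)))
    return [p for p in range(B) if sieve[p]]


def primorial_chunks(primes, max_bits=512):
    """Products of consecutive odd primes, each kept below 2^max_bits, so that a single gcd
    with a candidate rules out every prime in the chunk at once."""
    chunks, prod = [], 1
    for p in primes:
        if p == 2:
            continue                             # candidates are odd by construction
        if (prod * p).bit_length() > max_bits:
            chunks.append(prod)
            prod = 1
        prod *= p
    if prod > 1:
        chunks.append(prod)
    return chunks


def survives_trial_division(n, chunks):
    """Step 2 of Algorithm 4.44 for an odd candidate n >= B: no odd prime in any chunk divides n."""
    return all(math.gcd(n, c) == 1 for c in chunks)


def mertens_survival_fraction(B):
    """prod_{3 <= p < B} (1 - 1/p): the fraction of odd candidates expected to reach Miller-Rabin."""
    frac = 1.0
    for p in primes_below(B):
        if p > 2:
            frac *= 1 - 1 / p
    return frac


def empirical_survival_fraction(k, B, trials, seed=0):
    """Fraction of random odd k-bit integers that pass the trial-division stage with bound B."""
    rng = random.Random(seed)                    # seeded so the measurement is reproducible
    chunks = primorial_chunks(primes_below(B))
    survivors = 0
    for _ in range(trials):
        n = rng.getrandbits(k) | (1 << (k - 1)) | 1      # force the top bit (k bits) and oddness
        if survives_trial_division(n, chunks):
            survivors += 1
    return survivors / trials


if __name__ == "__main__":
    B = 256
    print("Mertens estimate 1.12/ln B      : %.3f" % (1.12 / math.log(B)))
    print("exact product over primes < B   : %.3f" % mertens_survival_fraction(B))
    print("measured on 2000 odd 512-bit n  : %.3f" % empirical_survival_fraction(512, B, 2000, seed=1))
    print("chunks needed for B = %d: %d" % (B, len(primorial_chunks(primes_below(B)))))
```

With $B = 256$ all 53 odd primes fit in one 512-bit product, so the whole stage costs a single gcd per candidate; the larger $B$ of Note 4.45 simply adds chunks.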

4.47 Note (remarks on estimating $p_{k,t}$) It is tempting to conclude directly from Fact 4.25 that
$p_{k,t} \le (\frac{1}{4})^t$. This reasoning is flawed (although typically the conclusion will be correct in
practice) since it does not take into account the distribution of the primes. (For example, if
all candidates $n$ were chosen from a set $S$ of composite numbers, the probability of error is
1.) The following discussion elaborates on this point. Let $X$ represent the event that $n$ is
composite, and let $Y_t$ denote the event that MILLER-RABIN($n$,$t$) declares $n$ to be prime.
Then Fact 4.25 states that $P(Y_t \mid X) < (\frac{1}{4})^t$. What is relevant, however, to the estimation of
$p_{k,t}$ is the quantity $P(X \mid Y_t)$. Suppose that candidates $n$ are drawn uniformly and randomly
from a set $S$ of odd numbers, and suppose $p$ is the probability that $n$ is prime (this depends
on the candidate set $S$). Assume also that $0 < p < 1$. Then by Bayes' theorem (Fact 2.10):

$$P(X \mid Y_t) = \frac{P(X)\,P(Y_t \mid X)}{P(Y_t)} \le \frac{P(Y_t \mid X)}{P(Y_t)} \le \frac{1}{p}\left(\frac{1}{4}\right)^t,$$

since $P(Y_t) \ge p$. Thus the probability $P(X \mid Y_t)$ may be considerably larger than $(\frac{1}{4})^t$ if $p$ is
small. However, the error-probability of Miller-Rabin is usually far smaller than $(\frac{1}{4})^t$ (see
Remark 4.26). Using better estimates for $P(Y_t \mid X)$ and estimates on the number of $k$-bit
prime numbers, it has been shown that $p_{k,t}$ is, in fact, smaller than $(\frac{1}{4})^t$ for all sufficiently
large $k$. A more concrete result is the following: if candidates $n$ are chosen at random from
the set of odd numbers in the interval $[3, x]$, then $P(X \mid Y_t) \le (\frac{1}{4})^t$ for all $x \ge 10^{60}$.


Further refinements for P(Y_t|X) allow the following explicit upper bounds on p_{k,t} for
various values of k and t.^5


4.48 Fact (some upper bounds on p_{k,t} in Algorithm 4.44)

(i) p_{k,1} < k^2 4^{2−√k} for k ≥ 2.

(ii) p_{k,t} < k^{3/2} 2^t t^{−1/2} 4^{2−√(tk)} for (t = 2, k ≥ 88) or (3 ≤ t ≤ k/9, k ≥ 21).

(iii) p_{k,t} < (7/20) k 2^{−5t} + (1/7) k^{15/4} 2^{−k/2−2t} + 12k 2^{−k/4−3t} for k/9 ≤ t ≤ k/4, k ≥ 21.

(iv) p_{k,t} < (1/7) k^{15/4} 2^{−k/2−2t} for t ≥ k/4, k ≥ 21.

For example, if k = 512 and t = 6, then Fact 4.48(ii) gives p_{512,6} < (1/2)^88. In other
words, the probability that RANDOM-SEARCH(512,6) returns a 512-bit composite integer
is less than (1/2)^88. Using more advanced techniques, the upper bounds on p_{k,t} given by
Fact 4.48 have been improved. These upper bounds arise from complicated formulae which
are not given here. Table 4.3 lists some improved upper bounds on p_{k,t} for some sample
values of k and t. As an example, the probability that RANDOM-SEARCH(500,6) returns
a composite number is ≤ (1/2)^92. Notice that the values of p_{k,t} implied by the table are
considerably smaller than (1/4)^t = (1/2)^{2t}.


    k |  t=1  t=2  t=3  t=4  t=5  t=6  t=7  t=8  t=9  t=10
 -----+-----------------------------------------------------
  100 |    5   14   20   25   29   33   36   39   41    44
  150 |    8   20   28   34   39   43   47   51   54    57
  200 |   11   25   34   41   47   52   57   61   65    69
  250 |   14   29   39   47   54   60   65   70   75    79
  300 |   19   33   44   53   60   67   73   78   83    88
  350 |   28   38   48   58   66   73   80   86   91    97
  400 |   37   46   55   63   72   80   87   93   99   105
  450 |   46   54   62   70   78   85   93  100  106   112
  500 |   56   63   70   78   85   92   99  106  113   119
  550 |   65   72   79   86   93  100  107  113  119   126
  600 |   75   82   88   95  102  108  115  121  127   133

Table 4.3: Upper bounds on p_{k,t} for sample values of k and t. An entry j corresponding to k and t
implies p_{k,t} ≤ (1/2)^j.


^5 The estimates of p_{k,t} presented in the remainder of this subsection were derived for the situation where
Algorithm 4.44 does not use trial division by small primes to rule out some candidates n. Since trial division never
rules out a prime, it can only give a better chance of rejecting composites. Thus the error probability p_{k,t} might
actually be even smaller than the estimates given here.
4.49 Note (controlling the error probability) In practice, one is usually willing to tolerate an
error probability of (1/2)^80 when using Algorithm 4.44 to generate probable primes. For
sample values of k, Table 4.4 lists the smallest value of t that can be derived from Fact 4.48
for which p_{k,t} ≤ (1/2)^80. For example, when generating 1000-bit probable primes, Miller-
Rabin with t = 3 repetitions suffices. Algorithm 4.44 rules out most candidates n either
by trial division (in step 2) or by performing just one iteration of the Miller-Rabin test (in
step 3). For this reason, the only effect of selecting a larger security parameter t on the
running time of the algorithm will likely be to increase the time required in the final stage when
the (probable) prime is chosen.


    k   t  |    k   t  |    k   t  |    k   t  |    k   t
  100  27  |  500   6  |  900   3  | 1300   2  | 1700   2
  150  18  |  550   5  |  950   3  | 1350   2  | 1750   2
  200  15  |  600   5  | 1000   3  | 1400   2  | 1800   2
  250  12  |  650   4  | 1050   3  | 1450   2  | 1850   2
  300   9  |  700   4  | 1100   3  | 1500   2  | 1900   2
  350   8  |  750   4  | 1150   3  | 1550   2  | 1950   2
  400   7  |  800   4  | 1200   3  | 1600   2  | 2000   2
  450   6  |  850   3  | 1250   3  | 1650   2  | 2050   2

Table 4.4: For sample k, the smallest t from Fact 4.48 is given for which p_{k,t} ≤ (1/2)^80.
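The bounds of Fact 4.48 carried through in code, as an added Python example that is not part of the handbook: it evaluates the tightest applicable bound in the log domain (the raw powers underflow a float for large k) and recovers the entries of Table 4.4 by searching for the smallest t with p_{k,t} ≤ (1/2)^80. The function names are mine.

```python
import math


def _log2_sum(logs):
    """log2(sum(2**x for x in logs)) computed without forming the tiny powers."""
    top = max(logs)
    return top + math.log2(sum(2 ** (x - top) for x in logs))


def log2_error_bound(k, t):
    """log2 of the tightest bound of Fact 4.48 that applies to (k, t), or math.inf
    if none of (i)-(iv) covers the pair. Everything stays in the log domain because
    factors such as 2^(-k/2) underflow a float for the larger k of Table 4.4."""
    lg, sqrt = math.log2, math.sqrt
    bounds = []
    if t == 1 and k >= 2:                                        # (i)
        bounds.append(2 * lg(k) + 2 * (2 - sqrt(k)))
    if (t == 2 and k >= 88) or (3 <= t <= k / 9 and k >= 21):    # (ii)
        bounds.append(1.5 * lg(k) + t - 0.5 * lg(t) + 2 * (2 - sqrt(t * k)))
    if k / 9 <= t <= k / 4 and k >= 21:                          # (iii): three summands
        bounds.append(_log2_sum([lg(7 / 20) + lg(k) - 5 * t,
                                 lg(1 / 7) + 3.75 * lg(k) - k / 2 - 2 * t,
                                 lg(12) + lg(k) - k / 4 - 3 * t]))
    if t >= k / 4 and k >= 21:                                   # (iv)
        bounds.append(lg(1 / 7) + 3.75 * lg(k) - k / 2 - 2 * t)
    return min(bounds, default=math.inf)


def smallest_t(k, target_bits=80, t_max=256):
    """Smallest t for which Fact 4.48 guarantees p_{k,t} <= (1/2)^target_bits
    (the quantity tabulated in Table 4.4), or None if no t up to t_max does."""
    for t in range(1, t_max + 1):
        if log2_error_bound(k, t) <= -target_bits:
            return t
    return None


def table_4_4(ks=range(100, 2051, 50)):
    """Recompute Table 4.4 as {k: smallest t} for k = 100, 150, ..., 2050."""
    return {k: smallest_t(k) for k in ks}


if __name__ == "__main__":
    # Fact 4.48(ii) for k = 512, t = 6 gives p_{512,6} < (1/2)^88
    print("p_{512,6} < (1/2)^%d" % -math.ceil(log2_error_bound(512, 6)))
    for k, t in table_4_4().items():
        print(k, t)
```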


4.50 Remark (Miller-Rabin test with base a = 2) The Miller-Rabin test involves exponentiating
the base a; this may be performed using the repeated square-and-multiply algorithm
(Algorithm 2.143). If a = 2, then multiplication by a is a simple procedure relative to
multiplying by a in general. One optimization of Algorithm 4.44 is, therefore, to fix the base
a = 2 when first performing the Miller-Rabin test in step 3. Since most composite numbers
will fail the Miller-Rabin test with base a = 2, this modification will lower the expected
running time of Algorithm 4.44.

4.51 Note (incremental search)

(i) An alternative technique to generating candidates n at random in step 1 of Algorithm
4.44 is to first select a random k-bit odd number n_0, and then test the s numbers
n = n_0, n_0 + 2, n_0 + 4, ..., n_0 + 2(s − 1) for primality. If all these s candidates are
found to be composite, the algorithm is said to have failed. If s = c · ln 2^k where c is a
constant, the probability q_{k,t,s} that this incremental search variant of Algorithm 4.44
returns a composite number has been shown to be less than δk^3 2^{−√k} for some
constant δ. Table 4.5 gives some explicit bounds on this error probability for k = 500 and
t ≤ 10. Under reasonable number-theoretic assumptions, the probability of the algorithm
failing has been shown to be less than 2e^{−2c} for large k (here, e ≈ 2.71828).

(ii) Incremental search has the advantage that fewer random bits are required. Furthermore,
the trial division by small primes in step 2 of Algorithm 4.44 can be accomplished
very efficiently as follows. First the values R[p] = n_0 mod p are computed
for each odd prime p ≤ B. Each time 2 is added to the current candidate, the values
in the table R are updated as R[p] ← (R[p] + 2) mod p. The candidate passes the trial
division stage if and only if none of the R[p] values equal 0.

(iii) If B is large, an alternative method for doing the trial division is to initialize a table
S[i] ← 0 for 0 ≤ i ≤ (s − 1); the entry S[i] corresponds to the candidate n_0 + 2i.
For each odd prime p ≤ B, n_0 mod p is computed. Let j be the smallest index for
which (n_0 + 2j) ≡ 0 (mod p). Then S[j] and each pth entry after it are set to 1. A
candidate n_0 + 2i then passes the trial division stage if and only if S[i] = 0. Note
that the estimate for the optimal trial division bound B given in Note 4.45 does not
apply here (nor in (ii)) since the cost of division is amortized over all candidates.

    c |  t=1  t=2  t=3  t=4  t=5  t=6  t=7  t=8  t=9  t=10
 -----+-----------------------------------------------------
    1 |   17   37   51   63   72   81   89   96  103   110
    5 |   13   32   46   58   68   77   85   92   99   105
   10 |   11   30   44   56   66   75   83   90   97   103

Table 4.5: Upper bounds on the error probability of incremental search (Note 4.51) for k = 500
and sample values of c and t. An entry j corresponding to c and t implies q_{500,t,s} ≤ (1/2)^j, where
s = c · ln 2^500.
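The two trial-division bookkeeping schemes of Note 4.51(ii) and (iii), as an added Python example that is not the handbook's own code. Both functions return the candidates n_0 + 2i that survive trial division by the odd primes p ≤ B, so the two methods can be checked against each other; the survivors are what the Miller-Rabin stage of Algorithm 4.44 would then test (that stage is not included here). It assumes n_0 > B, as it is for k-bit candidates, so no small prime is ever rejected as its own divisor.

```python
import math
import random


def odd_primes_upto(B):
    """Odd primes p <= B, the precomputed trial-division table of Note 4.45."""
    return [p for p in range(3, B + 1, 2)
            if all(p % d for d in range(3, math.isqrt(p) + 1, 2))]


def survivors_residue_table(n0, s, B):
    """Note 4.51(ii): hold R[p] = (current candidate) mod p for every odd prime
    p <= B and add 2 (mod p) to each entry as the candidate advances by 2; the
    candidate passes trial division iff no entry is 0. Returns the passing candidates."""
    primes = odd_primes_upto(B)
    R = {p: n0 % p for p in primes}
    passed = []
    for i in range(s):
        if all(R[p] != 0 for p in primes):
            passed.append(n0 + 2 * i)
        for p in primes:
            R[p] = (R[p] + 2) % p
    return passed


def survivors_sieve_table(n0, s, B):
    """Note 4.51(iii): S[i] = 0 for 0 <= i <= s - 1, entry i standing for n0 + 2i.
    For each odd prime p <= B find the smallest j with n0 + 2j = 0 (mod p) and set
    S[j] and every p-th entry after it to 1; candidate i passes iff S[i] = 0."""
    S = bytearray(s)
    for p in odd_primes_upto(B):
        # 2j = -n0 (mod p); since p is odd, the inverse of 2 mod p is (p + 1) / 2
        j = ((-n0) % p) * ((p + 1) // 2) % p
        for idx in range(j, s, p):
            S[idx] = 1
    return [n0 + 2 * i for i in range(s) if S[i] == 0]


def incremental_candidates(k, c, B, rng=random):
    """Note 4.51(i): a random k-bit odd n0 and s = ceil(c * ln 2^k) candidates
    n0, n0 + 2, ..., n0 + 2(s - 1). Returns (n0, s, candidates surviving trial
    division); Algorithm 4.44 would pass those survivors on to MILLER-RABIN."""
    if (1 << (k - 1)) <= B:
        raise ValueError("candidates must exceed B, or primes <= B would be sieved out")
    n0 = rng.getrandbits(k) | (1 << (k - 1)) | 1
    s = math.ceil(c * k * math.log(2))          # ln 2^k = k ln 2
    return n0, s, survivors_sieve_table(n0, s, B)
```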


4.4.2  Strong  primes 

The RSA cryptosystem (§8.2) uses a modulus of the form n = pq, where p and q are
distinct odd primes. The primes p and q must be of sufficient size that factorization of their
product is beyond computational reach. Moreover, they should be random primes in the
sense that they be chosen as a function of a random input through a process defining a pool
of candidates of sufficient cardinality that an exhaustive attack is infeasible. In practice, the
resulting primes must also be of a pre-determined bitlength, to meet system specifications.
The discovery of the RSA cryptosystem led to the consideration of several additional
constraints on the choice of p and q which are necessary to ensure that the resulting RSA system
is safe from cryptanalytic attack, and the notion of a strong prime (Definition 4.52) was defined.
These attacks are described at length in Note 8.8(iii); as noted there, it is now believed that
strong primes offer little protection beyond that offered by random primes, since randomly
selected primes of the sizes typically used in RSA moduli today will satisfy the constraints
with high probability. On the other hand, they are no less secure, and require only minimal
additional running time to compute; thus, there is little real additional cost in using them.

4.52 Definition A prime number p is said to be a strong prime if integers r, s, and t exist such
that the following three conditions are satisfied:

(i) p − 1 has a large prime factor, denoted r;

(ii) p + 1 has a large prime factor, denoted s; and

(iii) r − 1 has a large prime factor, denoted t.

In Definition 4.52, a precise qualification of "large" depends on specific attacks that should
be guarded against; for further details, see Note 8.8(iii).
4.53 Algorithm Gordon's algorithm for generating a strong prime
SUMMARY: a strong prime p is generated.

1. Generate two large random primes s and t of roughly equal bitlength (see Note 4.54).

2. Select an integer i_0. Find the first prime in the sequence 2it + 1, for i = i_0, i_0 +
1, i_0 + 2, ... (see Note 4.54). Denote this prime by r = 2it + 1.

3. Compute p_0 = 2(s^{r−2} mod r)s − 1.

4. Select an integer j_0. Find the first prime in the sequence p_0 + 2jrs, for j = j_0, j_0 +
1, j_0 + 2, ... (see Note 4.54). Denote this prime by p = p_0 + 2jrs.

5. Return(p).


Justification. To see that the prime p returned by Gordon's algorithm is indeed a strong
prime, observe first (assuming r ≠ s) that s^{r−1} ≡ 1 (mod r); this follows from Fermat's
theorem (Fact 2.127). Hence, p_0 ≡ 1 (mod r) and p_0 ≡ −1 (mod s). Finally (cf. Definition
4.52),

(i) p − 1 = p_0 + 2jrs − 1 ≡ 0 (mod r), and hence p − 1 has the prime factor r;

(ii) p + 1 = p_0 + 2jrs + 1 ≡ 0 (mod s), and hence p + 1 has the prime factor s; and

(iii) r − 1 = 2it ≡ 0 (mod t), and hence r − 1 has the prime factor t.

4.54 Note (implementing Gordon's algorithm)

(i) The primes s and t required in step 1 can be probable primes generated by Algorithm
4.44. The Miller-Rabin test (Algorithm 4.24) can be used to test each candidate
for primality in steps 2 and 4, after ruling out candidates that are divisible by a small
prime less than some bound B. See Note 4.45 for guidance on selecting B. Since the
Miller-Rabin test is a probabilistic primality test, the output of this implementation
of Gordon's algorithm is a probable prime.

(ii) By carefully choosing the sizes of primes s, t and parameters i_0, j_0, one can control
the exact bitlength of the resulting prime p. Note that the bitlengths of r and s will
be about half that of p, while the bitlength of t will be slightly less than that of r.

4.55 Fact (running time of Gordon's algorithm) If the Miller-Rabin test is the primality test used
in steps 1, 2, and 4, the expected time Gordon's algorithm takes to find a strong prime is only
about 19% more than the expected time Algorithm 4.44 takes to find a random prime.


4.4.3  NIST  method  for  generating  DSA  primes 

Some public-key schemes require primes satisfying various specific conditions. For example,
the NIST Digital Signature Algorithm (DSA of §11.5.1) requires two primes p and q
satisfying the following three conditions:

(i) 2^159 < q < 2^160; that is, q is a 160-bit prime;

(ii) 2^{L−1} < p < 2^L for a specified L, where L = 512 + 64l for some 0 ≤ l ≤ 8; and

(iii) q divides p − 1.

This section presents an algorithm for generating such primes p and q. In the following,
H denotes the SHA-1 hash function (Algorithm 9.53) which maps bitstrings of bitlength
< 2^64 to 160-bit hash-codes. Where required, an integer x in the range 0 ≤ x < 2^g whose
binary representation is x = x_{g−1}2^{g−1} + x_{g−2}2^{g−2} + ··· + x_2 2^2 + x_1 2 + x_0 should be
converted to the g-bit sequence (x_{g−1} x_{g−2} ··· x_2 x_1 x_0), and vice versa.


©1997  by  CRC  Press,  Inc.  — See  accompanying  notice  at  front  of  chapter. 



4.56 Algorithm NIST method for generating DSA primes
INPUT: an integer l, 0 ≤ l ≤ 8.

OUTPUT: a 160-bit prime q and an L-bit prime p, where L = 512 + 64l and q | (p − 1).

1. Compute L = 512 + 64l. Using long division of (L − 1) by 160, find n, b such that
L − 1 = 160n + b, where 0 ≤ b < 160.

2. Repeat the following:

2.1 Choose a random seed s (not necessarily secret) of bitlength g ≥ 160.

2.2 Compute U = H(s) ⊕ H((s + 1) mod 2^g).

2.3 Form q from U by setting to 1 the most significant and least significant bits of
U. (Note that q is a 160-bit odd integer.)

2.4 Test q for primality using MILLER-RABIN(q,t) for t ≥ 18 (see Note 4.57).
Until q is found to be a (probable) prime.

3. Set i ← 0, j ← 2.

4. While i < 4096 do the following:

4.1 For k from 0 to n do the following: set V_k ← H((s + j + k) mod 2^g).

4.2 For the integer W defined below, let X = W + 2^{L−1}. (X is an L-bit integer.)

W = V_0 + V_1 2^160 + V_2 2^320 + ··· + V_{n−1} 2^{160(n−1)} + (V_n mod 2^b) 2^{160n}

4.3 Compute c = X mod 2q and set p = X − (c − 1). (Note that p ≡ 1 (mod 2q).)

4.4 If p ≥ 2^{L−1} then do the following:

Test p for primality using MILLER-RABIN(p,t) for t ≥ 5 (see Note 4.57).
If p is a (probable) prime then return(q,p).

4.5 Set i ← i + 1, j ← j + n + 1.

5. Go to step 2.


4.57 Note (choice of primality test in Algorithm 4.56)

(i) The FIPS 186 document where Algorithm 4.56 was originally described only specifies
that a robust primality test be used in steps 2.4 and 4.4, i.e., a primality test where
the probability of a composite integer being declared prime is at most (1/2)^80. If the
heuristic assumption is made that q is a randomly chosen 160-bit integer then, by Table
4.4, MILLER-RABIN(q,18) is a robust test for the primality of q. If p is assumed
to be a randomly chosen L-bit integer, then by Table 4.4, MILLER-RABIN(p,5) is
a robust test for the primality of p. Since the Miller-Rabin test is a probabilistic
primality test, the output of Algorithm 4.56 is a probable prime.

(ii) To improve performance, candidate primes q and p should be subjected to trial division
by all odd primes less than some bound B before invoking the Miller-Rabin test.
See Note 4.45 for guidance on selecting B.

4.58 Note ("weak" primes cannot be intentionally constructed) Algorithm 4.56 has the feature
that the random seed s is not input to the prime number generation portion of the algorithm
itself, but rather to an unpredictable and uncontrollable randomization process (steps 2.2
and 4.1), the output of which is used as the actual random seed. This precludes manipulation
of the input seed to the prime number generation. If the seed s and counter i are made public,
then anyone can verify that q and p were generated using the approved method. This feature
prevents a central authority who generates p and q as system-wide parameters for use in the
DSA from intentionally constructing "weak" primes q and p which it could subsequently
exploit to recover other entities' private keys.
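Algorithm 4.56 together with the public verification described in Note 4.58, as an added Python example that is neither the handbook's nor NIST's code. It assumes a seed bitlength g = 160 and encodes the g-bit sequence of an integer as 20 big-endian bytes before hashing; the Miller-Rabin routine follows Algorithm 4.24 with the repetition counts of Note 4.57. The verifier only recomputes q and p from (seed, counter) and retests them; it does not check that no smaller counter would also have produced a prime.

```python
import hashlib
import random

G = 160  # seed bitlength g; Algorithm 4.56 requires g >= 160 (constructed choice)


def miller_rabin(n, t, rng=random):
    """MILLER-RABIN(n, t) (Algorithm 4.24) with t random bases.
    True means "probable prime"; False means n is certainly composite."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    r, s = n - 1, 0                      # n - 1 = 2^s * r with r odd
    while r % 2 == 0:
        r //= 2
        s += 1
    for _ in range(t):
        a = rng.randrange(2, n - 1)      # base a in [2, n - 2]
        y = pow(a, r, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = pow(y, 2, n)
            if y == n - 1:
                break
            if y == 1:
                return False             # non-trivial square root of 1: composite
        else:
            return False
    return True


def H(x):
    """The hash H of Algorithm 4.56 (SHA-1) applied to the G-bit encoding of integer x."""
    return int.from_bytes(hashlib.sha1(x.to_bytes(G // 8, "big")).digest(), "big")


def q_from_seed(s):
    """Steps 2.2-2.3: U = H(s) XOR H((s + 1) mod 2^g); set the top and bottom bits of U."""
    U = H(s) ^ H((s + 1) % (1 << G))
    return U | (1 << 159) | 1


def x_from_seed(s, j, n, b, L):
    """Steps 4.1-4.2: V_k = H((s + j + k) mod 2^g) for k = 0..n, then
    W = V_0 + V_1 2^160 + ... + V_{n-1} 2^{160(n-1)} + (V_n mod 2^b) 2^{160n}, X = W + 2^{L-1}."""
    V = [H((s + j + k) % (1 << G)) for k in range(n + 1)]
    W = sum(V[k] << (160 * k) for k in range(n)) + ((V[n] % (1 << b)) << (160 * n))
    return W + (1 << (L - 1))


def generate_dsa_primes(l, rng=random):
    """Algorithm 4.56. Returns (q, p, seed, counter): q a 160-bit probable prime,
    p an L-bit probable prime with q | p - 1, and the seed s and counter i that
    reproduce them (Note 4.58)."""
    if not 0 <= l <= 8:
        raise ValueError("l must be in 0..8")
    L = 512 + 64 * l                      # step 1
    n, b = divmod(L - 1, 160)             # L - 1 = 160n + b
    while True:
        while True:                       # step 2: find q
            s = rng.getrandbits(G)
            q = q_from_seed(s)
            if miller_rabin(q, 18, rng):  # t >= 18 (Note 4.57)
                break
        i, j = 0, 2                       # step 3
        while i < 4096:                   # step 4
            X = x_from_seed(s, j, n, b, L)
            c = X % (2 * q)               # step 4.3: p = X - (c - 1), so p = 1 (mod 2q)
            p = X - (c - 1)
            if p >= (1 << (L - 1)) and miller_rabin(p, 5, rng):   # step 4.4, t >= 5
                return q, p, s, i
            i, j = i + 1, j + n + 1       # step 4.5
        # step 5: no p found for this seed; go back to step 2 with a fresh seed


def verify_dsa_primes(l, s, counter, q, p, rng=random):
    """Note 4.58: anyone holding (seed, counter) can recompute q and p and confirm
    they came from the approved procedure rather than being hand-picked."""
    L = 512 + 64 * l
    n, b = divmod(L - 1, 160)
    if q != q_from_seed(s) or not miller_rabin(q, 18, rng):
        return False
    X = x_from_seed(s, 2 + counter * (n + 1), n, b, L)
    if p != X - (X % (2 * q) - 1) or p < (1 << (L - 1)):
        return False
    return miller_rabin(p, 5, rng)
```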
4.4.4 Constructive techniques for provable primes

Maurer’s  algorithm  (Algorithm  4.62)  generates  random  provable  primes  that  are  almost 
uniformly  distributed  over  the  set  of  all  primes  of  a specified  size.  The  expected  time  for 
generating  a prime  is  only  slightly  greater  than  that  for  generating  a probable  prime  of  equal 
size  using  Algorithm  4.44  with  security  parameter  t = 1.  (In  practice,  one  may  wish  to 
choose  t > 1 in  Algorithm  4.44;  cf.  Note  4.49.) 

The  main  idea  behind  Algorithm  4.62  is  Fact  4.59,  which  is  a slight  modification  of 
Pocklington’s  theorem  (Fact  4.40)  and  Fact  4.41. 

4.59 Fact Let n ≥ 3 be an odd integer, and suppose that n = 1 + 2Rq where q is an odd prime.
Suppose further that q > R.

(i) If there exists an integer a satisfying a^{n−1} ≡ 1 (mod n) and gcd(a^{2R} − 1, n) = 1,
then n is prime.

(ii) If n is prime, the probability that a randomly selected base a, 1 ≤ a ≤ n − 1, satisfies
a^{n−1} ≡ 1 (mod n) and gcd(a^{2R} − 1, n) = 1 is (1 − 1/q).

Algorithm 4.62 recursively generates an odd prime q, and then chooses random integers R,
R < q, until n = 2Rq + 1 can be proven prime using Fact 4.59(i) for some base a. By
Fact 4.59(ii) the proportion of such bases is 1 − 1/q for prime n. On the other hand, if n is
composite, then most bases a will fail to satisfy the condition a^{n−1} ≡ 1 (mod n).

4.60 Note (description of constants c and m in Algorithm 4.62)

(i) The optimal value of the constant c defining the trial division bound B = ck^2 in
step 2 depends on the implementation of long-integer arithmetic, and is best determined
experimentally (cf. Note 4.45).

(ii) The constant m = 20 ensures that I is at least 20 bits long and hence the interval
from which R is selected, namely [I + 1, 2I], is sufficiently large (for the values of
k of practical interest) that it most likely contains at least one value R for which n =
2Rq + 1 is prime.

4.61 Note (relative size r of q with respect to n in Algorithm 4.62) The relative size r of q with
respect to n is defined to be r = lg q / lg n. In order to assure that the generated prime n is
chosen randomly with essentially uniform distribution from the set of all k-bit primes, the
size of the prime factor q of n − 1 must be chosen according to the probability distribution
of the largest prime factor of a randomly selected k-bit integer. Since q must be greater than
R in order for Fact 4.59 to apply, the relative size r of q is restricted to being in the interval
[1/2, 1]. It can be deduced from Fact 3.7(i) that the cumulative probability distribution of the
relative size r of the largest prime factor of a large random integer, given that r is at least
1/2, is (1 + lg r) for 1/2 ≤ r ≤ 1. In step 4 of Algorithm 4.62, the relative size r is generated
according to this distribution by selecting a random number s ∈ [0, 1] and then setting r =
2^{s−1}. If k ≤ 2m then r is chosen to be the smallest permissible value, namely 1/2, in order
to ensure that the interval from which R is selected is sufficiently large (cf. Note 4.60(ii)).
4.62 Algorithm Maurer's algorithm for generating provable primes

PROVABLE_PRIME(k)

INPUT: a positive integer k.

OUTPUT: a k-bit prime number n.

1. (If k is small, then test random integers by trial division. A table of small primes may
be precomputed for this purpose.)

If k ≤ 20 then repeatedly do the following:

1.1 Select a random k-bit odd integer n.

1.2 Use trial division by all primes less than √n to determine whether n is prime.

1.3 If n is prime then return(n).

2. Set c ← 0.1 and m ← 20 (see Note 4.60).

3. (Trial division bound) Set B ← c · k^2 (see Note 4.60).

4. (Generate r, the size of q relative to n; see Note 4.61) If k > 2m then repeatedly
do the following: select a random number s in the interval [0, 1], set r ← 2^{s−1}, until
(k − rk) > m. Otherwise (i.e. k ≤ 2m), set r ← 0.5.

5. Compute q ← PROVABLE_PRIME(⌊r · k⌋ + 1).

6. Set I ← ⌊2^{k−1}/(2q)⌋.

7. success ← 0.

8. While (success = 0) do the following:

8.1 (select a candidate integer n) Select a random integer R in the interval [I +
1, 2I] and set n ← 2Rq + 1.

8.2 Use trial division to determine whether n is divisible by any prime number < B.
If it is not then do the following:

Select a random integer a in the interval [2, n − 2].

Compute b ← a^{n−1} mod n.

If b = 1 then do the following:

Compute b ← a^{2R} mod n and d ← gcd(b − 1, n).

If d = 1 then success ← 1.

9. Return(n).


4.63 Note (improvements to Algorithm 4.62)

(i) A speedup can be achieved by using Fact 4.42 instead of Fact 4.59(i) for proving
n = 2Rq + 1 prime in step 8.2 of Maurer's algorithm, since Fact 4.42 only requires that
q be greater than ∛n.

(ii) If a candidate n passes the trial division (in step 8.2), then a Miller-Rabin test (Algorithm
4.24) with the single base a = 2 should be performed on n; only if n passes
this test should the attempt to prove its primality (the remainder of step 8.2) be
undertaken. This leads to a faster implementation due to the efficiency of the Miller-Rabin
test with a single base a = 2 (cf. Remark 4.50).

(iii) Step 4 requires the use of real number arithmetic when computing 2^{s−1}. To avoid
these computations, one can precompute and store a list of such values for a selection
of random numbers s ∈ [0, 1].
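Maurer's algorithm (Algorithm 4.62) as an added Python example that is not the handbook's own code. Besides the prime n it returns the chain of (n, q, R, a) witnesses produced at each recursion level, so that a verifier can recheck Fact 4.59(i) level by level down to a small prime; that certificate is what makes the output provable rather than probable. The certificate format and the function names are mine; the constants c = 0.1 and m = 20 follow Note 4.60.

```python
import math
import random


def primes_below(B):
    """All primes < B (sieve of Eratosthenes) for the trial division of step 8.2."""
    B = max(int(B), 3)
    sieve = bytearray([1]) * B
    sieve[0] = sieve[1] = 0
    for i in range(2, math.isqrt(B - 1) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytes(len(range(i * i, B, i)))
    return [i for i in range(B) if sieve[i]]


def is_prime_by_trial_division(n):
    """Exact primality test for the small integers of step 1 (and for certificate leaves)."""
    return n >= 2 and all(n % d for d in range(2, math.isqrt(n) + 1))


def provable_prime(k, rng=random, c=0.1, m=20):
    """PROVABLE_PRIME(k), Algorithm 4.62. Returns (n, cert): n is a k-bit prime and
    cert lists (n_i, q_i, R_i, a_i) witnesses, outermost first, each satisfying
    Fact 4.59(i); the innermost q_i is at most 20 bits and is checked by trial division."""
    if k < 2:
        raise ValueError("k must be at least 2")
    if k <= 20:                                   # step 1: random odd n, trial division
        while True:
            n = rng.getrandbits(k) | (1 << (k - 1)) | 1
            if is_prime_by_trial_division(n):
                return n, []
    B = c * k * k                                 # steps 2-3: trial division bound B = c k^2
    if k > 2 * m:                                 # step 4: relative size r of q (Note 4.61)
        while True:
            s = rng.random()                      # s uniform in [0, 1]
            r = 2 ** (s - 1)
            if k - r * k > m:
                break
    else:
        r = 0.5
    q, cert = provable_prime(int(r * k) + 1, rng, c, m)   # step 5: q has floor(rk)+1 bits
    I = (1 << (k - 1)) // (2 * q)                 # step 6
    small = primes_below(B)
    while True:                                   # steps 7-8: loop until success
        R = rng.randint(I + 1, 2 * I)             # 8.1: n = 2Rq + 1 is then a k-bit integer
        n = 2 * R * q + 1
        if any(n % p == 0 for p in small):        # 8.2: n > B, so any hit means n is composite
            continue
        a = rng.randint(2, n - 2)
        if pow(a, n - 1, n) != 1:                 # b = a^(n-1) mod n must equal 1
            continue
        if math.gcd(pow(a, 2 * R, n) - 1, n) == 1:   # d = gcd(a^(2R) - 1, n) = 1: n is prime
            return n, [(n, q, R, a)] + cert


def verify_certificate(n, cert):
    """Recheck every level with Fact 4.59(i): n_i = 2 R_i q_i + 1, q_i > R_i,
    a_i^(n_i - 1) = 1 (mod n_i), gcd(a_i^(2 R_i) - 1, n_i) = 1; then the last q directly."""
    current = n
    for n_i, q_i, R_i, a_i in cert:
        if n_i != current or n_i != 2 * R_i * q_i + 1 or q_i <= R_i:
            return False
        if pow(a_i, n_i - 1, n_i) != 1 or math.gcd(pow(a_i, 2 * R_i, n_i) - 1, n_i) != 1:
            return False
        current = q_i
    return is_prime_by_trial_division(current)
```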

4.64 Note (provable primes vs. probable primes) Probable primes are advantageous over provable
primes in that Algorithm 4.44 for generating probable primes with t = 1 is slightly
faster than Maurer's algorithm. Moreover, the latter requires more run-time memory due
to its recursive nature. Provable primes are preferable to probable primes in the sense that
the former have zero error probability. In any cryptographic application, however, there
is always a non-zero error probability of some catastrophic failure, such as the adversary
guessing a secret key or hardware failure. Since the error probability of probable primes
can be efficiently brought down to acceptably low levels (see Note 4.49 but note the dependence
on t), there appears to be no reason for mandating the use of provable primes over
probable primes.


4.5 Irreducible polynomials over Z_p

Recall (Definition 2.190) that a polynomial f(x) ∈ Z_p[x] of degree m ≥ 1 is said to be
irreducible over Z_p if it cannot be written as a product of two polynomials in Z_p[x] each
having degree less than m. Such a polynomial f(x) can be used to represent the elements
of the finite field F_{p^m} as F_{p^m} = Z_p[x]/(f(x)), the set of all polynomials in Z_p[x] of
degree less than m where the addition and multiplication of polynomials is performed modulo
f(x) (see §2.6.3). This section presents techniques for constructing irreducible polynomials
over Z_p, where p is a prime. The characteristic two finite fields F_{2^m} are of particular
interest for cryptographic applications because the arithmetic in these fields can be efficiently
performed both in software and in hardware. For this reason, additional attention is given
to the special case of irreducible polynomials over Z_2.

The arithmetic in finite fields can usually be implemented more efficiently if the irreducible
polynomial chosen has few non-zero terms. Irreducible trinomials, i.e., irreducible
polynomials having exactly three non-zero terms, are considered in §4.5.2. Primitive
polynomials, i.e., irreducible polynomials f(x) of degree m in Z_p[x] for which x is a generator
of F*_{p^m}, the multiplicative group of the finite field F_{p^m} = Z_p[x]/(f(x)) (Definition 2.228),
are the topic of §4.5.3. Primitive polynomials are also used in the generation of linear
feedback shift register sequences having the maximum possible period (Fact 6.12).


4.5.1  Irreducible  polynomials 

If f(x) ∈ Z_p[x] is irreducible over Z_p and a is a non-zero element in Z_p, then a · f(x) is also
irreducible over Z_p. Hence it suffices to restrict attention to monic polynomials in Z_p[x],
i.e., polynomials whose leading coefficient is 1. Observe also that if f(x) is an irreducible
polynomial, then its constant term must be non-zero. In particular, if f(x) ∈ Z_2[x], then
its constant term must be 1.

There is a formula for computing exactly the number of monic irreducible polynomials
in Z_p[x] of a fixed degree. The Möbius function, which is defined next, is used in this
formula.

4.65 Definition Let m be a positive integer. The Möbius function μ is defined by

$$\mu(m) = \begin{cases} 1, & \text{if } m = 1,\\ 0, & \text{if } m \text{ is divisible by the square of a prime},\\ (-1)^k, & \text{if } m \text{ is the product of } k \text{ distinct primes.} \end{cases}$$

4.66 Example (Möbius function) The following table gives the values of the Möbius function
μ(m) for the first 10 values of m:

    m   |  1   2   3   4   5   6   7   8   9  10
  μ(m)  |  1  -1  -1   0  -1   1  -1   0   0   1

□

4.67 Fact (number of monic irreducible polynomials) Let p be a prime and m a positive integer.

(i) The number N_p(m) of monic irreducible polynomials of degree m in Z_p[x] is given
by the following formula:

$$N_p(m) = \frac{1}{m}\sum_{d \mid m} \mu(d)\, p^{m/d},$$

where the summation ranges over all positive divisors d of m.

(ii) The probability of a random monic polynomial of degree m in Z_p[x] being irreducible
over Z_p is roughly 1/m. More specifically, the number N_p(m) satisfies

$$\frac{1}{2m} \le \frac{N_p(m)}{p^m} \le \frac{1}{m}.$$

Testing irreducibility of polynomials in Z_p[x] is significantly simpler than testing
primality of integers. A polynomial can be tested for irreducibility by verifying that it has no
irreducible factors of degree ≤ ⌊m/2⌋. The following result leads to an efficient method
(Algorithm 4.69) for accomplishing this.

4.68 Fact Let p be a prime and let k be a positive integer.

(i) The product of all monic irreducible polynomials in Z_p[x] of degree dividing k is
equal to x^{p^k} − x.

(ii) Let f(x) be a polynomial of degree m in Z_p[x]. Then f(x) is irreducible over Z_p if
and only if gcd(f(x), x^{p^i} − x) = 1 for each i, 1 ≤ i ≤ ⌊m/2⌋.


4.69 Algorithm Testing a polynomial for irreducibility

INPUT: a prime p and a monic polynomial f(x) of degree m in Z_p[x].

OUTPUT: an answer to the question: "Is f(x) irreducible over Z_p?"

1. Set u(x) ← x.

2. For i from 1 to ⌊m/2⌋ do the following:

2.1 Compute u(x) ← u(x)^p mod f(x) using Algorithm 2.227. (Note that u(x) is a
polynomial in Z_p[x] of degree less than m.)

2.2 Compute d(x) = gcd(f(x), u(x) − x) (using Algorithm 2.218).

2.3 If d(x) ≠ 1 then return("reducible").

3. Return("irreducible").


Fact 4.67 suggests that one method for finding an irreducible polynomial of degree m
in Z_p[x] is to generate a random monic polynomial of degree m in Z_p[x], test it for
irreducibility, and continue until an irreducible one is found (Algorithm 4.70). The expected
number of polynomials to be tried before an irreducible one is found is approximately m.

4.70 Algorithm Generating a random monic irreducible polynomial over Z_p
INPUT: a prime p and a positive integer m.

OUTPUT: a monic irreducible polynomial f(x) of degree m in Z_p[x].

1. Repeat the following:

1.1 (Generate a random monic polynomial of degree m in Z_p[x])

Randomly select integers a_0, a_1, a_2, ..., a_{m−1} between 0 and p − 1 with a_0 ≠
0. Let f(x) be the polynomial f(x) = x^m + a_{m−1}x^{m−1} + ··· + a_2x^2 + a_1x + a_0.

1.2 Use Algorithm 4.69 to test whether f(x) is irreducible over Z_p.

Until f(x) is irreducible.

2. Return(f(x)).


It is known that the expected degree of the irreducible factor of least degree of a random
polynomial of degree m in Z_p[x] is O(lg m). Hence for each choice of f(x), the expected
number of times steps 2.1 - 2.3 of Algorithm 4.69 are iterated is O(lg m). Each iteration
takes O((lg p)m^2) Z_p-operations. These observations, together with Fact 4.67(ii), determine
the running time for Algorithm 4.70.

4.71 Fact Algorithm 4.70 has an expected running time of O(m^3(lg m)(lg p)) Z_p-operations.

Given one irreducible polynomial of degree m over Z_p, Note 4.74 describes a method,
which is more efficient than Algorithm 4.70, for randomly generating additional such
polynomials.


4.72 Definition Let F_q be a finite field of characteristic p, and let α ∈ F_q. A minimum polynomial
of α over Z_p is a monic polynomial of least degree in Z_p[x] having α as a root.


4.73 Fact Let F_q be a finite field of order q = p^m, and let α ∈ F_q.

(i) The minimum polynomial of α over Z_p, denoted m_α(x), is unique.

(ii) m_α(x) is irreducible over Z_p.

(iii) The degree of m_α(x) is a divisor of m.

(iv) Let t be the smallest positive integer such that α^{p^t} = α. (Note that such a t exists
since, by Fact 2.213, α^{p^m} = α.) Then

$$m_\alpha(x) = \prod_{i=0}^{t-1}\left(x - \alpha^{p^i}\right). \qquad (4.1)$$

4.74 Note (generating new irreducible polynomials from a given one) Suppose that f(y) is a
given irreducible polynomial of degree m over Z_p. The finite field F_{p^m} can then be
represented as F_{p^m} = Z_p[y]/(f(y)). A random monic irreducible polynomial of degree m over
Z_p can be efficiently generated as follows. First generate a random element α ∈ F_{p^m} and
then, by repeated exponentiation by p, determine the smallest positive integer t for which
α^{p^t} = α. If t < m, then generate a new random element α ∈ F_{p^m} and repeat; the probability
that t < m is known to be at most (lg m)/q^{m/2}. If indeed t = m, then compute m_α(x)
using the formula (4.1). Then m_α(x) is a random monic irreducible polynomial of degree
m in Z_p[x]. This method has an expected running time of O(m^3(lg p)) Z_p-operations (compare
with Fact 4.71).
4.5.2 Irreducible trinomials

If a polynomial $f(x)$ in $\mathbb{Z}_2[x]$ has an even number of non-zero terms, then $f(1) = 0$, whence $(x+1)$ is a factor of $f(x)$. Hence, the smallest number of non-zero terms an irreducible polynomial of degree $\geq 2$ in $\mathbb{Z}_2[x]$ can have is three. An irreducible trinomial of degree $m$ in $\mathbb{Z}_2[x]$ must be of the form $x^m + x^k + 1$, where $1 \leq k \leq m-1$. Choosing an irreducible trinomial $f(x) \in \mathbb{Z}_2[x]$ of degree $m$ to represent the elements of the finite field $\mathbb{F}_{2^m} = \mathbb{Z}_2[x]/(f(x))$ can lead to a faster implementation of the field arithmetic. The following facts are sometimes of use when searching for irreducible trinomials.

4.75 Fact Let $m$ be a positive integer, and let $k$ denote an integer in the interval $[1, m-1]$.

(i) If the trinomial $x^m + x^k + 1$ is irreducible over $\mathbb{Z}_2$ then so is $x^m + x^{m-k} + 1$.

(ii) If $m \equiv 0 \pmod 8$, there is no irreducible trinomial of degree $m$ in $\mathbb{Z}_2[x]$.

(iii) Suppose that either $m \equiv 3 \pmod 8$ or $m \equiv 5 \pmod 8$. Then a necessary condition for $x^m + x^k + 1$ to be irreducible over $\mathbb{Z}_2$ is that either $k$ or $m-k$ must be of the form $2d$ for some positive divisor $d$ of $m$.

Tables 4.6 and 4.7 list an irreducible trinomial of degree $m$ over $\mathbb{Z}_2$ for each $m \leq 1478$ for which such a trinomial exists.


4.5.3 Primitive polynomials

Primitive polynomials were introduced at the beginning of §4.5. Let $f(x) \in \mathbb{Z}_p[x]$ be an irreducible polynomial of degree $m$. If the factorization of the integer $p^m - 1$ is known, then Fact 4.76 yields an efficient algorithm (Algorithm 4.77) for testing whether or not $f(x)$ is a primitive polynomial. If the factorization of $p^m - 1$ is unknown, there is no efficient algorithm known for performing this test.

4.76 Fact Let $p$ be a prime and let the distinct prime factors of $p^m - 1$ be $r_1, r_2, \ldots, r_t$. Then an irreducible polynomial $f(x) \in \mathbb{Z}_p[x]$ is primitive if and only if for each $i$, $1 \leq i \leq t$:

$$x^{(p^m-1)/r_i} \not\equiv 1 \pmod{f(x)}.$$

(That is, $x$ is an element of order $p^m - 1$ in the field $\mathbb{Z}_p[x]/(f(x))$.)


4.77 Algorithm Testing whether an irreducible polynomial is primitive

INPUT: a prime $p$, a positive integer $m$, the distinct prime factors $r_1, r_2, \ldots, r_t$ of $p^m - 1$, and a monic irreducible polynomial $f(x)$ of degree $m$ in $\mathbb{Z}_p[x]$.

OUTPUT: an answer to the question: "Is $f(x)$ a primitive polynomial?"

1. For $i$ from 1 to $t$ do the following:

1.1 Compute $l(x) = x^{(p^m-1)/r_i} \bmod f(x)$ (using Algorithm 2.227).

1.2 If $l(x) = 1$ then return("not primitive").

2. Return("primitive").


There are precisely $\phi(p^m - 1)/m$ monic primitive polynomials of degree $m$ in $\mathbb{Z}_p[x]$ (Fact 2.230), where $\phi$ is the Euler phi function (Definition 2.100). Since the number of monic irreducible polynomials of degree $m$ in $\mathbb{Z}_p[x]$ is roughly $p^m/m$ (Fact 4.67(ii)), it follows that the probability of a random monic irreducible polynomial of degree $m$ in $\mathbb{Z}_p[x]$
  m   k |   m   k |   m   k |   m   k |   m   k |   m   k |   m   k
  2   1 |  93   2 | 193  15 | 295  48 | 402 171 | 508   9 | 618 295
  3   1 |  94  21 | 194  87 | 297   5 | 404  65 | 510  69 | 620   9
  4   1 |  95  11 | 196   3 | 300   5 | 406 141 | 511  10 | 622 297
  5   2 |  97   6 | 198   9 | 302  41 | 407  71 | 513  26 | 623  68
  6   1 |  98  11 | 199  34 | 303   1 | 409  87 | 514  67 | 625 133
  7   1 | 100  15 | 201  14 | 305 102 | 412 147 | 516  21 | 626 251
  9   1 | 102  29 | 202  55 | 308  15 | 414  13 | 518  33 | 628 223
 10   3 | 103   9 | 204  27 | 310  93 | 415 102 | 519  79 | 631 307
 11   2 | 105   4 | 207  43 | 313  79 | 417 107 | 521  32 | 633 101
 12   3 | 106  15 | 209   6 | 314  15 | 418 199 | 522  39 | 634  39
 14   5 | 108  17 | 210   7 | 316  63 | 420   7 | 524 167 | 636 217
 15   1 | 110  33 | 212 105 | 318  45 | 422 149 | 526  97 | 639  16
 17   3 | 111  10 | 214  73 | 319  36 | 423  25 | 527  47 | 641  11
 18   3 | 113   9 | 215  23 | 321  31 | 425  12 | 529  42 | 642 119
 20   3 | 118  33 | 217  45 | 322  67 | 426  63 | 532   1 | 646 249
 21   2 | 119   8 | 218  11 | 324  51 | 428 105 | 534 161 | 647   5
 22   1 | 121  18 | 220   7 | 327  34 | 431 120 | 537  94 | 649  37
 23   5 | 123   2 | 223  33 | 329  50 | 433  33 | 538 195 | 650   3
 25   3 | 124  19 | 225  32 | 330  99 | 436 165 | 540   9 | 651  14
 28   1 | 126  21 | 228 113 | 332  89 | 438  65 | 543  16 | 652  93
 29   2 | 127   1 | 231  26 | 333   2 | 439  49 | 545 122 | 654  33
 30   1 | 129   5 | 233  74 | 337  55 | 441   7 | 550 193 | 655  88
 31   3 | 130   3 | 234  31 | 340  45 | 444  81 | 551 135 | 657  38
 33  10 | 132  17 | 236   5 | 342 125 | 446 105 | 553  39 | 658  55
 34   7 | 134  57 | 238  73 | 343  75 | 447  73 | 556 153 | 660  11
 35   2 | 135  11 | 239  36 | 345  22 | 449 134 | 558  73 | 662  21
 36   9 | 137  21 | 241  70 | 346  63 | 450  47 | 559  34 | 663 107
 39   4 | 140  15 | 242  95 | 348 103 | 455  38 | 561  71 | 665  33
 41   3 | 142  21 | 244 111 | 350  53 | 457  16 | 564 163 | 668 147
 42   7 | 145  52 | 247  82 | 351  34 | 458 203 | 566 153 | 670 153
 44   5 | 146  71 | 249  35 | 353  69 | 460  19 | 567  28 | 671  15
 46   1 | 147  14 | 250 103 | 354  99 | 462  73 | 569  77 | 673  28
 47   5 | 148  27 | 252  15 | 358  57 | 463  93 | 570  67 | 676  31
 49   9 | 150  53 | 253  46 | 359  68 | 465  31 | 574  13 | 679  66
 52   3 | 151   3 | 255  52 | 362  63 | 468  27 | 575 146 | 682 171
 54   9 | 153   1 | 257  12 | 364   9 | 470   9 | 577  25 | 684 209
 55   7 | 154  15 | 258  71 | 366  29 | 471   1 | 580 237 | 686 197
 57   4 | 155  62 | 260  15 | 367  21 | 473 200 | 582  85 | 687  13
 58  19 | 156   9 | 263  93 | 369  91 | 474 191 | 583 130 | 689  14
 60   1 | 159  31 | 265  42 | 370 139 | 476   9 | 585  88 | 690  79
 62  29 | 161  18 | 266  47 | 372 111 | 478 121 | 588  35 | 692 299
 63   1 | 162  27 | 268  25 | 375  16 | 479 104 | 590  93 | 694 169
 65  18 | 166  37 | 270  53 | 377  41 | 481 138 | 593  86 | 695 177
 66   3 | 167   6 | 271  58 | 378  43 | 484 105 | 594  19 | 697 267
 68   9 | 169  34 | 273  23 | 380  47 | 486  81 | 596 273 | 698 215
 71   6 | 170  11 | 274  67 | 382  81 | 487  94 | 599  30 | 700  75
 73  25 | 172   1 | 276  63 | 383  90 | 489  83 | 601 201 | 702  37
 74  35 | 174  13 | 278   5 | 385   6 | 490 219 | 602 215 | 705  17
 76  21 | 175   6 | 279   5 | 386  83 | 492   7 | 604 105 | 708  15
 79   9 | 177   8 | 281  93 | 388 159 | 494  17 | 606 165 | 711  92
 81   4 | 178  31 | 282  35 | 390   9 | 495  76 | 607 105 | 713  41
 84   5 | 180   3 | 284  53 | 391  28 | 497  78 | 609  31 | 714  23
 86  21 | 182  81 | 286  69 | 393   7 | 498 155 | 610 127 | 716 183
 87  13 | 183  56 | 287  71 | 394 135 | 500  27 | 612  81 | 718 165
 89  38 | 185  24 | 289  21 | 396  25 | 503   3 | 614  45 | 719 150
 90  27 | 186  11 | 292  37 | 399  26 | 505 156 | 615 211 | 721   9
 92  21 | 191   9 | 294  33 | 401 152 | 506  23 | 617 200 | 722 231

Table 4.6: Irreducible trinomials $x^m + x^k + 1$ over $\mathbb{Z}_2$. For each $m$, $1 \leq m \leq 722$, for which an irreducible trinomial of degree $m$ in $\mathbb{Z}_2[x]$ exists, the table lists the smallest $k$ for which $x^m + x^k + 1$ is irreducible over $\mathbb{Z}_2$.
   m   k |    m   k |    m   k |    m   k |    m   k |    m   k |    m   k
 724 207 |  831  49 |  937 217 | 1050 159 | 1159  66 | 1265 119 | 1374 609
 726   5 |  833 149 |  938 207 | 1052 291 | 1161 365 | 1266   7 | 1375  52
 727 180 |  834  15 |  942  45 | 1054 105 | 1164  19 | 1268 345 | 1377 100
 729  58 |  838  61 |  943  24 | 1055  24 | 1166 189 | 1270 333 | 1380 183
 730 147 |  839  54 |  945  77 | 1057 198 | 1167 133 | 1271  17 | 1383 130
 732 343 |  841 144 |  948 189 | 1058  27 | 1169 114 | 1273 168 | 1385  12
 735  44 |  842  47 |  951 260 | 1060 439 | 1170  27 | 1276 217 | 1386 219
 737   5 |  844 105 |  953 168 | 1062  49 | 1174 133 | 1278 189 | 1388  11
 738 347 |  845   2 |  954 131 | 1063 168 | 1175 476 | 1279 216 | 1390 129
 740 135 |  846 105 |  956 305 | 1065 463 | 1177  16 | 1281 229 | 1391   3
 742  85 |  847 136 |  959 143 | 1071   7 | 1178 375 | 1282 231 | 1393 300
 743  90 |  849 253 |  961  18 | 1078 361 | 1180  25 | 1284 223 | 1396  97
 745 258 |  850 111 |  964 103 | 1079 230 | 1182  77 | 1286 153 | 1398 601
 746 351 |  852 159 |  966 201 | 1081  24 | 1183  87 | 1287 470 | 1399  55
 748  19 |  855  29 |  967  36 | 1082 407 | 1185 134 | 1289  99 | 1401  92
 750 309 |  857 119 |  969  31 | 1084 189 | 1186 171 | 1294 201 | 1402 127
 751  18 |  858 207 |  972   7 | 1085  62 | 1188  75 | 1295  38 | 1404  81
 753 158 |  860  35 |  975  19 | 1086 189 | 1190 233 | 1297 198 | 1407  47
 754  19 |  861  14 |  977  15 | 1087 112 | 1191 196 | 1298 399 | 1409 194
 756  45 |  862 349 |  979 178 | 1089  91 | 1193 173 | 1300  75 | 1410 383
 758 233 |  865   1 |  982 177 | 1090  79 | 1196 281 | 1302  77 | 1412 125
 759  98 |  866  75 |  983 230 | 1092  23 | 1198 405 | 1305 326 | 1414 429
 761   3 |  868 145 |  985 222 | 1094  57 | 1199 114 | 1306  39 | 1415 282
 762  83 |  870 301 |  986   3 | 1095 139 | 1201 171 | 1308 495 | 1417 342
 767 168 |  871 378 |  988 121 | 1097  14 | 1202 287 | 1310 333 | 1420  33
 769 120 |  873 352 |  990 161 | 1098  83 | 1204  43 | 1311 476 | 1422  49
 772   7 |  876 149 |  991  39 | 1100  35 | 1206 513 | 1313 164 | 1423  15
 774 185 |  879  11 |  993  62 | 1102 117 | 1207 273 | 1314  19 | 1425  28
 775  93 |  881  78 |  994 223 | 1103  65 | 1209 118 | 1319 129 | 1426 103
 777  29 |  882  99 |  996  65 | 1105  21 | 1210 243 | 1321  52 | 1428  27
 778 375 |  884 173 |  998 101 | 1106 195 | 1212 203 | 1324 337 | 1430  33
 780  13 |  887 147 |  999  59 | 1108 327 | 1214 257 | 1326 397 | 1431  17
 782 329 |  889 127 | 1001  17 | 1110 417 | 1215 302 | 1327 277 | 1433 387
 783  68 |  890 183 | 1007  75 | 1111  13 | 1217 393 | 1329  73 | 1434 363
 785  92 |  892  31 | 1009  55 | 1113 107 | 1218  91 | 1332  95 | 1436  83
 791  30 |  894 173 | 1010  99 | 1116  59 | 1220 413 | 1334 617 | 1438 357
 793 253 |  895  12 | 1012 115 | 1119 283 | 1223 255 | 1335 392 | 1441 322
 794 143 |  897 113 | 1014 385 | 1121  62 | 1225 234 | 1337  75 | 1442 395
 798  53 |  898 207 | 1015 186 | 1122 427 | 1226 167 | 1338 315 | 1444 595
 799  25 |  900   1 | 1020 135 | 1126 105 | 1228  27 | 1340 125 | 1446 421
 801 217 |  902  21 | 1022 317 | 1127  27 | 1230 433 | 1343 348 | 1447 195
 804  75 |  903  35 | 1023   7 | 1129 103 | 1231 105 | 1345 553 | 1449  13
 806  21 |  905 117 | 1025 294 | 1130 551 | 1233 151 | 1348 553 | 1452 315
 807   7 |  906 123 | 1026  35 | 1134 129 | 1234 427 | 1350 237 | 1454 297
 809  15 |  908 143 | 1028 119 | 1135   9 | 1236  49 | 1351  39 | 1455  52
 810 159 |  911 204 | 1029  98 | 1137 277 | 1238 153 | 1353 371 | 1457 314
 812  29 |  913  91 | 1030  93 | 1138  31 | 1239   4 | 1354 255 | 1458 243
 814  21 |  916 183 | 1031  68 | 1140 141 | 1241  54 | 1356 131 | 1460 185
 815 333 |  918  77 | 1033 108 | 1142 357 | 1242 203 | 1358 117 | 1463 575
 817  52 |  919  36 | 1034  75 | 1145 227 | 1246  25 | 1359  98 | 1465  39
 818 119 |  921 221 | 1036 411 | 1146 131 | 1247  14 | 1361  56 | 1466 311
 820 123 |  924  31 | 1039  21 | 1148  23 | 1249 187 | 1362 655 | 1468 181
 822  17 |  926 365 | 1041 412 | 1151  90 | 1252  97 | 1364 239 | 1470  49
 823   9 |  927 403 | 1042 439 | 1153 241 | 1255 589 | 1366   1 | 1471  25
 825  38 |  930  31 | 1044  41 | 1154  75 | 1257 289 | 1367 134 | 1473  77
 826 255 |  932 177 | 1047  10 | 1156 307 | 1260  21 | 1369  88 | 1476  21
 828 189 |  935 417 | 1049 141 | 1158 245 | 1263  77 | 1372 181 | 1478  69

Table 4.7: Irreducible trinomials $x^m + x^k + 1$ over $\mathbb{Z}_2$. For each $m$, $723 \leq m \leq 1478$, for which an irreducible trinomial of degree $m$ in $\mathbb{Z}_2[x]$ exists, the table gives the smallest $k$ for which $x^m + x^k + 1$ is irreducible over $\mathbb{Z}_2$.
being primitive is approximately $\phi(p^m - 1)/p^m$. Using the lower bound for the Euler phi function (Fact 2.102), this probability can be seen to be at least $1/(6 \ln \ln p^m)$. This suggests the following algorithm for generating primitive polynomials.


4.78 Algorithm Generating a random monic primitive polynomial over $\mathbb{Z}_p$

INPUT: a prime $p$, integer $m \geq 1$, and the distinct prime factors $r_1, r_2, \ldots, r_t$ of $p^m - 1$.
OUTPUT: a monic primitive polynomial $f(x)$ of degree $m$ in $\mathbb{Z}_p[x]$.

1. Repeat the following:

1.1 Use Algorithm 4.70 to generate a random monic irreducible polynomial $f(x)$ of degree $m$ in $\mathbb{Z}_p[x]$.

1.2 Use Algorithm 4.77 to test whether $f(x)$ is primitive.

Until $f(x)$ is primitive.

2. Return($f(x)$).
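The polynomial procedures of this section (Algorithm 4.70, the primitivity test of Algorithm 4.77, Algorithm 4.78, and the trinomial search behind Tables 4.6 and 4.7) in one added Python example. This is illustrative code written for this page, not the Handbook's own; it represents a polynomial over $\mathbb{Z}_p$ as a list of coefficients in increasing degree. Algorithm 4.69 is not on this page, so the irreducibility test assumes its Ben-Or form ($\gcd(f, x^{p^i} - x) = 1$ for $i$ up to $m/2$); the distinct prime factors of $p^m - 1$ are supplied by the caller, as the text's INPUT lines require.

```python
import random

# Added illustration (not the Handbook's own code) of Algorithms 4.69, 4.70,
# 4.77 and 4.78 and of the trinomial search behind Tables 4.6 and 4.7.
# A polynomial over Z_p is a list of coefficients, lowest degree first.

def trim(a):
    """Drop leading zero coefficients; len(a) - 1 is then the degree."""
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def poly_mod(a, f, p):
    """Remainder of a on division by the monic polynomial f, coefficients mod p."""
    a = [c % p for c in a]
    df = len(f) - 1
    for i in range(len(a) - 1, df - 1, -1):
        if a[i]:
            c = a[i]
            for j in range(df + 1):
                a[i - df + j] = (a[i - df + j] - c * f[j]) % p
    return trim(a[:df] if df else [0])

def poly_mulmod(a, b, f, p):
    """Product of a and b reduced modulo f."""
    prod = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % p
    return poly_mod(prod, f, p)

def poly_powmod(base, e, f, p):
    """base^e mod f by square-and-multiply (the role of Algorithm 2.227)."""
    result, base = [1], poly_mod(base, f, p)
    while e:
        if e & 1:
            result = poly_mulmod(result, base, f, p)
        base = poly_mulmod(base, base, f, p)
        e >>= 1
    return result

def poly_gcd(a, b, p):
    """Euclidean algorithm in Z_p[x]; the gcd is returned monic."""
    a, b = trim([c % p for c in a]), trim([c % p for c in b])
    while b != [0]:
        inv = pow(b[-1], -1, p)            # make b monic so poly_mod applies
        b = [c * inv % p for c in b]
        a, b = b, poly_mod(a, b, p)
    inv = pow(a[-1], -1, p)
    return [c * inv % p for c in a]

def is_irreducible(f, p):
    """Algorithm 4.69 in the Ben-Or form assumed here: degree-m f is irreducible
    over Z_p iff gcd(f, x^(p^i) - x) = 1 for i = 1, ..., floor(m/2)."""
    f = trim([c % p for c in f])
    m = len(f) - 1
    if m < 1:
        return False
    u = [0, 1]                             # u(x) = x
    for _ in range(m // 2):
        u = poly_powmod(u, p, f, p)        # u <- u^p mod f, i.e. x^(p^i) mod f
        v = u + [0] * (2 - len(u))
        v[1] = (v[1] - 1) % p              # v = u - x
        if poly_gcd(f, v, p) != [1]:
            return False
    return True

def random_monic_irreducible(m, p, rng=random):
    """Algorithm 4.70: random monic degree-m polynomials with a_0 != 0 until
    Algorithm 4.69 accepts one (about m draws on average, by Fact 4.67(ii))."""
    while True:
        f = [rng.randrange(1, p)] + [rng.randrange(p) for _ in range(m - 1)] + [1]
        if is_irreducible(f, p):
            return f

def is_primitive(f, p, prime_factors):
    """Algorithm 4.77: irreducible f is primitive iff x^((p^m - 1)/r) != 1
    (mod f) for every distinct prime factor r of p^m - 1 (supplied as input)."""
    order = p ** (len(f) - 1) - 1
    return all(poly_powmod([0, 1], order // r, f, p) != [1] for r in prime_factors)

def random_monic_primitive(m, p, prime_factors, rng=random):
    """Algorithm 4.78: repeat Algorithm 4.70 until Algorithm 4.77 accepts."""
    while True:
        f = random_monic_irreducible(m, p, rng)
        if is_primitive(f, p, prime_factors):
            return f

def smallest_trinomial_k(m):
    """The entry Tables 4.6 and 4.7 give for m: the least k with x^m + x^k + 1
    irreducible over Z_2, or None. Fact 4.75(ii) excludes m = 0 (mod 8)."""
    if m % 8 == 0:
        return None
    for k in range(1, m):
        f = [0] * (m + 1)
        f[0] = f[k] = f[m] = 1
        if is_irreducible(f, 2):
            return k
    return None
```

`random_monic_primitive(8, 2, [3, 5, 17])` returns a primitive polynomial of degree 8 over $\mathbb{Z}_2$ (the factors are those of $2^8 - 1 = 255$), and `smallest_trinomial_k(14)` reproduces the Table 4.6 entry 5. Over $\mathbb{Z}_2$ the example could be made much faster by packing coefficients into machine words, which is the implementation advantage of trinomials that §4.5.2 alludes to; the list form is kept so that the same code serves every prime $p$.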


For each $m$, $1 \leq m \leq 229$, Table 4.8 lists a polynomial of degree $m$ that is primitive over $\mathbb{Z}_2$. If there exists a primitive trinomial $f(x) = x^m + x^k + 1$, then the trinomial with the smallest $k$ is listed. If no primitive trinomial exists, then a primitive pentanomial of the form $f(x) = x^m + x^{k_1} + x^{k_2} + x^{k_3} + 1$ is listed.

If $p^m - 1$ is prime, then Fact 4.76 implies that every irreducible polynomial of degree $m$ in $\mathbb{Z}_p[x]$ is also primitive. Table 4.9 gives either a primitive trinomial or a primitive pentanomial of degree $m$ over $\mathbb{Z}_2$ where $m$ is an exponent of one of the first 27 Mersenne primes (Definition 4.35).


4.6 Generators and elements of high order

Recall (Definition 2.169) that if $G$ is a (multiplicative) finite group, the order of an element $a \in G$ is the least positive integer $t$ such that $a^t = 1$. If there are $n$ elements in $G$, and if $a \in G$ is an element of order $n$, then $G$ is said to be cyclic and $a$ is called a generator or a primitive element of $G$ (Definition 2.167). Of special interest for cryptographic applications are the multiplicative group $\mathbb{Z}_p^*$ of the integers modulo a prime $p$, and the multiplicative group $\mathbb{F}_{2^m}^*$ of the finite field $\mathbb{F}_{2^m}$ of characteristic two; these groups are cyclic (Fact 2.213). Also of interest is the group $\mathbb{Z}_n^*$ (Definition 2.124), where $n$ is the product of two distinct odd primes. This section deals with the problem of finding generators and other elements of high order in $\mathbb{Z}_p^*$, $\mathbb{F}_{2^m}^*$, and $\mathbb{Z}_n^*$. See §2.5.1 for background in group theory and §2.6 for background in finite fields.

Algorithm 4.79 is an efficient method for determining the order of a group element, given the prime factorization of the group order $n$. The correctness of the algorithm follows from the fact that the order of an element must divide $n$ (Fact 2.171).
  m  k or (k1,k2,k3) |   m  k or (k1,k2,k3) |   m  k or (k1,k2,k3) |   m  k or (k1,k2,k3)
  2  1               |  59  22,21,1         | 116  71,70,1         | 173  100,99,1
  3  1               |  60  1               | 117  20,18,2         | 174  13
  4  1               |  61  16,15,1         | 118  33              | 175  6
  5  2               |  62  57,56,1         | 119  8               | 176  119,118,1
  6  1               |  63  1               | 120  118,111,7       | 177  8
  7  1               |  64  4,3,1           | 121  18              | 178  87
  8  6,5,1           |  65  18              | 122  60,59,1         | 179  34,33,1
  9  4               |  66  10,9,1          | 123  2               | 180  37,36,1
 10  3               |  67  10,9,1          | 124  37              | 181  7,6,1
 11  2               |  68  9               | 125  108,107,1       | 182  128,127,1
 12  7,4,3           |  69  29,27,2         | 126  37,36,1         | 183  56
 13  4,3,1           |  70  16,15,1         | 127  1               | 184  102,101,1
 14  12,11,1         |  71  6               | 128  29,27,2         | 185  24
 15  1               |  72  53,47,6         | 129  5               | 186  23,22,1
 16  5,3,2           |  73  25              | 130  3               | 187  58,57,1
 17  3               |  74  16,15,1         | 131  48,47,1         | 188  74,73,1
 18  7               |  75  11,10,1         | 132  29              | 189  127,126,1
 19  6,5,1           |  76  36,35,1         | 133  52,51,1         | 190  18,17,1
 20  3               |  77  31,30,1         | 134  57              | 191  9
 21  2               |  78  20,19,1         | 135  11              | 192  28,27,1
 22  1               |  79  9               | 136  126,125,1       | 193  15
 23  5               |  80  38,37,1         | 137  21              | 194  87
 24  4,3,1           |  81  4               | 138  8,7,1           | 195  10,9,1
 25  3               |  82  38,35,3         | 139  8,5,3           | 196  66,65,1
 26  8,7,1           |  83  46,45,1         | 140  29              | 197  62,61,1
 27  8,7,1           |  84  13              | 141  32,31,1         | 198  65
 28  3               |  85  28,27,1         | 142  21              | 199  34
 29  2               |  86  13,12,1         | 143  21,20,1         | 200  42,41,1
 30  16,15,1         |  87  13              | 144  70,69,1         | 201  14
 31  3               |  88  72,71,1         | 145  52              | 202  55
 32  28,27,1         |  89  38              | 146  60,59,1         | 203  8,7,1
 33  13              |  90  19,18,1         | 147  38,37,1         | 204  74,73,1
 34  15,14,1         |  91  84,83,1         | 148  27              | 205  30,29,1
 35  2               |  92  13,12,1         | 149  110,109,1       | 206  29,28,1
 36  11              |  93  2               | 150  53              | 207  43
 37  12,10,2         |  94  21              | 151  3               | 208  62,59,3
 38  6,5,1           |  95  11              | 152  66,65,1         | 209  6
 39  4               |  96  49,47,2         | 153  1               | 210  35,32,3
 40  21,19,2         |  97  6               | 154  129,127,2       | 211  46,45,1
 41  3               |  98  11              | 155  32,31,1         | 212  105
 42  23,22,1         |  99  47,45,2         | 156  116,115,1       | 213  8,7,1
 43  6,5,1           | 100  37              | 157  27,26,1         | 214  49,48,1
 44  27,26,1         | 101  7,6,1           | 158  27,26,1         | 215  23
 45  4,3,1           | 102  77,76,1         | 159  31              | 216  196,195,1
 46  21,20,1         | 103  9               | 160  19,18,1         | 217  45
 47  5               | 104  11,10,1         | 161  18              | 218  11
 48  28,27,1         | 105  16              | 162  88,87,1         | 219  19,18,1
 49  9               | 106  15              | 163  60,59,1         | 220  15,14,1
 50  27,26,1         | 107  65,63,2         | 164  14,13,1         | 221  35,34,1
 51  16,15,1         | 108  31              | 165  31,30,1         | 222  92,91,1
 52  3               | 109  7,6,1           | 166  39,38,1         | 223  33
 53  16,15,1         | 110  13,12,1         | 167  6               | 224  31,30,1
 54  37,36,1         | 111  10              | 168  17,15,2         | 225  32
 55  24              | 112  45,43,2         | 169  34              | 226  58,57,1
 56  22,21,1         | 113  9               | 170  23              | 227  46,45,1
 57  7               | 114  82,81,1         | 171  19,18,1         | 228  148,147,1
 58  19              | 115  15,14,1         | 172  7               | 229  64,63,1

Table 4.8: Primitive polynomials over $\mathbb{Z}_2$. For each $m$, $1 \leq m \leq 229$, an exponent $k$ is given for which the trinomial $x^m + x^k + 1$ is primitive over $\mathbb{Z}_2$. If no such trinomial exists, a triple of exponents $(k_1, k_2, k_3)$ is given for which the pentanomial $x^m + x^{k_1} + x^{k_2} + x^{k_3} + 1$ is primitive over $\mathbb{Z}_2$.
  j      m   k (k1,k2,k3)
  1      2   1
  2      3   1
  3      5   2
  4      7   1, 3
  5     13   none (4,3,1)
  6     17   3, 5, 6
  7     19   none (5,2,1)
  8     31   3, 6, 7, 13
  9     61   none (43,26,14)
 10     89   38
 11    107   none (82,57,31)
 12    127   1, 7, 15, 30, 63
 13    521   32, 48, 158, 168
 14    607   105, 147, 273
 15   1279   216, 418
 16   2203   none (1656,1197,585)
 17   2281   715, 915, 1029
 18   3217   67, 576
 19   4253   none (3297,2254,1093)
 20   4423   271, 369, 370, 649, 1393, 1419, 2098
 21   9689   84, 471, 1836, 2444, 4187
 22   9941   none (7449,4964,2475)
 23  11213   none (8218,6181,2304)
 24  19937   881, 7083, 9842
 25  21701   none (15986,11393,5073)
 26  23209   1530, 6619, 9739
 27  44497   8575, 21034

Table 4.9: Primitive polynomials of degree $m$ over $\mathbb{Z}_2$, $2^m - 1$ a Mersenne prime. For each exponent $m = M_j$ of the first 27 Mersenne primes, the table lists all values of $k$, $1 \leq k \leq m/2$, for which the trinomial $x^m + x^k + 1$ is irreducible over $\mathbb{Z}_2$. If no such trinomial exists, a triple of exponents $(k_1, k_2, k_3)$ is listed such that the pentanomial $x^m + x^{k_1} + x^{k_2} + x^{k_3} + 1$ is irreducible over $\mathbb{Z}_2$.


4.79 Algorithm Determining the order of a group element

INPUT: a (multiplicative) finite group $G$ of order $n$, an element $a \in G$, and the prime factorization $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$.

OUTPUT: the order $t$ of $a$.

1. Set $t \leftarrow n$.

2. For $i$ from 1 to $k$ do the following:

2.1 Set $t \leftarrow t / p_i^{e_i}$.

2.2 Compute $a_1 \leftarrow a^t$.

2.3 While $a_1 \neq 1$ do the following: compute $a_1 \leftarrow a_1^{p_i}$ and set $t \leftarrow t \cdot p_i$.

3. Return($t$).


Suppose now that $G$ is a cyclic group of order $n$. Then for any divisor $d$ of $n$ the number of elements of order $d$ in $G$ is exactly $\phi(d)$ (Fact 2.173(ii)), where $\phi$ is the Euler phi function (Definition 2.100). In particular, $G$ has exactly $\phi(n)$ generators, and hence the probability of a random element in $G$ being a generator is $\phi(n)/n$. Using the lower bound for the Euler phi function (Fact 2.102), this probability can be seen to be at least $1/(6 \ln \ln n)$. This suggests the following efficient randomized algorithm for finding a generator of a cyclic group.


4.80 Algorithm Finding a generator of a cyclic group

INPUT: a cyclic group $G$ of order $n$, and the prime factorization $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$.
OUTPUT: a generator $\alpha$ of $G$.

1. Choose a random element $\alpha$ in $G$.

2. For $i$ from 1 to $k$ do the following:

2.1 Compute $b \leftarrow \alpha^{n/p_i}$.

2.2 If $b = 1$ then go to step 1.

3. Return($\alpha$).


4.81 Note (group elements of high order) In some situations it may be desirable to have an element of high order, and not a generator. Given a generator $\alpha$ in a cyclic group $G$ of order $n$, and given a divisor $d$ of $n$, an element $\beta$ of order $d$ in $G$ can be efficiently obtained as follows: $\beta = \alpha^{n/d}$. If $q$ is a prime divisor of the order $n$ of a cyclic group $G$, then the following method finds an element $\beta \in G$ of order $q$ without first having to find a generator of $G$: select a random element $g \in G$ and compute $\beta = g^{n/q}$; repeat until $\beta \neq 1$.

4.82 Note (generators of $\mathbb{F}_{2^m}^*$) There are two basic approaches to finding a generator of $\mathbb{F}_{2^m}^*$. Both techniques require the factorization of the order of $\mathbb{F}_{2^m}^*$, namely $2^m - 1$.

(i) Generate a monic primitive polynomial $f(x)$ of degree $m$ over $\mathbb{Z}_2$ (Algorithm 4.78). The finite field $\mathbb{F}_{2^m}$ can then be represented as $\mathbb{Z}_2[x]/(f(x))$, the set of all polynomials over $\mathbb{Z}_2$ modulo $f(x)$, and the element $\alpha = x$ is a generator.

(ii) Select the method for representing elements of $\mathbb{F}_{2^m}$ first. Then use Algorithm 4.80 with $G = \mathbb{F}_{2^m}^*$ and $n = 2^m - 1$ to find a generator $\alpha$ of $\mathbb{F}_{2^m}^*$.

If $n = pq$, where $p$ and $q$ are distinct odd primes, then $\mathbb{Z}_n^*$ is a non-cyclic group of order $\phi(n) = (p-1)(q-1)$. The maximum order of an element in $\mathbb{Z}_n^*$ is $\mathrm{lcm}(p-1, q-1)$. Algorithm 4.83 is a method for generating such an element which requires the factorizations of $p-1$ and $q-1$.


4.83 Algorithm Selecting an element of maximum order in $\mathbb{Z}_n^*$, where $n = pq$

INPUT: two distinct odd primes, $p$, $q$, and the factorizations of $p-1$ and $q-1$.

OUTPUT: an element $\alpha$ of maximum order $\mathrm{lcm}(p-1, q-1)$ in $\mathbb{Z}_n^*$, where $n = pq$.

1. Use Algorithm 4.80 with $G = \mathbb{Z}_p^*$ and $n = p-1$ to find a generator $a$ of $\mathbb{Z}_p^*$.

2. Use Algorithm 4.80 with $G = \mathbb{Z}_q^*$ and $n = q-1$ to find a generator $b$ of $\mathbb{Z}_q^*$.

3. Use Gauss's algorithm (Algorithm 2.121) to find an integer $\alpha$, $1 \leq \alpha \leq n-1$, satisfying $\alpha \equiv a \pmod p$ and $\alpha \equiv b \pmod q$.

4. Return($\alpha$).
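Algorithms 4.79, 4.80 and 4.83 and the two constructions of Note 4.81, as an added Python example that is not the Handbook's own code. It works in the groups $\mathbb{Z}_N^*$, so the group operation is Python's built-in `pow(a, e, N)`; factorizations are passed in as `{prime: exponent}` dictionaries, and `crt_pair` stands in for Gauss's algorithm (Algorithm 2.121), which is not reproduced on this page.

```python
import random
from math import lcm

# Added illustration (not the Handbook's own code) of Algorithms 4.79, 4.80
# and 4.83 and of Note 4.81, carried out in Z_N^* so that the group
# operation is pow(., ., N). Factorizations are dicts {prime: exponent}.

def element_order(a, N, n, factorization):
    """Algorithm 4.79: order of a in a group of order n = prod p_i^e_i."""
    t = n
    for p, e in factorization.items():
        t //= p ** e                         # step 2.1: t <- t / p_i^e_i
        a1 = pow(a, t, N)                    # step 2.2: a1 <- a^t
        while a1 != 1:                       # step 2.3: put factors p_i back
            a1 = pow(a1, p, N)
            t *= p
    return t

def find_generator(p, factorization, rng=random):
    """Algorithm 4.80 for G = Z_p^*, n = p - 1: a random a is a generator iff
    a^(n/q) != 1 for every prime q | n (the exponents e_i are not needed)."""
    n = p - 1
    while True:
        a = rng.randrange(1, p)
        if all(pow(a, n // q, p) != 1 for q in factorization):
            return a

def element_of_order(g, p, d):
    """Note 4.81: for a generator g of Z_p^* and d | p - 1, g^((p-1)/d) has order d."""
    return pow(g, (p - 1) // d, p)

def element_of_prime_order(p, q, rng=random):
    """Note 4.81, second method: beta = g^((p-1)/q) for random g, repeated
    until beta != 1, has order q; no generator is needed."""
    while True:
        beta = pow(rng.randrange(1, p), (p - 1) // q, p)
        if beta != 1:
            return beta

def crt_pair(a, p, b, q):
    """The x with x = a (mod p), x = b (mod q), 0 <= x < pq, for coprime p, q
    (the role of Gauss's algorithm, Algorithm 2.121, in Algorithm 4.83)."""
    return (a + p * ((b - a) * pow(p, -1, q) % q)) % (p * q)

def max_order_element(p, q, fact_p1, fact_q1, rng=random):
    """Algorithm 4.83: combine generators of Z_p^* and Z_q^* by CRT into an
    element of Z_n^*, n = pq, whose order is lcm(p-1, q-1), the maximum."""
    a = find_generator(p, fact_p1, rng)
    b = find_generator(q, fact_q1, rng)
    return crt_pair(a, p, b, q)

def max_order(p, q):
    """The bound the text states for Z_n^*, n = pq: lcm(p - 1, q - 1)."""
    return lcm(p - 1, q - 1)
```

With $p = 3$ and $q = 5$, `max_order_element(3, 5, {2: 1}, {2: 2})` returns 2 or 8, and `element_order` confirms that either has order $4 = \mathrm{lcm}(2, 4)$ in $\mathbb{Z}_{15}^*$, while $\phi(15) = 8$: the group is not cyclic, exactly as the text says.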
4.6.1 Selecting a prime $p$ and generator of $\mathbb{Z}_p^*$

In cryptographic applications for which a generator of $\mathbb{Z}_p^*$ is required, one usually has the flexibility of selecting the prime $p$. To guard against the Pohlig-Hellman algorithm for computing discrete logarithms (Algorithm 3.63), a security requirement is that $p-1$ should contain a "large" prime factor $q$. In this context, "large" means that the quantity $q$ represents an infeasible amount of computation; for example, $q \geq 2^{160}$. This suggests the following algorithm for selecting appropriate parameters $(p, \alpha)$.


4.84 Algorithm Selecting a $k$-bit prime $p$ and a generator $\alpha$ of $\mathbb{Z}_p^*$

INPUT: the required bitlength $k$ of the prime and a security parameter $t$.

OUTPUT: a $k$-bit prime $p$ such that $p-1$ has a prime factor $\geq t$, and a generator $\alpha$ of $\mathbb{Z}_p^*$.

1. Repeat the following:

1.1 Select a random $k$-bit prime $p$ (for example, using Algorithm 4.44).

1.2 Factor $p-1$.

Until $p-1$ has a prime factor $\geq t$.

2. Use Algorithm 4.80 with $G = \mathbb{Z}_p^*$ and $n = p-1$ to find a generator $\alpha$ of $\mathbb{Z}_p^*$.

3. Return($p, \alpha$).


Algorithm 4.84 is relatively inefficient as it requires the use of an integer factorization algorithm in step 1.2. An alternative approach is to generate the prime $p$ by first choosing a large prime $q$ and then selecting relatively small integers $R$ at random until $p = 2Rq + 1$ is prime. Since $p-1 = 2Rq$, the factorization of $p-1$ can be obtained by factoring $R$. A particularly convenient situation occurs by imposing the condition $R = 1$. In this case the factorization of $p-1$ is simply $2q$. Furthermore, since $\phi(p-1) = \phi(2q) = \phi(2)\phi(q) = q-1$, the probability that a randomly selected element $\alpha \in \mathbb{Z}_p^*$ is a generator is $\frac{q-1}{2q} \approx \frac{1}{2}$.

4.85 Definition A safe prime $p$ is a prime of the form $p = 2q+1$ where $q$ is prime.

Algorithm 4.86 generates a safe (probable) prime $p$ and a generator of $\mathbb{Z}_p^*$.


4.86 Algorithm Selecting a $k$-bit safe prime $p$ and a generator $\alpha$ of $\mathbb{Z}_p^*$

INPUT: the required bitlength $k$ of the prime.

OUTPUT: a $k$-bit safe prime $p$ and a generator $\alpha$ of $\mathbb{Z}_p^*$.

1. Do the following:

1.1 Select a random $(k-1)$-bit prime $q$ (for example, using Algorithm 4.44).

1.2 Compute $p \leftarrow 2q+1$, and test whether $p$ is prime (for example, using trial division by small primes and Algorithm 4.24).

Until $p$ is prime.

2. Use Algorithm 4.80 to find a generator $\alpha$ of $\mathbb{Z}_p^*$.

3. Return($p, \alpha$).
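Algorithm 4.86 together with the safe-prime discussion above, as an added Python example that is not the Handbook's own code. Algorithms 4.24 and 4.44 are not on this page, so the example assumes the usual Miller-Rabin test for both, preceded by trial division by small primes as step 1.2 suggests. Because $p - 1 = 2q$, the factorization Algorithm 4.80 needs is known without any factoring, and its check for a candidate $a$ reduces to $a^2 \neq 1$ and $a^q \neq 1 \pmod p$.

```python
import random

# Added illustration (not the Handbook's own code) of Algorithm 4.86 and the
# surrounding discussion: with a safe prime p = 2q + 1 the factorization of
# p - 1 is {2, q}, so Algorithm 4.80 costs two exponentiations per candidate.

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_probable_prime(n, t=20, rng=random):
    """Trial division by small primes, then the Miller-Rabin test (Algorithm
    4.24, assumed here) with t random bases; a composite passes with
    probability at most 4^-t."""
    if n < 2:
        return False
    for s in SMALL_PRIMES:
        if n % s == 0:
            return n == s
    r, d = 0, n - 1
    while d % 2 == 0:                        # n - 1 = 2^r * d, d odd
        d //= 2
        r += 1
    for _ in range(t):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                     # a is a strong witness for n
    return True

def random_prime(bits, rng=random):
    """Random bits-bit probable prime (the role of Algorithm 4.44 in step 1.1):
    force the top bit so the length is exact and the low bit so n is odd."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c, rng=rng):
            return c

def safe_prime(k, rng=random):
    """Algorithm 4.86, step 1: a (k-1)-bit prime q with p = 2q + 1 also prime."""
    while True:
        q = random_prime(k - 1, rng)
        p = 2 * q + 1
        if is_probable_prime(p, rng=rng):
            return p, q

def generator_for_safe_prime(p, q, rng=random):
    """Algorithm 4.80 with n = p - 1 = 2q: a generates Z_p^* iff a^2 != 1 and
    a^q != 1 (mod p); by the text, a fraction (q-1)/(2q) of all a qualify."""
    while True:
        a = rng.randrange(2, p - 1)
        if pow(a, 2, p) != 1 and pow(a, q, p) != 1:
            return a

def order_q_element(p, g):
    """Note 4.81 applied here: for a generator g, g^2 = g^((p-1)/q) has prime
    order q = (p - 1)/2."""
    return pow(g, 2, p)
```

`safe_prime(32)` returns a pair $(p, q)$ with $p = 2q + 1$ and $p$ of exactly 32 bits; for the small safe prime $p = 23$, `generator_for_safe_prime(23, 11)` returns one of the ten generators of $\mathbb{Z}_{23}^*$. Both $p$ and $q$ are only probable primes, as the text notes for Algorithm 4.86, so a deployment would raise `t` (or add a proof of primality) rather than rely on the 20 rounds used here.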
4.7 Notes and further references

§4.1

Several books provide extensive treatments of primality testing including those by Bressoud [198], Bach and Shallit [70], and Koblitz [697]. The book by Kranakis [710] offers a more theoretical approach. Cohen [263] gives a comprehensive treatment of modern primality tests. See also the survey articles by A. Lenstra [747] and A. Lenstra and H. Lenstra [748]. Facts 4.1 and 4.2 were proven in 1837 by Dirichlet. For proofs of these results, see Chapter 16 of Ireland and Rosen [572]. Fact 4.3 is due to Rosser and Schoenfeld [1070]. Bach and Shallit [70] have further results on the distribution of prime numbers.

§4.2 

Fact 4.13(i) was proven by Alford, Granville, and Pomerance [24]; see also Granville [521]. Fact 4.13(ii) is due to Pomerance, Selfridge, and Wagstaff [996]. Pinch [974] showed that there are 105212 Carmichael numbers up to $10^{15}$.

The  Solovay-Strassen  probabilistic  primality  test  (Algorithm  4.18)  is  due  to  Solovay  and 
Strassen  [1163],  as  modified  by  Atkin  and  Larson  [57]. 

Fact 4.23 was proven independently by Monier [892] and Rabin [1024]. The Miller-Rabin test (Algorithm 4.24) originated in the work of Miller [876] who presented it as a non-probabilistic polynomial-time algorithm assuming the correctness of the Extended Riemann Hypothesis (ERH). Rabin [1021, 1024] rephrased Miller's algorithm as a probabilistic primality test. Rabin's algorithm required a small number of gcd computations. The Miller-Rabin test (Algorithm 4.24) is a simplification of Rabin's algorithm which does not require any gcd computations, and is due to Knuth [692, p.379]. Arazi [55], making use of Montgomery modular multiplication (§14.3.2), showed how the Miller-Rabin test can be implemented by "divisionless modular exponentiations" only, yielding a probabilistic primality test which does not use any division operations.

Miller [876], appealing to the work of Ankeny [32], proved under assumption of the Extended Riemann Hypothesis that, if $n$ is an odd composite integer, then its least strong witness is less than $c(\ln n)^2$, where $c$ is some constant. Bach [63] proved that this constant may be taken to be $c = 2$; see also Bach [64]. As a consequence, one can test $n$ for primality in $O((\lg n)^5)$ bit operations by executing the Miller-Rabin algorithm for all bases $a \leq 2(\ln n)^2$. This gives a deterministic polynomial-time algorithm for primality testing, under the assumption that the ERH is true.

Table  4.1  is  from  Jaeschke  [630],  building  on  earlier  work  of  Pomerance,  Selfridge,  and 
Wagstaff  [996].  Arnault  [56]  found  the  following  46-digit  composite  integer 

n = 1195068768795265792518361315725116351898245581 

that  is  a strong  pseudoprime  to  all  the  11  prime  bases  up  to  31.  Arnault  also  found  a 337- 
digit  composite  integer  which  is  a strong  pseudoprime  to  all  46  prime  bases  up  to  199. 

The Miller-Rabin test (Algorithm 4.24) randomly generates $t$ independent bases $a$ and tests to see if each is a strong witness for $n$. Let $n$ be an odd composite integer and let $t = \lceil 2 \lg n \rceil$. In situations where random bits are scarce, one may choose instead to generate a single random base $a$ and use the bases $a, a+1, \ldots, a+t-1$. Bach [66] proved that for a randomly chosen integer $a$, the probability that $a, a+1, \ldots, a+t-1$ are all strong liars for $n$ is bounded above by $n^{-1/4+o(1)}$. In other words, the probability that the Miller-Rabin algorithm using these bases mistakenly declares an odd composite integer "prime" is at most $n^{-1/4+o(1)}$. Peralta and Shoup [969] later improved this bound to

Monier [892] gave exact formulas for the number of Fermat liars, Euler liars, and strong
liars for composite integers. One consequence of Monier's formulas is the following
improvement (in the case where n is not a prime power) of Fact 4.17 (see Kranakis [710,
p.68]). If n > 3 is an odd composite integer having r distinct prime factors, and if
n ≡ 3 (mod 4), then there are at most φ(n)/2^{r−1} Euler liars for n. Another consequence
is the following improvement (in the case where n has at least three distinct prime
factors) of Fact 4.23. If n > 3 is an odd composite integer having r distinct prime
factors, then there are at most φ(n)/2^{r−1} strong liars for n. Erdős and Pomerance [373]
estimated the average number of Fermat liars, Euler liars, and strong liars for composite
integers. Fact 4.30(ii) was proven independently by Atkin and Larson [57], Monier [892],
and Pomerance, Selfridge, and Wagstaff [996].

Pinch [975] reviewed the probabilistic primality tests used in the Mathematica, Maple V,
Axiom, and Pari/GP computer algebra systems. Some of these systems use a probabilistic
primality test known as the Lucas test; a description of this test is provided by
Pomerance, Selfridge, and Wagstaff [996].

If a number n is composite, providing a non-trivial divisor of n is evidence of its
compositeness that can be verified in polynomial time (by long division). In other words,
the decision problem "is n composite?" belongs to the complexity class NP (cf. Example
2.65). Pratt [1000] used Fact 4.38 to show that this decision problem is also in co-NP.
That is, if n is prime there exists some evidence of this (called a certificate of
primality) that can be verified in polynomial time. Note that the issue here is not in
finding such evidence, but rather in determining whether such evidence exists which, if
found, allows efficient verification. Pomerance [992] improved Pratt's results and showed
that every prime n has a certificate of primality which requires O(ln n) multiplications
modulo n for its verification.

Primality of the Fermat number F_k = 2^{2^k} + 1 can be determined in deterministic
polynomial time by Pepin's test: for k ≥ 2, F_k is prime if and only if
5^{(F_k − 1)/2} ≡ −1 (mod F_k). For the history behind Pepin's test and the Lucas-Lehmer
test (Algorithm 4.37), see Bach and Shallit [70].

In Fact 4.38, the integer a does not have to be the same for all q. More precisely,
Brillhart and Selfridge [212] showed that Fact 4.38 can be refined as follows: an integer
n > 3 is prime if and only if for each prime divisor q of n − 1, there exists an integer
a_q such that a_q^{n−1} ≡ 1 (mod n) and a_q^{(n−1)/q} ≢ 1 (mod n). The same is true of
Fact 4.40, which is due to Pocklington [981]. For a proof of Fact 4.41, see Maurer [818].
Fact 4.42 is due to Brillhart, Lehmer, and Selfridge [210]; a simplified proof is given by
Maurer [818].
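An added example, not code from the Handbook, tying the certificate-of-primality discussion above to the Brillhart-Selfridge refinement: a Go verifier for Pratt-style certificates that accepts a separate witness a_q for each prime q dividing n − 1, checks that n − 1 is fully accounted for by the listed q's, and verifies each q recursively. The Certificate type, the constructed certificates for 3, 7 and 13, and the bogus one for 15 are this example's own.

```go
package main

import (
	"fmt"
	"math/big"
)

var (
	one = big.NewInt(1)
	two = big.NewInt(2)
)

// Certificate is a Pratt-style certificate of primality for N: for every distinct
// prime divisor q of N-1 it carries a witness a_q (Brillhart and Selfridge's
// refinement lets a_q differ per q) and, recursively, a certificate that q is prime.
// The prime 2 is the base case and carries no factor entries.
type Certificate struct {
	N       *big.Int
	Factors []FactorWitness
}

// FactorWitness pairs one prime divisor q of N-1 with its witness and proof.
type FactorWitness struct {
	Q     *big.Int     // prime divisor of N-1
	A     *big.Int     // witness a_q for this q
	Proof *Certificate // certificate that Q is prime (nil only when Q == 2)
}

// Verify checks the certificate using only modular exponentiations and trial
// divisions, i.e. in polynomial time: N-1 must be built from exactly the listed q's,
// and each q needs a_q^(N-1) ≡ 1 (mod N) and a_q^((N-1)/q) ≢ 1 (mod N).
func (c *Certificate) Verify() bool {
	if c == nil || c.N == nil || c.N.Cmp(two) < 0 {
		return false
	}
	if c.N.Cmp(two) == 0 {
		return true // base case: 2 is prime
	}
	nMinus1 := new(big.Int).Sub(c.N, one)
	rest := new(big.Int).Set(nMinus1) // N-1 with the listed primes divided out
	seen := map[string]bool{}
	for _, fw := range c.Factors {
		if fw.Q == nil || fw.A == nil || fw.Q.Cmp(two) < 0 || fw.A.Sign() <= 0 || seen[fw.Q.String()] {
			return false
		}
		seen[fw.Q.String()] = true
		// Each listed q must itself be proven prime (recursively).
		if fw.Q.Cmp(two) != 0 {
			if fw.Proof == nil || fw.Proof.N == nil || fw.Proof.N.Cmp(fw.Q) != 0 || !fw.Proof.Verify() {
				return false
			}
		}
		// q must divide N-1; remove every power of q from rest.
		if new(big.Int).Mod(rest, fw.Q).Sign() != 0 {
			return false
		}
		for new(big.Int).Mod(rest, fw.Q).Sign() == 0 {
			rest.Div(rest, fw.Q)
		}
		// a_q^(N-1) ≡ 1 (mod N)
		if new(big.Int).Exp(fw.A, nMinus1, c.N).Cmp(one) != 0 {
			return false
		}
		// a_q^((N-1)/q) ≢ 1 (mod N)
		e := new(big.Int).Div(nMinus1, fw.Q)
		if new(big.Int).Exp(fw.A, e, c.N).Cmp(one) == 0 {
			return false
		}
	}
	// Every prime divisor of N-1 must have been listed, or the argument fails.
	return rest.Cmp(one) == 0
}

// newCert and fw are small constructors for the constructed example certificates.
func newCert(n int64, factors ...FactorWitness) *Certificate {
	return &Certificate{N: big.NewInt(n), Factors: factors}
}

func fw(q, a int64, proof *Certificate) FactorWitness {
	return FactorWitness{Q: big.NewInt(q), A: big.NewInt(a), Proof: proof}
}

// Constructed certificates: 3-1 = 2, 7-1 = 2*3, 13-1 = 2^2*3 (one entry per distinct q).
func cert3() *Certificate  { return newCert(3, fw(2, 2, nil)) }
func cert7() *Certificate  { return newCert(7, fw(2, 3, nil), fw(3, 3, cert3())) }
func cert13() *Certificate { return newCert(13, fw(2, 2, nil), fw(3, 2, cert3())) }

// bogus15 claims 15 is prime via 15-1 = 2*7; no witness can satisfy the q = 7 condition.
func bogus15() *Certificate { return newCert(15, fw(2, 4, nil), fw(7, 2, cert7())) }

func main() {
	fmt.Println("certificate for 13 verifies:", cert13().Verify())  // true
	fmt.Println("bogus certificate for 15 verifies:", bogus15().Verify()) // false
}
```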

The original Jacobi sum test was discovered by Adleman, Pomerance, and Rumely [16]. The
algorithm was simplified, both theoretically and algorithmically, by Cohen and H. Lenstra
[265]. Cohen and A. Lenstra [264] give an implementation report of the Cohen-Lenstra
Jacobi sum test; see also Chapter 9 of Cohen [263]. Further improvements of the Jacobi sum
test are reported by Bosma and van der Hulst [174].

Elliptic curves were first used for primality proving by Goldwasser and Kilian [477], who
presented a randomized algorithm which has an expected running time of O((ln n)^{11}) bit
operations for most inputs n. Subsequently, Adleman and Huang [13] designed a primality
proving algorithm using hyperelliptic curves of genus two whose expected running time is
polynomial for all inputs n. This established that the decision problem "is n prime?" is
in the complexity class RP (Definition 2.77(ii)). The Goldwasser-Kilian and Adleman-Huang
algorithms are inefficient in practice. Atkin's test, and an implementation of it, is
extensively described by Atkin and Morain [58]; see also Chapter 9 of Cohen [263]. The
largest number proven prime as of 1996 by a general purpose primality proving algorithm is
a 1505-decimal digit number, accomplished by Morain [903] using Atkin's test. The total
time for the computation was estimated to be 4 years of CPU time distributed among 21
SUN 3/60 workstations. See also Morain [902] for an implementation report on Atkin's test
which was used to prove the primality of the 1065-decimal digit number (2^{3539} + 1)/3.

A proof of Mertens's theorem can be found in Hardy and Wright [540]. The optimal trial
division bound (Note 4.45) was derived by Maurer [818]. The discussion (Note 4.47) on the
probability P(X|Y_t) is from Beauchemin et al. [81]; the result mentioned in the last
sentence of this note is due to Kim and Pomerance [673]. Fact 4.48 was derived by Damgård,
Landrock, and Pomerance [300], building on earlier work of Erdős and Pomerance [373], Kim
and Pomerance [673], and Damgård and Landrock [299]. Table 4.3 is Table 2 of Damgård,
Landrock, and Pomerance [300]. The suggestions to first do a Miller-Rabin test with base
a = 2 (Remark 4.50) and to do an incremental search (Note 4.51) in Algorithm 4.44 were
made by Brandt, Damgård, and Landrock [187]. The error and failure probabilities for
incremental search (Note 4.51(i)) were obtained by Brandt and Damgård [186]; consult this
paper for more concrete estimates of these probabilities.

Algorithm 4.53 for generating strong primes is due to Gordon [514, 513]. Gordon originally
proposed computing p_0 = (s^{r−1} − r^{s−1}) mod rs in step 3. Kaliski (personal
communication, April 1996) proposed the modified formula p_0 = (2s^{r−2} mod r)s − 1 which
can be computed more efficiently. Williams and Schmid [1249] proposed an algorithm for
generating strong primes p with the additional constraint that p − 1 = 2q where q is
prime; this algorithm is not as efficient as Gordon's algorithm. Hellman and Bach [550]
recommended an additional constraint on strong primes, specifying that s − 1 (where s is a
large prime factor of p + 1) must have a large prime factor (see §15.2.3(v)); this thwarts
cycling attacks based on Lucas sequences.

The NIST method for prime generation (Algorithm 4.56) is that recommended by the NIST
Federal Information Processing Standards Publication (FIPS) 186 [406].

Fact 4.59 and Algorithm 4.62 for provable prime generation are derived from Maurer [818].
Algorithm 4.62 is based on that of Shawe-Taylor [1123]. Maurer notes that the total
diversity of reachable primes using the original version of his algorithm is roughly 10%
of all primes. Maurer also presents a more complicated algorithm for generating provable
primes with a better diversity than Algorithm 4.62, and provides extensive implementation
details and analysis of the expected running time. Maurer [812] provides heuristic
justification that Algorithm 4.62 generates primes with virtually uniform distribution.
Mihailescu [870] observed that Maurer's algorithm can be improved by using the
Eratosthenes sieve method for trial division (in step 8.2 of Algorithm 4.62) and by
searching for a prime n in an appropriate interval of the arithmetic progression 2q + 1,
4q + 1, 6q + 1, ... instead of generating R's at random until n = 2Rq + 1 is prime. The
second improvement comes at the expense of a reduction of the set of primes which may be
produced by the algorithm. Mihailescu's paper includes extensive analysis and an
implementation report.

Lidl and Niederreiter [764] provide a comprehensive treatment of irreducible polynomials;
proofs of Facts 4.67 and 4.68 can be found there.

Algorithm 4.69 for testing a polynomial for irreducibility is due to Ben-Or [109]. The
fastest algorithm known for generating irreducible polynomials is due to Shoup [1131] and
has an expected running time of O(m^3 lg m + m^2 lg p) Z_p-operations. There is no
deterministic polynomial-time algorithm known for finding an irreducible polynomial of a
specified degree m in Z_p[x]. Adleman and Lenstra [14] give a deterministic algorithm that
runs in polynomial time under the assumption that the ERH is true. The best deterministic
algorithm known is due to Shoup [1129] and takes O(m^4 √p) Z_p-operations, ignoring powers
of log m and log p. Gordon [512] presents an improved method for computing minimum
polynomials of elements in F_{p^m}.

Zierler and Brillhart [1271] provide a table of all irreducible trinomials of degree
≤ 1000 in Z_2[x]. Blake, Gao, and Lambert [146] extended this list to all irreducible
trinomials of degree ≤ 2000 in Z_2[x]. Fact 4.75 is from their paper.

Table 4.8 extends a similar table by Stahnke [1168]. The primitive pentanomials
x^m + x^{k_1} + x^{k_2} + x^{k_3} + 1 listed in Table 4.8 have the following properties:
(i) k_1 = k_2 + k_3; (ii) k_2 > k_3; and (iii) k_3 is as small as possible, and for this
particular value of k_3, k_2 is as small as possible. The rationale behind this form is
explained in Stahnke's paper. For each m ≤ 5000 for which the factorization of 2^m − 1 is
known, Zivkovic [1275, 1276] gives a primitive trinomial in Z_2[x], one primitive
polynomial in Z_2[x] having five non-zero terms, and one primitive polynomial in Z_2[x]
having seven non-zero terms, provided that such polynomials exist. The factorizations of
2^m − 1 are known for all m ≤ 510 and for some additional m ≤ 5000. A list of such
factorizations can be found in Brillhart et al. [211] and updates of the list are
available by anonymous ftp from sable.ox.ac.uk in the /pub/math/cunningham/ directory.
Hansen and Mullen [538] describe some improvements to Algorithm 4.78 for generating
primitive polynomials. They also give tables of primitive polynomials of degree m in
Z_p[x] for each prime power p^m < 10^{50} with p < 97. Moreover, for each such p and m,
the primitive polynomial of degree m over Z_p listed has the smallest number of non-zero
coefficients among all such polynomials.

The entries of Table 4.9 were obtained from Zierler [1270] for Mersenne exponents M_j,
1 ≤ j ≤ 23, and from Kurita and Matsumoto [719] for Mersenne exponents M_j, 24 ≤ j ≤ 27.

Let f(x) ∈ Z_p[x] be an irreducible polynomial of degree m, and consider the finite field
F_{p^m} = Z_p[x]/(f(x)). Then f(x) is called a normal polynomial if the set
{x, x^p, x^{p^2}, ..., x^{p^{m−1}}} forms a basis for F_{p^m} over Z_p; such a basis is
called a normal basis. Mullin et al. [911] introduced the concept of an optimal normal
basis in order to reduce the hardware complexity of multiplying field elements in the
finite field F_{2^m}. A VLSI implementation of the arithmetic in F_{2^m} which uses
optimal normal bases is described by Agnew et al. [18]. A normal polynomial which is also
primitive is called a primitive normal polynomial. Davenport [301] proved that for any
prime p and positive integer m there exists a primitive normal polynomial of degree m in
Z_p[x]. See also Lenstra and Schoof [760] who generalized this result from prime fields
Z_p to prime power fields F_q. Morgan and Mullen [905] give a primitive normal polynomial
of degree m over Z_p for each prime power p^m < 10^{50} with p < 97. Moreover, each
polynomial has the smallest number of non-zero coefficients among all primitive normal
polynomials of degree m over Z_p; in fact, each polynomial has at most five non-zero
terms.

No polynomial-time algorithm is known for finding generators, or even for testing whether
an element is a generator, of a finite field F_q if the factorization of q − 1 is unknown.
Shoup [1130] considered the problem of deterministically generating in polynomial time a
subset of F_q that contains a generator, and presented a solution to the problem for the
case where the characteristic p of F_q is small (e.g. p = 2). Maurer [818] discusses how
his algorithm (Algorithm 4.62) can be used to generate the parameters (p, α), where p is a
provable prime and α is a generator of Z_p^*.

5.1 Introduction

The security of many cryptographic systems depends upon the generation of unpredictable
quantities. Examples include the keystream in the one-time pad (§1.5.4), the secret key in
the DES encryption algorithm (§7.4.2), the primes p, q in the RSA encryption (§8.2) and
digital signature (§11.3.1) schemes, the private key a in the DSA (§11.5.1), and the
challenges used in challenge-response identification systems (§10.3). In all these cases,
the quantities generated must be of sufficient size and be "random" in the sense that the
probability of any particular value being selected must be sufficiently small to preclude
an adversary from gaining advantage through optimizing a search strategy based on such
probability. For example, the key space for DES has size 2^{56}. If a secret key k were
selected using a true random generator, an adversary would on average have to try 2^{55}
possible keys before guessing the correct key k. If, on the other hand, a key k were
selected by first choosing a 16-bit random secret s, and then expanding it into a 56-bit
key k using a complicated but publicly known function f, the adversary would on average
only need to try 2^{15} possible keys (obtained by running every possible value for s
through the function f).

This chapter considers techniques for the generation of random and pseudorandom bits and
numbers. Related techniques for pseudorandom bit generation that are generally discussed
in the literature in the context of stream ciphers, including linear and nonlinear
feedback shift registers (Chapter 6) and the output feedback mode (OFB) of block ciphers
(Chapter 7), are addressed elsewhere in this book.


Chapter outline

The remainder of §5.1 introduces basic concepts relevant to random and pseudorandom bit
generation. §5.2 considers techniques for random bit generation, while §5.3 considers some
techniques for pseudorandom bit generation. §5.4 describes statistical tests designed to
measure the quality of a random bit generator. Cryptographically secure pseudorandom bit
generators are the topic of §5.5. §5.6 concludes with references and further chapter notes.


5.1.1 Background and Classification

5.1 Definition A random bit generator is a device or algorithm which outputs a sequence of
statistically independent and unbiased binary digits.

5.2 Remark (random bits vs. random numbers) A random bit generator can be used to generate
(uniformly distributed) random numbers. For example, a random integer in the interval
[0, n] can be obtained by generating a random bit sequence of length ⌊lg n⌋ + 1, and
converting it to an integer; if the resulting integer exceeds n, one option is to discard
it and generate a new random bit sequence.

§5.2 outlines some physical sources of random bits that are used in practice. Ideally,
secrets required in cryptographic algorithms and protocols should be generated with a
(true) random bit generator. However, the generation of random bits is an inefficient
procedure in most practical environments. Moreover, it may be impractical to securely
store and transmit a large number of random bits if these are required in applications
such as the one-time pad (§6.1.1). In such situations, the problem can be ameliorated by
substituting a random bit generator with a pseudorandom bit generator.

5.3 Definition A pseudorandom bit generator (PRBG) is a deterministic^1 algorithm which,
given a truly random binary sequence of length k, outputs a binary sequence of length
l ≫ k which "appears" to be random. The input to the PRBG is called the seed, while the
output of the PRBG is called a pseudorandom bit sequence.

The output of a PRBG is not random; in fact, the number of possible output sequences is at
most a small fraction, namely 2^k/2^l, of all possible binary sequences of length l. The
intent is to take a small truly random sequence and expand it to a sequence of much larger
length, in such a way that an adversary cannot efficiently distinguish between output
sequences of the PRBG and truly random sequences of length l. §5.3 discusses ad-hoc
techniques for pseudorandom bit generation. In order to gain confidence that such
generators are secure, they should be subjected to a variety of statistical tests designed
to detect the specific characteristics expected of random sequences. A collection of such
tests is given in §5.4. As the following example demonstrates, passing these statistical
tests is a necessary but not sufficient condition for a generator to be secure.

5.4 Example (linear congruential generators) A linear congruential generator produces a
pseudorandom sequence of numbers x_1, x_2, x_3, ... according to the linear recurrence

x_n = a x_{n−1} + b mod m,  n ≥ 1;

integers a, b, and m are parameters which characterize the generator, while x_0 is the
(secret) seed. While such generators are commonly used for simulation purposes and
probabilistic algorithms, and pass the statistical tests of §5.4, they are predictable and
hence entirely insecure for cryptographic purposes: given a partial output sequence, the
remainder of the sequence can be reconstructed even if the parameters a, b, and m are
unknown. □

^1 Deterministic here means that given the same initial seed, the generator will always
produce the same output sequence.

A minimum security requirement for a pseudorandom bit generator is that the length k of
the random seed should be sufficiently large so that a search over 2^k elements (the
total number of possible seeds) is infeasible for the adversary. Two general requirements
are that the output sequences of a PRBG should be statistically indistinguishable from
truly random sequences, and the output bits should be unpredictable to an adversary with
limited computational resources; these requirements are captured in Definitions 5.5 and
5.6.

5.5 Definition A pseudorandom bit generator is said to pass all polynomial-time^2
statistical tests if no polynomial-time algorithm can correctly distinguish between an
output sequence of the generator and a truly random sequence of the same length with
probability significantly greater than 1/2.

5.6 Definition A pseudorandom bit generator is said to pass the next-bit test if there is
no polynomial-time algorithm which, on input of the first l bits of an output sequence s,
can predict the (l + 1)st bit of s with probability significantly greater than 1/2.

Although Definition 5.5 appears to impose a more stringent security requirement on
pseudorandom bit generators than Definition 5.6 does, the next result asserts that they
are, in fact, equivalent.

5.7 Fact (universality of the next-bit test) A pseudorandom bit generator passes the
next-bit test if and only if it passes all polynomial-time statistical tests.

5.8 Definition A PRBG that passes the next-bit test (possibly under some plausible but
unproved mathematical assumption such as the intractability of factoring integers) is
called a cryptographically secure pseudorandom bit generator (CSPRBG).

5.9 Remark (asymptotic nature of Definitions 5.5, 5.6, and 5.8) Each of the three
definitions above is given in complexity-theoretic terms and is asymptotic in nature
because the notion of "polynomial-time" is meaningful for asymptotically large inputs
only; the resulting notions of security are relative in the same sense. To be more precise
in Definitions 5.5, 5.6, 5.8, and Fact 5.7, a pseudorandom bit generator is actually a
family of such PRBGs. Thus the theoretical security results for a family of PRBGs are only
an indirect indication about the security of individual members.

Two cryptographically secure pseudorandom bit gener-ators are presented in §5.5.


5.2 Random bit generation

A (true) random bit generator requires a naturally occurring source of randomness.
Designing a hardware device or software program to exploit this randomness and produce a
bit sequence that is free of biases and correlations is a difficult task. Additionally,
for most cryptographic applications, the generator must not be subject to observation or
manipulation by an adversary. This section surveys some potential sources of random bits.

Random bit generators based on natural sources of randomness are subject to influence by
external factors, and also to malfunction. It is imperative that such devices be tested
periodically, for example by using the statistical tests of §5.4.

^2 The running time of the test is bounded by a polynomial in the length l of the output
sequence.

(i) Hardware-based generators

Hardware-based random bit generators exploit the randomness which occurs in some physical
phenomena. Such physical processes may produce bits that are biased or correlated, in
which case they should be subjected to de-skewing techniques mentioned in (iii) below.
Examples of such physical phenomena include:

1. elapsed time between emission of particles during radioactive decay;

2. thermal noise from a semiconductor diode or resistor;

3. the frequency instability of a free running oscillator;

4. the amount a metal insulator semiconductor capacitor is charged during a fixed period
of time;

5. air turbulence within a sealed disk drive which causes random fluctuations in disk
drive sector read latency times; and

6. sound from a microphone or video input from a camera.

Generators based on the first two phenomena would, in general, have to be built externally
to the device using the random bits, and hence may be subject to observation or
manipulation by an adversary. Generators based on oscillators and capacitors can be built
on VLSI devices; they can be enclosed in tamper-resistant hardware, and hence shielded
from active adversaries.

(ii) Software-based generators

Designing a random bit generator in software is even more difficult than doing so in
hardware. Processes upon which software random bit generators may be based include:

1. the system clock;

2. elapsed time between keystrokes or mouse movement;

3. content of input/output buffers;

4. user input; and

5. operating system values such as system load and network statistics.

The behavior of such processes can vary considerably depending on various factors, such
as the computer platform. It may also be difficult to prevent an adversary from observing
or manipulating these processes. For instance, if the adversary has a rough idea of when a
random sequence was generated, she can guess the content of the system clock at that time
with a high degree of accuracy. A well-designed software random bit generator should
utilize as many good sources of randomness as are available. Using many sources guards
against the possibility of a few of the sources failing, or being observed or manipulated
by an adversary. Each source should be sampled, and the sampled sequences should be
combined using a complex mixing function; one recommended technique for accomplishing this
is to apply a cryptographic hash function such as SHA-1 (Algorithm 9.53) or MD5
(Algorithm 9.51) to a concatenation of the sampled sequences. The purpose of the mixing
function is to distill the (true) random bits from the sampled sequences.

(iii) De-skewing

A natural source of random bits may be defective in that the output bits may be biased
(the probability of the source emitting a 1 is not equal to 1/2) or correlated (the
probability of the source emitting a 1 depends on previous bits emitted). There are
various techniques for generating truly random bit sequences from the output bits of such
a defective generator; such techniques are called de-skewing techniques.

5.10 Example (removing biases in output bits) Suppose that a generator produces biased but
uncorrelated bits. Suppose that the probability of a 1 is p, and the probability of a 0 is
1 − p, where p is unknown but fixed, 0 < p < 1. If the output sequence of such a generator
is grouped into pairs of bits, with a 10 pair transformed to a 1, a 01 pair transformed to
a 0, and 00 and 11 pairs discarded, then the resulting sequence is both unbiased and
uncorrelated. □

A practical (although not provable) de-skewing technique is to pass sequences whose bits
are biased or correlated through a cryptographic hash function such as SHA-1 or MD5.
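An added Go example (not code from the Handbook) that combines Remark 5.2 with Example 5.10: the pairwise de-skewing of a constructed biased bit string, and the rejection-based conversion of ⌊lg n⌋ + 1 bits into a uniform integer in [0, n], which a de-skewed source can feed directly. The BitSource type and the helper names are this example's own.

```go
package main

import (
	"fmt"
	"math/bits"
	"strings"
)

// BitSource yields one bit per call; ok == false once the source is exhausted.
type BitSource func() (bit byte, ok bool)

// sliceSource wraps a fixed, constructed bit sequence as a BitSource.
func sliceSource(s []byte) BitSource {
	i := 0
	return func() (byte, bool) {
		if i >= len(s) {
			return 0, false
		}
		i++
		return s[i-1], true
	}
}

// parseBits turns "1001 11 10" into a bit slice (spaces are ignored).
func parseBits(s string) []byte {
	var out []byte
	for _, r := range strings.ReplaceAll(s, " ", "") {
		out = append(out, byte(r-'0'))
	}
	return out
}

// drain collects every remaining bit of a source.
func drain(src BitSource) []byte {
	var out []byte
	for b, ok := src(); ok; b, ok = src() {
		out = append(out, b)
	}
	return out
}

// deSkew implements Example 5.10: read the biased but uncorrelated input in pairs;
// 10 -> 1, 01 -> 0, and 00 or 11 are discarded. Since P(10) = p(1-p) = P(01), the
// output is unbiased for any unknown p, at the cost of discarding on average more
// than half of the input bits.
func deSkew(src BitSource) BitSource {
	return func() (byte, bool) {
		for {
			b1, ok1 := src()
			b2, ok2 := src()
			if !ok1 || !ok2 {
				return 0, false // an unpaired trailing bit is dropped, never emitted
			}
			if b1 != b2 {
				return b1, true // 10 -> 1, 01 -> 0
			}
			// 00 or 11: discard the pair and read the next one
		}
	}
}

// randomInt implements Remark 5.2: draw floor(lg n)+1 bits, read them as an
// integer and reject (redraw) when the value exceeds n. Rejection keeps the result
// uniform on [0, n]; reducing modulo n+1 instead would bias the small values.
func randomInt(src BitSource, n uint64) (uint64, bool) {
	k := bits.Len64(n) // number of bits in n, i.e. floor(lg n) + 1 for n >= 1
	for {
		var v uint64
		for i := 0; i < k; i++ {
			b, ok := src()
			if !ok {
				return 0, false // source ran dry before a value was accepted
			}
			v = v<<1 | uint64(b)
		}
		if v <= n {
			return v, true
		}
	}
}

func main() {
	// Constructed sample from a source biased towards 1 (not real hardware output).
	biased := parseBits("11 10 11 01 11 10 00 10 11 01")
	fmt.Println("de-skewed:", drain(deSkew(sliceSource(biased)))) // [1 0 1 1 0]
	v, _ := randomInt(sliceSource(parseBits("111 011")), 5)
	fmt.Println("integer in [0,5]:", v) // 111 = 7 rejected, 011 = 3 accepted
}
```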


5.3 Pseudorandom bit generation

A one-way function f (Definition 1.12) can be utilized to generate pseudorandom bit
sequences (Definition 5.3) by first selecting a random seed s, and then applying the
function to the sequence of values s, s + 1, s + 2, ...; the output sequence is f(s),
f(s + 1), f(s + 2), .... Depending on the properties of the one-way function used, it may
be necessary to only keep a few bits of the output values f(s + i) in order to remove
possible correlations between successive values. Examples of suitable one-way functions f
include a cryptographic hash function such as SHA-1 (Algorithm 9.53), or a block cipher
such as DES (§7.4) with secret key k.

Although such ad-hoc methods have not been proven to be cryptographically secure, they
appear sufficient for most applications. Two such methods for pseudorandom bit and number
generation which have been standardized are presented in §5.3.1 and §5.3.2. Techniques
for the cryptographically secure generation of pseudorandom bits are given in §5.5.


5.3.1 ANSI X9.17 generator

Algorithm 5.11 is a U.S. Federal Information Processing Standard (FIPS) approved method
from the ANSI X9.17 standard for the purpose of pseudorandomly generating keys and
initialization vectors for use with DES. E_k denotes DES E-D-E two-key triple-encryption
(Definition 7.32) under a key k; the key k should be reserved exclusively for use in this
algorithm.


5.11 Algorithm ANSI X9.17 pseudorandom bit generator

INPUT: a random (and secret) 64-bit seed s, integer m, and DES E-D-E encryption key k.
OUTPUT: m pseudorandom 64-bit strings x_1, x_2, ..., x_m.

1. Compute the intermediate value I = E_k(D), where D is a 64-bit representation of
the date/time to as fine a resolution as is available.

2. For i from 1 to m do the following:

2.1 x_i ← E_k(I ⊕ s).

2.2 s ← E_k(x_i ⊕ I).

3. Return(x_1, x_2, ..., x_m).


Each output bitstring x_i may be used as an initialization vector (IV) for one of the DES
modes of operation (§7.2.2). To obtain a DES key from x_i, every eighth bit of x_i should
be reset to odd parity (cf. §7.4.2).

5.3.2 FIPS 186 generator

The algorithms presented in this subsection are FIPS-approved methods for pseudorandomly
generating the secret parameters for the DSA (§11.5.1). Algorithm 5.12 generates DSA
private keys a, while Algorithm 5.14 generates the per-message secrets k to be used in
signing messages. Both algorithms use a secret seed s which should be randomly generated,
and utilize a one-way function constructed by using either SHA-1 (Algorithm 9.53) or DES
(Algorithm 7.82), respectively described in Algorithms 5.15 and 5.16.


5.12 Algorithm FIPS 186 pseudorandom number generator for DSA private keys

INPUT: an integer m and a 160-bit prime number q.

OUTPUT: m pseudorandom numbers a_1, a_2, ..., a_m in the interval [0, q − 1] which may
be used as DSA private keys.

1. If Algorithm 5.15 is to be used in step 4.3 then select an arbitrary integer b,
160 ≤ b ≤ 512; if Algorithm 5.16 is to be used then set b ← 160.

2. Generate a random (and secret) b-bit seed s.

3. Define the 160-bit string t = 67452301 efcdab89 98badcfe 10325476 c3d2e1f0 (in
hexadecimal).

4. For i from 1 to m do the following:

4.1 (optional user input) Either select a b-bit string y_i, or set y_i ← 0.

4.2 z_i ← (s + y_i) mod 2^b.

4.3 a_i ← G(t, z_i) mod q. (G is either that defined in Algorithm 5.15 or 5.16.)

4.4 s ← (1 + s + a_i) mod 2^b.

5. Return(a_1, a_2, ..., a_m).


5.13 Note (optional user input) Algorithm 5.12 permits a user to augment the seed $s$ with random or pseudorandom strings derived from alternate sources. The user may desire to do this if she does not trust the quality or integrity of the random bit generator which may be built into a cryptographic module implementing the algorithm.


5.14 Algorithm FIPS 186 pseudorandom number generator for DSA per-message secrets

INPUT: an integer $m$ and a 160-bit prime number $q$.

OUTPUT: $m$ pseudorandom numbers $k_1, k_2, \ldots, k_m$ in the interval $[0, q-1]$ which may be used as the per-message secret numbers $k$ in the DSA.

1. If Algorithm 5.15 is to be used in step 4.1 then select an integer $b$, $160 \leq b \leq 512$; if Algorithm 5.16 is to be used then set $b \leftarrow 160$.

2. Generate a random (and secret) $b$-bit seed $s$.

3. Define the 160-bit string $t$ = efcdab89 98badcfe 10325476 c3d2e1f0 67452301 (in hexadecimal).

4. For $i$ from 1 to $m$ do the following:

4.1 $k_i \leftarrow G(t, s) \bmod q$. ($G$ is either that defined in Algorithm 5.15 or 5.16.)

4.2 $s \leftarrow (1 + s + k_i) \bmod 2^b$.

5. Return($k_1, k_2, \ldots, k_m$).
5.15 Algorithm FIPS 186 one-way function using SHA-1

INPUT: a 160-bit string $t$ and a $b$-bit string $c$, $160 \leq b \leq 512$.

OUTPUT: a 160-bit string denoted $G(t, c)$.

1. Break up $t$ into five 32-bit blocks: $t = H_1 \| H_2 \| H_3 \| H_4 \| H_5$.

2. Pad $c$ with 0's to obtain a 512-bit message block: $X \leftarrow c \| 0^{512-b}$.

3. Divide $X$ into 16 32-bit words: $x_0 x_1 \ldots x_{15}$, and set $m \leftarrow 1$.

4. Execute step 4 of SHA-1 (Algorithm 9.53). (This alters the $H_i$'s.)

5. The output is the concatenation: $G(t, c) = H_1 \| H_2 \| H_3 \| H_4 \| H_5$.
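An added worked implementation (not the Handbook's or FIPS 186's own code) of Algorithm 5.15 together with Algorithms 5.12 and 5.14, in Python with the standard library only: `sha1_compress` re-implements step 4 of SHA-1 because `hashlib` does not expose the compression function, `G_sha1` is $G(t, c)$, and `fips186_generate` runs the seed-update loop shared by 5.12 and 5.14 (the two differ only in the constant $t$ and in the optional user input $y_i$). Assumptions of this example: $b$ is restricted to a multiple of 8 so that $c$ fits in whole bytes, the function names are invented, and the prime in the demo is a stand-in rather than a 160-bit DSA prime $q$.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_compress(h, block):
    """Step 4 of SHA-1 (Algorithm 9.53): process one 512-bit block starting from
    the chaining value h = (H1, ..., H5) and return the updated (H1, ..., H5)."""
    if len(block) != 64:
        raise ValueError("SHA-1 processes 512-bit blocks")
    w = list(struct.unpack(">16L", block))
    for t in range(16, 80):
        w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + f + e + k + w[t]) & MASK32
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    return tuple((x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e)))


def G_sha1(t, c, b):
    """Algorithm 5.15: G(t, c) for a 160-bit t and a b-bit c (160 <= b <= 512).
    Assumption of this example: b is a multiple of 8, so c is b/8 bytes long."""
    if len(t) != 20 or not (160 <= b <= 512) or b % 8 or len(c) * 8 != b:
        raise ValueError("t must be 160 bits and c a b-bit string, 160 <= b <= 512")
    h = struct.unpack(">5L", t)                 # step 1: t = H1 || H2 || H3 || H4 || H5
    x = c + bytes((512 - b) // 8)               # step 2: X = c || 0^(512-b)
    h = sha1_compress(h, x)                     # steps 3-4 (one block, no length padding)
    return struct.pack(">5L", *h)               # step 5: H1 || ... || H5


# The constants t of Algorithms 5.12 and 5.14 (the second is a rotation of the first)
T_PRIVATE_KEYS = bytes.fromhex("67452301efcdab8998badcfe10325476c3d2e1f0")
T_PER_MESSAGE = bytes.fromhex("efcdab8998badcfe10325476c3d2e1f067452301")


def fips186_generate(t, seed, b, q, m, user_inputs=None):
    """Algorithm 5.12 (t = T_PRIVATE_KEYS, optional user_inputs y_i) and Algorithm
    5.14 (t = T_PER_MESSAGE, no user input) with G = Algorithm 5.15.
    seed is the secret b-bit seed s as an integer.  Returns (values, new_seed):
    m numbers in [0, q-1] and the updated seed s, which must stay secret."""
    if not (0 <= seed < 2 ** b):
        raise ValueError("seed must be a b-bit integer")
    s = seed
    values = []
    for i in range(m):                                    # step 4
        y = 0 if user_inputs is None else user_inputs[i]  # 4.1 (5.14: y_i = 0 always)
        z = (s + y) % 2 ** b                              # 4.2
        g = int.from_bytes(G_sha1(t, z.to_bytes(b // 8, "big"), b), "big")
        a = g % q                                         # 4.3
        values.append(a)
        s = (1 + s + a) % 2 ** b                          # 4.4
    return values, s                                      # step 5


if __name__ == "__main__":
    # Constructed demo: q below is a known prime used only as a stand-in for
    # the 160-bit DSA prime q; the seed is a fixed constant, not a secret.
    q_demo = 2 ** 127 - 1
    ks, _ = fips186_generate(T_PER_MESSAGE, seed=0x1234567890ABCDEF, b=160, q=q_demo, m=3)
    for i, k in enumerate(ks, 1):
        print(f"k_{i} = {k:#x}")
```

A useful self-check on the hand-written compression function: the $t$ of Algorithm 5.12 is exactly the SHA-1 initial chaining value, so feeding a correctly padded one-block message as a 512-bit $c$ must reproduce `hashlib.sha1` of that message.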


5.16 Algorithm FIPS 186 one-way function using DES

INPUT: two 160-bit strings $t$ and $c$.

OUTPUT: a 160-bit string denoted $G(t, c)$.

1. Break up $t$ into five 32-bit blocks: $t = t_0 \| t_1 \| t_2 \| t_3 \| t_4$.

2. Break up $c$ into five 32-bit blocks: $c = c_0 \| c_1 \| c_2 \| c_3 \| c_4$.

3. For $i$ from 0 to 4 do the following: $x_i \leftarrow t_i \oplus c_i$.

4. For $i$ from 0 to 4 do the following:

4.1 $b_1 \leftarrow c_{(i+4) \bmod 5}$, $b_2 \leftarrow c_{(i+3) \bmod 5}$.

4.2 $a_1 \leftarrow x_i$, $a_2 \leftarrow x_{(i+1) \bmod 5} \oplus x_{(i+4) \bmod 5}$.

4.3 $A \leftarrow a_1 \| a_2$, $B \leftarrow b_1' \| b_2$, where $b_1'$ denotes the 24 least significant bits of $b_1$.

4.4 Use DES with key $B$ to encrypt $A$: $y_i \leftarrow \mathrm{DES}_B(A)$.

4.5 Break up $y_i$ into two 32-bit blocks: $y_i = L_i \| R_i$.

5. For $i$ from 0 to 4 do the following: $z_i \leftarrow L_i \oplus R_{(i+2) \bmod 5} \oplus L_{(i+3) \bmod 5}$.

6. The output is the concatenation: $G(t, c) = z_0 \| z_1 \| z_2 \| z_3 \| z_4$.


5.4  Statistical  tests 

This section presents some tests designed to measure the quality of a generator purported to be a random bit generator (Definition 5.1). While it is impossible to give a mathematical proof that a generator is indeed a random bit generator, the tests described here help detect certain kinds of weaknesses the generator may have. This is accomplished by taking a sample output sequence of the generator and subjecting it to various statistical tests. Each statistical test determines whether the sequence possesses a certain attribute that a truly random sequence would be likely to exhibit; the conclusion of each test is not definite, but rather probabilistic. An example of such an attribute is that the sequence should have roughly the same number of 0's as 1's. If the sequence is deemed to have failed any one of the statistical tests, the generator may be rejected as being non-random; alternatively, the generator may be subjected to further testing. On the other hand, if the sequence passes all of the statistical tests, the generator is accepted as being random. More precisely, the term "accepted" should be replaced by "not rejected", since passing the tests merely provides probabilistic evidence that the generator produces sequences which have certain characteristics of random sequences.

§5.4.1  and  §5.4.2  provide  some  relevant  background  in  statistics.  §5.4.3  establishes 
some  notation  and  lists  Golomb’s  randomness  postulates.  Specific  statistical  tests  for  ran- 
domness are  described  in  §5.4.4  and  §5.4.5. 
5.4.1 The normal and chi-square distributions

The normal and $\chi^2$ distributions are widely used in statistical applications.

5.17 Definition If the result $X$ of an experiment can be any real number, then $X$ is said to be a continuous random variable.


5.18 Definition A probability density function of a continuous random variable $X$ is a function $f(x)$ which can be integrated and satisfies:

(i) $f(x) \geq 0$ for all $x \in \mathbb{R}$;

(ii) $\int_{-\infty}^{\infty} f(x)\,dx = 1$; and

(iii) for all $a, b \in \mathbb{R}$, $P(a < X \leq b) = \int_a^b f(x)\,dx$.

(i) The normal distribution

The normal distribution arises in practice when a large number of independent random variables having the same mean and variance are summed.


5.19 Definition A (continuous) random variable $X$ has a normal distribution with mean $\mu$ and variance $\sigma^2$ if its probability density function is defined by

$$f(x) = \frac{1}{\sigma\sqrt{2\pi}} \exp\left(\frac{-(x-\mu)^2}{2\sigma^2}\right), \qquad -\infty < x < \infty.$$

Notation: $X$ is said to be $N(\mu, \sigma^2)$. If $X$ is $N(0, 1)$, then $X$ is said to have a standard normal distribution.


A graph of the $N(0, 1)$ distribution is given in Figure 5.1.

Figure 5.1: The normal distribution $N(0, 1)$.

The graph is symmetric about the vertical axis, and hence $P(X > x) = P(X < -x)$ for any $x$. Table 5.1 gives some percentiles for the standard normal distribution. For example, the entry ($\alpha = 0.05$, $x = 1.6449$) means that if $X$ is $N(0, 1)$, then $X$ exceeds 1.6449 about 5% of the time.

Fact 5.20 can be used to reduce questions about a normal distribution to questions about the standard normal distribution.
α    0.1      0.05     0.025    0.01     0.005    0.0025   0.001    0.0005
x    1.2816   1.6449   1.9600   2.3263   2.5758   2.8070   3.0902   3.2905

Table 5.1: Selected percentiles of the standard normal distribution. If $X$ is a random variable having a standard normal distribution, then $P(X > x) = \alpha$.


5.20 Fact If the random variable $X$ is $N(\mu, \sigma^2)$, then the random variable $Z = (X - \mu)/\sigma$ is $N(0, 1)$.


(ii) The $\chi^2$ distribution

The $\chi^2$ distribution can be used to compare the goodness-of-fit of the observed frequencies of events to their expected frequencies under a hypothesized distribution. The $\chi^2$ distribution with $v$ degrees of freedom arises in practice when the squares of $v$ independent random variables having standard normal distributions are summed.


5.21 Definition Let $v \geq 1$ be an integer. A (continuous) random variable $X$ has a $\chi^2$ (chi-square) distribution with $v$ degrees of freedom if its probability density function is defined by

$$f(x) = \begin{cases} \dfrac{1}{\Gamma(v/2)\, 2^{v/2}}\, x^{(v/2)-1} e^{-x/2}, & 0 \leq x < \infty, \\[6pt] 0, & x < 0, \end{cases}$$

where $\Gamma$ is the gamma function.³ The mean and variance of this distribution are $\mu = v$, and $\sigma^2 = 2v$.


A graph of the $\chi^2$ distribution with $v = 7$ degrees of freedom is given in Figure 5.2. Table 5.2 gives some percentiles of the $\chi^2$ distribution for various degrees of freedom.

Figure 5.2: The $\chi^2$ (chi-square) distribution with $v = 7$ degrees of freedom.

For example, the entry in row $v = 5$ and column $\alpha = 0.05$ is $x = 11.0705$; this means that if $X$ has a $\chi^2$ distribution with 5 degrees of freedom, then $X$ exceeds 11.0705 about 5% of the time.

³The gamma function is defined by $\Gamma(t) = \int_0^{\infty} x^{t-1} e^{-x}\,dx$, for $t > 0$.
                                    α
   v     0.100     0.050     0.025     0.010     0.005     0.001
   1    2.7055    3.8415    5.0239    6.6349    7.8794   10.8276
   2    4.6052    5.9915    7.3778    9.2103   10.5966   13.8155
   3    6.2514    7.8147    9.3484   11.3449   12.8382   16.2662
   4    7.7794    9.4877   11.1433   13.2767   14.8603   18.4668
   5    9.2364   11.0705   12.8325   15.0863   16.7496   20.5150
   6   10.6446   12.5916   14.4494   16.8119   18.5476   22.4577
   7   12.0170   14.0671   16.0128   18.4753   20.2777   24.3219
   8   13.3616   15.5073   17.5345   20.0902   21.9550   26.1245
   9   14.6837   16.9190   19.0228   21.6660   23.5894   27.8772
  10   15.9872   18.3070   20.4832   23.2093   25.1882   29.5883
  11   17.2750   19.6751   21.9200   24.7250   26.7568   31.2641
  12   18.5493   21.0261   23.3367   26.2170   28.2995   32.9095
  13   19.8119   22.3620   24.7356   27.6882   29.8195   34.5282
  14   21.0641   23.6848   26.1189   29.1412   31.3193   36.1233
  15   22.3071   24.9958   27.4884   30.5779   32.8013   37.6973
  16   23.5418   26.2962   28.8454   31.9999   34.2672   39.2524
  17   24.7690   27.5871   30.1910   33.4087   35.7185   40.7902
  18   25.9894   28.8693   31.5264   34.8053   37.1565   42.3124
  19   27.2036   30.1435   32.8523   36.1909   38.5823   43.8202
  20   28.4120   31.4104   34.1696   37.5662   39.9968   45.3147
  21   29.6151   32.6706   35.4789   38.9322   41.4011   46.7970
  22   30.8133   33.9244   36.7807   40.2894   42.7957   48.2679
  23   32.0069   35.1725   38.0756   41.6384   44.1813   49.7282
  24   33.1962   36.4150   39.3641   42.9798   45.5585   51.1786
  25   34.3816   37.6525   40.6465   44.3141   46.9279   52.6197
  26   35.5632   38.8851   41.9232   45.6417   48.2899   54.0520
  27   36.7412   40.1133   43.1945   46.9629   49.6449   55.4760
  28   37.9159   41.3371   44.4608   48.2782   50.9934   56.8923
  29   39.0875   42.5570   45.7223   49.5879   52.3356   58.3012
  30   40.2560   43.7730   46.9792   50.8922   53.6720   59.7031
  31   41.4217   44.9853   48.2319   52.1914   55.0027   61.0983
  63   77.7454   82.5287   86.8296   92.0100   95.6493  103.4424
 127  147.8048  154.3015  160.0858  166.9874  171.7961  181.9930
 255  284.3359  293.2478  301.1250  310.4574  316.9194  330.5197
 511  552.3739  564.6961  575.5298  588.2978  597.0978  615.5149
1023 1081.3794 1098.5208 1113.5334 1131.1587 1143.2653 1168.4972

Table 5.2: Selected percentiles of the $\chi^2$ (chi-square) distribution. A $(v, \alpha)$-entry of $x$ in the table has the following meaning: if $X$ is a random variable having a $\chi^2$ distribution with $v$ degrees of freedom, then $P(X > x) = \alpha$.
Fact 5.22 relates the normal distribution to the $\chi^2$ distribution.

5.22 Fact If the random variable $X$ is $N(\mu, \sigma^2)$, $\sigma^2 > 0$, then the random variable $Z = (X - \mu)^2/\sigma^2$ has a $\chi^2$ distribution with 1 degree of freedom. In particular, if $X$ is $N(0, 1)$, then $Z = X^2$ has a $\chi^2$ distribution with 1 degree of freedom.


5.4.2  Hypothesis  testing 

A statistical hypothesis, denoted $H_0$, is an assertion about a distribution of one or more random variables. A test of a statistical hypothesis is a procedure, based upon observed values of the random variables, that leads to the acceptance or rejection of the hypothesis $H_0$. The test only provides a measure of the strength of the evidence provided by the data against the hypothesis; hence, the conclusion of the test is not definite, but rather probabilistic.

5.23 Definition The significance level $\alpha$ of the test of a statistical hypothesis $H_0$ is the probability of rejecting $H_0$ when it is true.

In this section, $H_0$ will be the hypothesis that a given binary sequence was produced by a random bit generator. If the significance level $\alpha$ of a test of $H_0$ is too high, then the test may reject sequences that were, in fact, produced by a random bit generator (such an error is called a Type I error). On the other hand, if the significance level of a test of $H_0$ is too low, then there is the danger that the test may accept sequences even though they were not produced by a random bit generator (such an error is called a Type II error).⁴ It is, therefore, important that the test be carefully designed to have a significance level that is appropriate for the purpose at hand; a significance level $\alpha$ between 0.001 and 0.05 might be employed in practice.

A statistical test is implemented by specifying a statistic on the random sample.⁵ Statistics are generally chosen so that they can be efficiently computed, and so that they (approximately) follow an $N(0, 1)$ or a $\chi^2$ distribution (see §5.4.1). The value of the statistic for the sample output sequence is computed and compared with the value expected for a random sequence as described below.

1. Suppose that a statistic $X$ for a random sequence follows a $\chi^2$ distribution with $v$ degrees of freedom, and suppose that the statistic can be expected to take on larger values for nonrandom sequences. To achieve a significance level of $\alpha$, a threshold value $x_\alpha$ is chosen (using Table 5.2) so that $P(X > x_\alpha) = \alpha$. If the value $X_s$ of the statistic for the sample output sequence satisfies $X_s > x_\alpha$, then the sequence fails the test; otherwise, it passes the test. Such a test is called a one-sided test. For example, if $v = 5$ and $\alpha = 0.025$, then $x_\alpha = 12.8325$, and one expects a random sequence to fail the test only 2.5% of the time.

2. Suppose that a statistic $X$ for a random sequence follows an $N(0, 1)$ distribution, and suppose that the statistic can be expected to take on both larger and smaller values for nonrandom sequences. To achieve a significance level of $\alpha$, a threshold value $x_\alpha$ is chosen (using Table 5.1) so that $P(X > x_\alpha) = P(X < -x_\alpha) = \alpha/2$. If the value $X_s$ of the statistic for the sample output sequence satisfies $X_s > x_\alpha$ or $X_s < -x_\alpha$, then the sequence fails the test; otherwise, it passes the test. Such a test is called a two-sided test. For example, if $\alpha = 0.05$, then $x_\alpha = 1.96$, and one expects a random sequence to fail the test only 5% of the time.

⁴Actually, the probability $\beta$ of a Type II error may be completely independent of $\alpha$. If the generator is not a random bit generator, the probability $\beta$ depends on the nature of the defects of the generator, and is usually difficult to determine in practice. For this reason, assuming that the probability of a Type II error is proportional to $\alpha$ is a useful intuitive guide when selecting an appropriate significance level for a test.

⁵A statistic is a function of the elements of a random sample; for example, the number of 0's in a binary sequence is a statistic.


5.4.3  Golomb’s  randomness  postulates 

Golomb's randomness postulates (Definition 5.28) are presented here for historical reasons: they were one of the first attempts to establish some necessary conditions for a periodic pseudorandom sequence to look random. It is emphasized that these conditions are far from being sufficient for such sequences to be considered random. Unless otherwise stated, all sequences are binary sequences.

5.24 Definition Let $s = s_0, s_1, s_2, \ldots$ be an infinite sequence. The subsequence consisting of the first $n$ terms of $s$ is denoted by $s^n = s_0, s_1, \ldots, s_{n-1}$.

5.25 Definition The sequence $s = s_0, s_1, s_2, \ldots$ is said to be $N$-periodic if $s_i = s_{i+N}$ for all $i \geq 0$. The sequence $s$ is periodic if it is $N$-periodic for some positive integer $N$. The period of a periodic sequence $s$ is the smallest positive integer $N$ for which $s$ is $N$-periodic. If $s$ is a periodic sequence of period $N$, then the cycle of $s$ is the subsequence $s^N$.

5.26 Definition Let $s$ be a sequence. A run of $s$ is a subsequence of $s$ consisting of consecutive 0's or consecutive 1's which is neither preceded nor succeeded by the same symbol. A run of 0's is called a gap, while a run of 1's is called a block.

5.27 Definition Let $s = s_0, s_1, s_2, \ldots$ be a periodic sequence of period $N$. The autocorrelation function of $s$ is the integer-valued function $C(t)$ defined as

$$C(t) = \frac{1}{N} \sum_{i=0}^{N-1} (2s_i - 1) \cdot (2s_{i+t} - 1), \qquad \text{for } 0 \leq t \leq N-1.$$

The autocorrelation function $C(t)$ measures the amount of similarity between the sequence $s$ and a shift of $s$ by $t$ positions. If $s$ is a random periodic sequence of period $N$, then $|N \cdot C(t)|$ can be expected to be quite small for all values of $t$, $0 < t < N$.

5.28 Definition Let $s$ be a periodic sequence of period $N$. Golomb's randomness postulates are the following.

R1: In the cycle $s^N$ of $s$, the number of 1's differs from the number of 0's by at most 1.

R2: In the cycle $s^N$, at least half the runs have length 1, at least one-fourth have length 2, at least one-eighth have length 3, etc., as long as the number of runs so indicated exceeds 1. Moreover, for each of these lengths, there are (almost) equally many gaps and blocks.⁶

R3: The autocorrelation function $C(t)$ is two-valued. That is, for some integer $K$,

$$N \cdot C(t) = \sum_{i=0}^{N-1} (2s_i - 1) \cdot (2s_{i+t} - 1) = \begin{cases} N, & \text{if } t = 0, \\ K, & \text{if } 1 \leq t \leq N-1. \end{cases}$$

⁶Postulate R2 implies postulate R1.


©1997 by CRC Press, Inc. See accompanying notice at front of chapter.


5.29 Definition A binary sequence which satisfies Golomb's randomness postulates is called a pseudo-noise sequence or a pn-sequence.

Pseudo-noise sequences arise in practice as output sequences of maximum-length linear feedback shift registers (cf. Fact 6.14).

5.30 Example (pn-sequence) Consider the periodic sequence $s$ of period $N = 15$ with cycle

$s^{15} = 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 0, 1.$

The following shows that the sequence $s$ satisfies Golomb's randomness postulates.

R1: The number of 0's in $s^{15}$ is 7, while the number of 1's is 8.

R2: $s^{15}$ has 8 runs. There are 4 runs of length 1 (2 gaps and 2 blocks), 2 runs of length 2 (1 gap and 1 block), 1 run of length 3 (1 gap), and 1 run of length 4 (1 block).

R3: The autocorrelation function $C(t)$ takes on two values: $C(0) = 1$ and $C(t) = -\frac{1}{15}$ for $1 \leq t \leq 14$.

Hence, $s$ is a pn-sequence. □
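An added Python checker for Definition 5.28 (example code, not from the Handbook) that reads one period of a sequence cyclically, counts its runs, computes $N \cdot C(t)$ exactly as an integer, and reports R1, R2 and R3; run on the cycle of Example 5.30 it reproduces the counts and the value $K = -1$ given there. The function names and the reading of "(almost) equally many" as a difference of at most 1 are assumptions of this example.

```python
from itertools import groupby


def cyclic_runs(cycle):
    """Runs (Definition 5.26) of one period s^N read cyclically: the cycle is
    rotated to start at a run boundary so that a run wrapping around the end
    of the period is counted once.  Returns (symbol, length) pairs."""
    n = len(cycle)
    if len(set(cycle)) == 1:
        return [(cycle[0], n)]
    start = next(i for i in range(n) if cycle[i] != cycle[i - 1])
    rotated = cycle[start:] + cycle[:start]
    return [(sym, len(list(g))) for sym, g in groupby(rotated)]


def n_times_autocorrelation(cycle, t):
    """N * C(t) = sum_{i=0}^{N-1} (2 s_i - 1)(2 s_{i+t} - 1) with indices mod N
    (Definition 5.27 scaled by N so the result is an exact integer)."""
    n = len(cycle)
    return sum((2 * cycle[i] - 1) * (2 * cycle[(i + t) % n] - 1) for i in range(n))


def golomb_postulates(cycle):
    """Check R1, R2, R3 of Definition 5.28 for one period of a binary sequence.
    Returns a dict with the three verdicts, the runs, and the constant K of R3."""
    n = len(cycle)
    ones = sum(cycle)
    r1 = abs(ones - (n - ones)) <= 1                        # R1

    runs = cyclic_runs(cycle)
    total = len(runs)
    r2 = True
    length = 1
    while total / 2 ** length > 1:                          # "as long as the number so indicated exceeds 1"
        of_len = [sym for sym, ln in runs if ln == length]
        if len(of_len) < total / 2 ** length:               # at least total / 2^length runs of this length
            r2 = False
        if abs(of_len.count(0) - of_len.count(1)) > 1:      # (almost) equally many gaps and blocks
            r2 = False
        length += 1

    off_peak = {n_times_autocorrelation(cycle, t) for t in range(1, n)}
    r3 = len(off_peak) == 1                                 # two-valued: N at t = 0, one K elsewhere
    return {"R1": r1, "R2": r2, "R3": r3, "runs": runs,
            "K": off_peak.pop() if r3 else None}


if __name__ == "__main__":
    # The cycle of Example 5.30 (period N = 15)
    s15 = [0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 0, 1]
    result = golomb_postulates(s15)
    print("runs:", result["runs"])
    print("N*C(t) for t = 0..14:", [n_times_autocorrelation(s15, t) for t in range(15)])
    print("R1 %s  R2 %s  R3 %s (K = %s)" % (result["R1"], result["R2"], result["R3"], result["K"]))
    print("pn-sequence:", result["R1"] and result["R2"] and result["R3"])
```

The cyclic reading matters: a period that begins and ends with the same symbol has one run straddling the wrap-around, and counting it twice would distort R2.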


5.4.4  Five  basic  tests 


Let $s = s_0, s_1, s_2, \ldots, s_{n-1}$ be a binary sequence of length $n$. This subsection presents five statistical tests that are commonly used for determining whether the binary sequence $s$ possesses some specific characteristics that a truly random sequence would be likely to exhibit. It is emphasized again that the outcome of each test is not definite, but rather probabilistic. If a sequence passes all five tests, there is no guarantee that it was indeed produced by a random bit generator (cf. Example 5.4).


(i) Frequency test (monobit test)

The purpose of this test is to determine whether the number of 0's and 1's in $s$ are approximately the same, as would be expected for a random sequence. Let $n_0$, $n_1$ denote the number of 0's and 1's in $s$, respectively. The statistic used is

$$X_1 = \frac{(n_0 - n_1)^2}{n} \qquad (5.1)$$

which approximately follows a $\chi^2$ distribution with 1 degree of freedom if $n \geq 10$.⁷


(ii)  Serial  test  (two-bit  test) 

The purpose of this test is to determine whether the number of occurrences of 00, 01, 10, and 11 as subsequences of $s$ are approximately the same, as would be expected for a random sequence. Let $n_0$, $n_1$ denote the number of 0's and 1's in $s$, respectively, and let $n_{00}$, $n_{01}$, $n_{10}$, $n_{11}$ denote the number of occurrences of 00, 01, 10, 11 in $s$, respectively. Note that $n_{00} + n_{01} + n_{10} + n_{11} = (n - 1)$ since the subsequences are allowed to overlap. The statistic used is

$$X_2 = \frac{4}{n-1}\left(n_{00}^2 + n_{01}^2 + n_{10}^2 + n_{11}^2\right) - \frac{2}{n}\left(n_0^2 + n_1^2\right) + 1 \qquad (5.2)$$

which approximately follows a $\chi^2$ distribution with 2 degrees of freedom if $n \geq 21$.

⁷In practice, it is recommended that the length $n$ of the sample output sequence be much larger (for example, $n \geq 10000$) than the minimum specified for each test in this subsection.
(iii) Poker test

Let $m$ be a positive integer such that $\lfloor n/m \rfloor \geq 5 \cdot (2^m)$, and let $k = \lfloor n/m \rfloor$. Divide the sequence $s$ into $k$ non-overlapping parts each of length $m$, and let $n_i$ be the number of occurrences of the $i$th type of sequence of length $m$, $1 \leq i \leq 2^m$. The poker test determines whether the sequences of length $m$ each appear approximately the same number of times in $s$, as would be expected for a random sequence. The statistic used is

$$X_3 = \frac{2^m}{k}\left(\sum_{i=1}^{2^m} n_i^2\right) - k \qquad (5.3)$$

which approximately follows a $\chi^2$ distribution with $2^m - 1$ degrees of freedom. Note that the poker test is a generalization of the frequency test: setting $m = 1$ in the poker test yields the frequency test.


(iv)  Runs  test 

The purpose of the runs test is to determine whether the number of runs (of either zeros or ones; see Definition 5.26) of various lengths in the sequence $s$ is as expected for a random sequence. The expected number of gaps (or blocks) of length $i$ in a random sequence of length $n$ is $e_i = (n - i + 3)/2^{i+2}$. Let $k$ be equal to the largest integer $i$ for which $e_i \geq 5$. Let $B_i$, $G_i$ be the number of blocks and gaps, respectively, of length $i$ in $s$ for each $i$, $1 \leq i \leq k$. The statistic used is

$$X_4 = \sum_{i=1}^{k} \frac{(B_i - e_i)^2}{e_i} + \sum_{i=1}^{k} \frac{(G_i - e_i)^2}{e_i} \qquad (5.4)$$

which approximately follows a $\chi^2$ distribution with $2k - 2$ degrees of freedom.


(v)  Autocorrelation  test 

The purpose of this test is to check for correlations between the sequence $s$ and (non-cyclic) shifted versions of it. Let $d$ be a fixed integer, $1 \leq d \leq \lfloor n/2 \rfloor$. The number of bits in $s$ not equal to their $d$-shifts is $A(d) = \sum_{i=0}^{n-d-1} s_i \oplus s_{i+d}$, where $\oplus$ denotes the XOR operator. The statistic used is

$$X_5 = 2\left(A(d) - \frac{n-d}{2}\right) \Big/ \sqrt{n-d} \qquad (5.5)$$

which approximately follows an $N(0, 1)$ distribution if $n - d \geq 10$. Since small values of $A(d)$ are as unexpected as large values of $A(d)$, a two-sided test should be used.


5.31 Example (basic statistical tests) Consider the (non-random) sequence $s$ of length $n = 160$ obtained by replicating the following sequence four times:

11100 01100 01000 10100 11101 11100 10010 01001.

(i) (frequency test) $n_0 = 84$, $n_1 = 76$, and the value of the statistic $X_1$ is 0.4.

(ii) (serial test) $n_{00} = 44$, $n_{01} = 40$, $n_{10} = 40$, $n_{11} = 35$, and the value of the statistic $X_2$ is 0.6252.

(iii) (poker test) Here $m = 3$ and $k = 53$. The blocks 000, 001, 010, 011, 100, 101, 110, 111 appear 5, 10, 6, 4, 12, 3, 6, and 7 times, respectively, and the value of the statistic $X_3$ is 9.6415.

(iv) (runs test) Here $e_1 = 20.25$, $e_2 = 10.0625$, $e_3 = 5$, and $k = 3$. There are 25, 4, 5 blocks of lengths 1, 2, 3, respectively, and 8, 20, 12 gaps of lengths 1, 2, 3, respectively. The value of the statistic $X_4$ is 31.7913.

(v) (autocorrelation test) If $d = 8$, then $A(8) = 100$. The value of the statistic $X_5$ is 3.8933.

For a significance level of $\alpha = 0.05$, the threshold values for $X_1$, $X_2$, $X_3$, $X_4$, and $X_5$ are 3.8415, 5.9915, 14.0671, 9.4877, and 1.96, respectively (see Tables 5.1 and 5.2). Hence, the given sequence $s$ passes the frequency, serial, and poker tests, but fails the runs and autocorrelation tests. □
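An added Python implementation (example code, not the Handbook's) of the five statistics (5.1) to (5.5) together with the one-sided and two-sided decision rules of §5.4.2; applied to the sequence of Example 5.31 it reproduces the five values and the pass/fail verdicts stated there. The function names are invented, and the thresholds are passed in by the caller because they depend on the chosen $\alpha$ and on the degrees of freedom (here the $\alpha = 0.05$ entries of Tables 5.1 and 5.2 used in the example).

```python
import math
from collections import Counter
from itertools import groupby


def frequency_statistic(s):
    """X_1 = (n_0 - n_1)^2 / n of (5.1): chi-square with 1 degree of freedom."""
    n, n1 = len(s), sum(s)
    n0 = n - n1
    return (n0 - n1) ** 2 / n


def serial_statistic(s):
    """X_2 of (5.2) from the overlapping 2-bit counts: chi-square with 2 degrees of freedom."""
    n, n1 = len(s), sum(s)
    n0 = n - n1
    pairs = Counter((s[i], s[i + 1]) for i in range(n - 1))   # n00 + n01 + n10 + n11 = n - 1
    return (4 / (n - 1)) * sum(c * c for c in pairs.values()) - (2 / n) * (n0 ** 2 + n1 ** 2) + 1


def poker_statistic(s, m):
    """X_3 of (5.3) over k = floor(n/m) non-overlapping m-bit parts: chi-square with 2^m - 1 d.o.f."""
    k = len(s) // m
    if k < 5 * 2 ** m:
        raise ValueError("poker test needs floor(n/m) >= 5 * 2^m")
    counts = Counter(tuple(s[i * m:(i + 1) * m]) for i in range(k))
    return (2 ** m / k) * sum(c * c for c in counts.values()) - k


def run_lengths(s):
    """(symbol, length) for every run of s (Definition 5.26); symbol 1 = block, 0 = gap."""
    return [(sym, len(list(g))) for sym, g in groupby(s)]


def runs_statistic(s):
    """X_4 of (5.4); returns (X_4, k), the statistic being chi-square with 2k - 2 d.o.f."""
    n = len(s)
    e = lambda i: (n - i + 3) / 2 ** (i + 2)     # expected number of gaps (or blocks) of length i
    k = 1
    while e(k + 1) >= 5:                          # k = largest i with e_i >= 5
        k += 1
    runs = run_lengths(s)
    x4 = 0.0
    for i in range(1, k + 1):
        blocks = sum(1 for sym, length in runs if sym == 1 and length == i)
        gaps = sum(1 for sym, length in runs if sym == 0 and length == i)
        x4 += (blocks - e(i)) ** 2 / e(i) + (gaps - e(i)) ** 2 / e(i)
    return x4, k


def autocorrelation_statistic(s, d):
    """X_5 of (5.5): approximately N(0,1), so it is used in a two-sided test."""
    n = len(s)
    if not (1 <= d <= n // 2):
        raise ValueError("need 1 <= d <= floor(n/2)")
    a = sum(s[i] ^ s[i + d] for i in range(n - d))   # A(d): bits differing from their d-shift
    return 2 * (a - (n - d) / 2) / math.sqrt(n - d)


def run_basic_tests(s, m, d, thresholds):
    """Apply the five tests.  thresholds = (x for X_1 .. X_4 from Table 5.2 at the
    chosen alpha and degrees of freedom, x_alpha for X_5 from Table 5.1 at alpha/2).
    A chi-square statistic fails when it exceeds its threshold (one-sided test);
    X_5 fails when |X_5| exceeds its threshold (two-sided test), as in 5.4.2."""
    x4, _ = runs_statistic(s)
    stats = (frequency_statistic(s), serial_statistic(s), poker_statistic(s, m),
             x4, autocorrelation_statistic(s, d))
    passed = tuple(x <= t for x, t in zip(stats[:4], thresholds[:4]))
    passed += (abs(stats[4]) <= thresholds[4],)
    return stats, passed


# The sequence of Example 5.31: the 40-bit pattern below replicated four times (n = 160)
PATTERN = "11100 01100 01000 10100 11101 11100 10010 01001".replace(" ", "")
EXAMPLE_5_31 = [int(ch) for ch in PATTERN * 4]
# alpha = 0.05 thresholds for 1, 2, 7 and 4 degrees of freedom (Table 5.2) and N(0,1) (Table 5.1)
THRESHOLDS_5_31 = (3.8415, 5.9915, 14.0671, 9.4877, 1.96)

if __name__ == "__main__":
    stats, passed = run_basic_tests(EXAMPLE_5_31, m=3, d=8, thresholds=THRESHOLDS_5_31)
    for name, x, ok in zip(("frequency", "serial", "poker", "runs", "autocorrelation"), stats, passed):
        print(f"{name:16s} X = {x:8.4f}  {'pass' if ok else 'FAIL'}")
```

The example shows why several tests are needed: the replicated sequence has balanced bit and block counts yet its 40-bit period produces an excess of length-2 gaps and a strong correlation at shift 8, which only the runs and autocorrelation statistics expose.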

5.32 Note (FIPS 140-1 statistical tests for randomness) FIPS 140-1 specifies four statistical tests for randomness. Instead of making the user select appropriate significance levels for these tests, explicit bounds are provided that the computed value of a statistic must satisfy. A single bitstring $s$ of length 20000 bits, output from a generator, is subjected to each of the following tests. If any of the tests fail, then the generator fails the test.

(i) monobit test. The number $n_1$ of 1's in $s$ should satisfy $9654 < n_1 < 10346$.

(ii) poker test. The statistic $X_3$ defined by equation (5.3) is computed for $m = 4$. The poker test is passed if $1.03 < X_3 < 57.4$.

(iii) runs test. The number $B_i$ and $G_i$ of blocks and gaps, respectively, of length $i$ in $s$ are counted for each $i$, $1 \leq i \leq 6$. (For the purpose of this test, runs of length greater than 6 are considered to be of length 6.) The runs test is passed if the 12 counts $B_i$, $G_i$, $1 \leq i \leq 6$, are each within the corresponding interval specified by the following table.

Length of run    Required interval
      1            2267 - 2733
      2            1079 - 1421
      3             502 - 748
      4             223 - 402
      5              90 - 223
      6              90 - 223

(iv) long run test. The long run test is passed if there are no runs of length 34 or more.

For high security applications, FIPS 140-1 mandates that the four tests be performed each time the random bit generator is powered up. FIPS 140-1 allows these tests to be substituted by alternative tests which provide equivalent or superior randomness checking.
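An added Python implementation (example code, not the Handbook's or FIPS 140-1's own) of the four power-up tests of Note 5.32 with the explicit bounds given there, applied to three constructed 20000-bit inputs: output of Python's Mersenne Twister standing in for a generator under test, an all-zero string, and an alternating string. The function names and the choice of inclusive run-count intervals are assumptions of this example.

```python
import random
from collections import Counter
from itertools import groupby

# Required intervals for the counts B_i and G_i of blocks and gaps of length i
RUN_INTERVALS = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
                 4: (223, 402), 5: (90, 223), 6: (90, 223)}


def monobit_test(s):
    """(i) 9654 < n_1 < 10346."""
    n1 = sum(s)
    return 9654 < n1 < 10346


def poker_test(s, m=4):
    """(ii) X_3 of (5.3) with m = 4 must satisfy 1.03 < X_3 < 57.4."""
    k = len(s) // m
    counts = Counter(tuple(s[i * m:(i + 1) * m]) for i in range(k))
    x3 = (2 ** m / k) * sum(c * c for c in counts.values()) - k
    return 1.03 < x3 < 57.4


def run_lengths(s):
    """(symbol, length) for each run of the sequence."""
    return [(sym, len(list(g))) for sym, g in groupby(s)]


def runs_test(s):
    """(iii) the 12 counts B_i, G_i (1 <= i <= 6, runs longer than 6 counted as 6)
    must each lie in RUN_INTERVALS[i]."""
    runs = [(sym, min(length, 6)) for sym, length in run_lengths(s)]
    for length, (lo, hi) in RUN_INTERVALS.items():
        for sym in (0, 1):
            count = sum(1 for r_sym, r_len in runs if r_sym == sym and r_len == length)
            if not (lo <= count <= hi):
                return False
    return True


def long_run_test(s):
    """(iv) no run of length 34 or more."""
    return max(length for _, length in run_lengths(s)) < 34


def fips140_1(s):
    """Apply all four tests to a 20000-bit sequence; the generator fails if any test fails."""
    if len(s) != 20000:
        raise ValueError("FIPS 140-1 tests take exactly 20000 bits")
    results = {"monobit": monobit_test(s), "poker": poker_test(s),
               "runs": runs_test(s), "long run": long_run_test(s)}
    return all(results.values()), results


def sample_bits(seed, n=20000):
    """Constructed sample from Python's Mersenne Twister, standing in for a generator under test."""
    return [int(ch) for ch in format(random.Random(seed).getrandbits(n), f"0{n}b")]


if __name__ == "__main__":
    for name, bits in [("MT19937 seed 12345", sample_bits(12345)),
                       ("all zeros", [0] * 20000),
                       ("alternating 0101...", [0, 1] * 10000)]:
        ok, res = fips140_1(bits)
        print(f"{name}: {'PASS' if ok else 'FAIL'} {res}")
```

The alternating string is the instructive case: it passes the monobit and long-run tests (exactly 10000 ones, no run longer than 1) and is caught only by the poker and runs tests, which is why FIPS 140-1 requires all four to pass rather than any one of them.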


5.4.5  Maurer’s  universal  statistical  test 

The basic idea behind Maurer's universal statistical test is that it should not be possible to significantly compress (without loss of information) the output sequence of a random bit generator. Thus, if a sample output sequence $s$ of a bit generator can be significantly compressed, the generator should be rejected as being defective. Instead of actually compressing the sequence $s$, the universal statistical test computes a quantity that is related to the length of the compressed sequence.

The universality of Maurer's universal statistical test arises because it is able to detect any one of a very general class of possible defects a bit generator might have. This class includes the five defects that are detectable by the basic tests of §5.4.4. A drawback of the universal statistical test over the five basic tests is that it requires a much longer sample output sequence in order to be effective. Provided that the required output sequence can be efficiently generated, this drawback is not a practical concern since the universal statistical test itself is very efficient.

Algorithm 5.33 computes the statistic $X_u$ for a sample output sequence $s = s_0, s_1, \ldots, s_{n-1}$ to be used in the universal statistical test. The parameter $L$ is first chosen from the interval $[6, 16]$. The sequence $s$ is then partitioned into non-overlapping $L$-bit blocks, with any leftover bits discarded; the total number of blocks is $Q + K$, where $Q$ and $K$ are defined below. For each $i$, $1 \leq i \leq Q + K$, let $b_i$ be the integer whose binary representation is the $i$th block. The blocks are scanned in order. A table $T$ is maintained so that at each stage $T[j]$ is the position of the last occurrence of the block corresponding to integer $j$, $0 \leq j \leq 2^L - 1$. The first $Q$ blocks of $s$ are used to initialize table $T$; $Q$ should be chosen to be at least $10 \cdot 2^L$ in order to have a high likelihood that each of the $2^L$ $L$-bit blocks occurs at least once in the first $Q$ blocks. The remaining $K$ blocks are used to define the statistic $X_u$ as follows. For each $i$, $Q + 1 \leq i \leq Q + K$, let $A_i = i - T[b_i]$; $A_i$ is the number of positions since the last occurrence of block $b_i$. Then

$$X_u = \frac{1}{K} \sum_{i=Q+1}^{Q+K} \lg A_i. \qquad (5.6)$$

$K$ should be at least $1000 \cdot 2^L$ (and, hence, the sample sequence $s$ should be at least $(1010 \cdot 2^L \cdot L)$ bits in length). Table 5.3 lists the mean $\mu$ and variance $\sigma^2$ of $X_u$ for random sequences for some sample choices of $L$ as $Q \to \infty$.

 L        μ         σ²          L        μ         σ²
 1    0.7326495   0.690         9    8.1764248   3.311
 2    1.5374383   1.338        10    9.1723243   3.356
 3    2.4016068   1.901        11   10.170032    3.384
 4    3.3112247   2.358        12   11.168765    3.401
 5    4.2534266   2.705        13   12.168070    3.410
 6    5.2177052   2.954        14   13.167693    3.416
 7    6.1962507   3.125        15   14.167488    3.419
 8    7.1836656   3.238        16   15.167379    3.421

Table 5.3: Mean $\mu$ and variance $\sigma^2$ of the statistic $X_u$ for random sequences, with parameters $L$, $K$ as $Q \to \infty$. The variance of $X_u$ is $\sigma^2 = c(L, K)^2 \cdot \sigma^2 / K$, where $c(L, K) \approx 0.7 - (0.8/L) + (1.6 + (12.8/L)) \cdot K^{-4/L}$ for $K \geq 2^L$.


5.33  Algorithm  Computing  the  statistic  X,,  for  Maurer's  universal  statistical  test 

INPUT;  a binary  sequence  s = so,  «i,  ■ ■ ■ , sn  i of  length  n,  and  parameters  L,  Q,  K. 
OUTPUT:  the  value  of  the  statistic  Xu  for  the  sequence  s. 

1.  Zero  the  table  T.  For  j from  0 to  2L  — 1 do  the  following:  T\j\+- 0. 

2.  Initialize  the  table  T.  For  i from  1 to  Q do  the  following:  i. 

3.  sum<s—  0. 

4.  For  i from  O ■ 1 to  Q -+  K do  the  following: 

4.1  sum-*—  sum  + lg(i  — T[bj]). 

4.2  T[bi\<^i. 

5.  Xu<—  sum/A'. 

6.  Return(Xu). 


Maurer's universal statistical test uses the computed value of X_u for the sample output
sequence s in the manner prescribed by Fact 5.34. To test the sequence s, a two-sided test
should be used with a significance level α between 0.001 and 0.01 (see §5.4.2).

5.34 Fact Let X_u be the statistic defined in (5.6) having mean μ and variance σ² as given in
Table 5.3. Then, for random sequences, the statistic Z_u = (X_u − μ)/σ approximately
follows an N(0, 1) distribution.
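The following Python implementation of Algorithm 5.33 and of the decision rule of Fact 5.34 is an added example; it is not part of the handbook. It assumes the sample sequence is given as a string of '0'/'1' characters, that the caller supplies the mean μ and standard deviation σ of X_u for the chosen L from Table 5.3 (the table is not reproduced here), and that 2.576 is used as the two-sided N(0, 1) threshold for α = 0.01. The sequence in the main block is constructed, with Q and K far below the minimums the text prescribes, so that every table update can be followed by hand.

```python
import math


def blocks_of(bits, L):
    """Non-overlapping L-bit blocks of a 0/1 string as integers b_1, b_2, ...;
    leftover bits at the end are discarded, as the text requires."""
    return [int(bits[i:i + L], 2) for i in range(0, len(bits) - L + 1, L)]


def maurer_statistic(bits, L, Q, K):
    """Algorithm 5.33: the statistic X_u over the first Q + K L-bit blocks of `bits`."""
    b = blocks_of(bits, L)
    if len(b) < Q + K:
        raise ValueError("sequence must contain at least (Q + K) * L bits")
    T = [0] * (1 << L)                       # step 1: T[j] <- 0 for 0 <= j <= 2^L - 1
    for i in range(1, Q + 1):                # step 2: initialize with the first Q blocks
        T[b[i - 1]] = i                      # positions are 1-based, as in the algorithm
    total = 0.0                              # step 3
    for i in range(Q + 1, Q + K + 1):        # step 4
        total += math.log2(i - T[b[i - 1]])  # 4.1: lg A_i with A_i = i - T[b_i]
        T[b[i - 1]] = i                      # 4.2
    return total / K                         # step 5


def recommended_minimums(L):
    """Parameter sizes the text prescribes: Q >= 10 * 2^L, K >= 1000 * 2^L,
    and hence at least 1010 * 2^L * L sample bits."""
    return 10 << L, 1000 << L, (1010 << L) * L


def maurer_test(bits, L, Q, K, mu, sigma, z_crit=2.576):
    """Fact 5.34: Z_u = (X_u - mu) / sigma is approximately N(0, 1) for random sequences.
    mu and sigma are the tabulated mean and standard deviation of X_u for the chosen L
    (Table 5.3, supplied by the caller). z_crit = 2.576 is the two-sided N(0, 1)
    threshold for alpha = 0.01; the sequence is accepted iff |Z_u| <= z_crit."""
    x_u = maurer_statistic(bits, L, Q, K)
    z_u = (x_u - mu) / sigma
    return x_u, z_u, abs(z_u) <= z_crit


if __name__ == "__main__":
    # Constructed 16-bit sequence with L = 2, Q = 4, K = 4 (far below the recommended
    # minimums, but small enough to follow by hand). Blocks: 00 01 10 11 | 01 01 11 00.
    # After initialization T = [1, 2, 3, 4]; then A_5 = 3, A_6 = 1, A_7 = 3, A_8 = 7,
    # so X_u = (lg 3 + lg 1 + lg 3 + lg 7) / 4, approximately 1.4943.
    s = "0001101101011100"
    print("X_u =", maurer_statistic(s, 2, 4, 4))
    print("minimum (Q, K, n) for L = 8:", recommended_minimums(8))
```

Note that a block which never occurred among the first Q blocks has T[b_i] = 0, so the algorithm charges lg i for it; choosing Q ≥ 10 · 2^L is what makes this case rare.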


5.5  Cryptographically  secure  pseudorandom  bit 
generation 

Two  cryptographically  secure  pseudorandom  bit  generators  (CSPRBG  - see  Definition  5.8) 
are  presented  in  this  section.  The  security  of  each  generator  relies  on  the  presumed  in- 
tractability of  an  underlying  number-theoretic  problem.  The  modular  multiplications  that 
these  generators  use  make  them  relatively  slow  compared  to  the  (ad-hoc)  pseudorandom 
bit  generators  of  §5.3.  Nevertheless  they  may  be  useful  in  some  circumstances,  for  exam- 
ple, generating  pseudorandom  bits  on  hardware  devices  which  already  have  the  circuitry  for 
performing  modular  multiplications.  Efficient  techniques  for  implementing  modular  mul- 
tiplication are  presented  in  §14.3. 


5.5.1  RSA  pseudorandom  bit  generator 

The  RSA  pseudorandom  bit  generator  is  a CSPRBG  under  the  assumption  that  the  RSA 
problem  is  intractable  (§3.3;  see  also  §3.9.2). 


5.35 Algorithm RSA pseudorandom bit generator

SUMMARY: a pseudorandom bit sequence z_1, z_2, ..., z_l of length l is generated.

1. Setup. Generate two secret RSA-like primes p and q (cf. Note 8.8), and compute n = pq
and φ = (p − 1)(q − 1). Select a random integer e, 1 < e < φ, such that gcd(e, φ) = 1.

2. Select a random integer x_0 (the seed) in the interval [1, n − 1].

3. For i from 1 to l do the following:

3.1 x_i ← x_{i−1}^e mod n.

3.2 z_i ← the least significant bit of x_i.

4. The output sequence is z_1, z_2, ..., z_l.


5.36 Note (efficiency of the RSA PRBG) If e = 3 is chosen (cf. Note 8.9(ii)), then generating
each pseudorandom bit z_i requires one modular multiplication and one modular squaring.
The efficiency of the generator can be improved by extracting the j least significant bits
of x_i in step 3.2, where j = c lg lg n and c is a constant. Provided that n is sufficiently
large, this modified generator is also cryptographically secure (cf. Fact 3.87). For a
modulus n of a fixed bitlength (e.g., 1024 bits), an explicit range of values of c for which the
resulting generator remains cryptographically secure (cf. Remark 5.9) under the
intractability assumption of the RSA problem has not been determined.

The following modification improves the efficiency of the RSA PRBG.

5.37 Algorithm Micali-Schnorr pseudorandom bit generator

SUMMARY: a pseudorandom bit sequence is generated.

1. Setup. Generate two secret RSA-like primes p and q (cf. Note 8.8), and compute n = pq
and φ = (p − 1)(q − 1). Let N = ⌊lg n⌋ + 1 (the bitlength of n). Select an integer
e, 1 < e < φ, such that gcd(e, φ) = 1 and 80e ≤ N. Let k = ⌊N(1 − 2/e)⌋ and
r = N − k.

2. Select a random sequence x_0 (the seed) of bitlength r.

3. Generate a pseudorandom sequence of length k · l. For i from 1 to l do the following:

3.1 y_i ← x_{i−1}^e mod n.

3.2 x_i ← the r most significant bits of y_i.

3.3 z_i ← the k least significant bits of y_i.

4. The output sequence is z_1 ‖ z_2 ‖ ··· ‖ z_l, where ‖ denotes concatenation.


5.38 Note (efficiency of the Micali-Schnorr PRBG) Algorithm 5.37 is more efficient than the
RSA PRBG since ⌊N(1 − 2/e)⌋ bits are generated per exponentiation by e. For example,
if e = 3 and N = 1024, then k = 341 bits are generated per exponentiation. Moreover,
each exponentiation requires only one modular squaring of an r = 683-bit number, and one
modular multiplication.

5.39 Note (security of the Micali-Schnorr PRBG) Algorithm 5.37 is cryptographically secure
under the assumption that the following is true: the distribution x^e mod n for random r-bit
sequences x is indistinguishable by all polynomial-time statistical tests from the uniform
distribution of integers in the interval [0, n − 1]. This assumption is stronger than requiring
that the RSA problem be intractable.


5.5.2  Blum-Blum-Shub  pseudorandom  bit  generator 

The Blum-Blum-Shub pseudorandom bit generator (also known as the x^2 mod n generator
or the BBS generator) is a CSPRBG under the assumption that integer factorization is
intractable (§3.2). It forms the basis for the Blum-Goldwasser probabilistic public-key
encryption scheme (Algorithm 8.56).


5.40 Algorithm Blum-Blum-Shub pseudorandom bit generator

SUMMARY: a pseudorandom bit sequence z_1, z_2, ..., z_l of length l is generated.

1. Setup. Generate two large secret random (and distinct) primes p and q (cf. Note 8.8),
each congruent to 3 modulo 4, and compute n = pq.

2. Select a random integer s (the seed) in the interval [1, n − 1] such that gcd(s, n) = 1,
and compute x_0 ← s^2 mod n.

3. For i from 1 to l do the following:

3.1 x_i ← x_{i−1}^2 mod n.

3.2 z_i ← the least significant bit of x_i.

4. The output sequence is z_1, z_2, ..., z_l.
5.41 Note (efficiency of the Blum-Blum-Shub PRBG) Generating each pseudorandom bit z_i
requires one modular squaring. The efficiency of the generator can be improved by extracting
the j least significant bits of x_i in step 3.2, where j = c lg lg n and c is a constant. Provided
that n is sufficiently large, this modified generator is also cryptographically secure. For a
modulus n of a fixed bitlength (e.g., 1024 bits), an explicit range of values of c for which
the resulting generator is cryptographically secure (cf. Remark 5.9) under the intractability
assumption of the integer factorization problem has not been determined.
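The following Python code is an added example, not part of the handbook, implementing Algorithms 5.35 (RSA PRBG), 5.37 (Micali-Schnorr) and 5.40 (Blum-Blum-Shub) side by side so that their state update and output extraction can be compared. It assumes a Miller-Rabin prime generator written for this example (the handbook's own prime generation is the subject of Chapter 4), a caller-supplied seed for reproducibility, and two constructed toy moduli, n = 143 = 11 · 13 and n = 77 = 7 · 11, that are far too small for any security but let the reader verify each exponentiation by hand. The toy Micali-Schnorr run cannot satisfy 80e ≤ N, so the size check is switched off for it only; the realistic run uses two 128-bit primes, for which N ≥ 255 ≥ 80e with e = 3.

```python
import math
import random


# Helper (not from the handbook): Miller-Rabin probable-prime test and prime generation,
# used only to build the moduli that the three generators below are run on.
def is_probable_prime(n, rng, rounds=32):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng, blum=False):
    """Random probable prime of exactly `bits` bits; blum=True forces p ≡ 3 (mod 4)."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | (3 if blum else 1)
        if is_probable_prime(p, rng):
            return p


def rsa_setup(bits, seed, e=3):
    """Step 1 of Algorithms 5.35 and 5.37: n = pq with gcd(e, (p-1)(q-1)) = 1.
    `seed` only makes the demonstration reproducible; a deployed generator draws
    its primes and its seed from a true random source."""
    rng = random.Random(seed)
    while True:
        p, q = random_prime(bits, rng), random_prime(bits, rng)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return p * q, e


def rsa_prbg(n, e, x0, l):
    """Algorithm 5.35: x_i = x_{i-1}^e mod n, z_i = least significant bit of x_i."""
    x, z = x0, []
    for _ in range(l):
        x = pow(x, e, n)
        z.append(x & 1)
    return z


def micali_schnorr_prbg(n, e, x0, l, enforce_size=True):
    """Algorithm 5.37: each exponentiation yields k output bits and an r-bit next state.
    enforce_size=False is for toy moduli only; real parameters must satisfy 80e <= N."""
    N = n.bit_length()                       # N = floor(lg n) + 1
    if enforce_size and 80 * e > N:
        raise ValueError("modulus too small for this e: need 80e <= N")
    k = (N * (e - 2)) // e                   # k = floor(N(1 - 2/e)) in exact integer arithmetic
    r = N - k
    if not 0 < x0 < (1 << r):
        raise ValueError("seed must be an r-bit value")
    x, out = x0, []
    for _ in range(l):
        y = pow(x, e, n)                     # step 3.1
        x = y >> k                           # step 3.2: the r most significant bits of the N-bit y_i
        out.append(format(y & ((1 << k) - 1), "0%db" % k))   # step 3.3: k least significant bits
    return "".join(out)


def bbs_setup(bits, seed):
    """Step 1 of Algorithm 5.40: n = pq with p, q distinct primes congruent to 3 mod 4."""
    rng = random.Random(seed)
    while True:
        p, q = random_prime(bits, rng, blum=True), random_prime(bits, rng, blum=True)
        if p != q:
            return p * q


def bbs_prbg(n, s, l):
    """Algorithm 5.40: x_0 = s^2 mod n, x_i = x_{i-1}^2 mod n, z_i = least significant bit of x_i."""
    if not (1 <= s <= n - 1 and math.gcd(s, n) == 1):
        raise ValueError("seed must lie in [1, n-1] and be coprime to n")
    x, z = pow(s, 2, n), []
    for _ in range(l):
        x = pow(x, 2, n)
        z.append(x & 1)
    return z


if __name__ == "__main__":
    # Toy moduli (constructed; far too small for any security) so the steps can be checked by hand.
    print("RSA PRBG,       n=143, e=7, x0=2:", rsa_prbg(143, 7, 2, 3))
    print("Micali-Schnorr, n=143, e=7, x0=6:", micali_schnorr_prbg(143, 7, 6, 3, enforce_size=False))
    print("BBS,            n=77,  s=3:      ", bbs_prbg(77, 3, 6))
    # Realistic-size moduli (two 128-bit primes, so N >= 255 >= 80e for e = 3).
    n, e = rsa_setup(128, seed=1)
    print("Micali-Schnorr, 255/256-bit n, first 64 output bits:", micali_schnorr_prbg(n, e, 12345, 2)[:64])
    print("BBS, 255/256-bit n, 32 bits:", bbs_prbg(bbs_setup(128, seed=2), 3, 32))
```

On the toy modulus n = 143 with e = 7 and seed x_0 = 2, the RSA PRBG visits x_1 = 128, x_2 = 28, x_3 = 63 and outputs 0, 0, 1. For Micali-Schnorr with N = 8 the parameters are k = ⌊8 · 5/7⌋ = 5 and r = 3; from the seed x_0 = 6 the values y_1 = 85, y_2 = 128, y_3 = 82 give the output 10101 ‖ 00000 ‖ 10010 and the states x_1 = 2, x_2 = 4, x_3 = 2. The BBS example with n = 77 and s = 3 cycles through x = 4, 16, 25, 9, ... and emits 0, 0, 1, 1, 0, 0; such short cycles are a feature of the toy size only.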


5.6  Notes  and  further  references 

§5.1 

Chapter  3 of  Knuth  [692]  is  the  definitive  reference  for  the  classic  (non-cryptographic)  gen- 
eration of  pseudorandom  numbers.  Knuth  [692,  pp.  142-166]  contains  an  extensive  discus- 
sion of  what  it  means  for  a sequence  to  be  random.  Lagarias  [724]  gives  a survey  of  theo- 
retical results  on  pseudorandom  number  generators.  Luby  [774]  provides  a comprehensive 
and  rigorous  overview  of  pseudorandom  generators. 

For a study of linear congruential generators (Example 5.4), see Knuth [692, pp. 9-25].
Plumstead/Boyar [979, 980] showed how to predict the output of a linear congruential
generator given only a few elements of the output sequence, and when the parameters a, b,
and m of the generator are unknown. Boyar [180] extended her method and showed that
linear multivariate congruential generators (having recurrence equation x_n = a_1 x_{n−1} +
a_2 x_{n−2} + ··· + a_l x_{n−l} + b mod m), and quadratic congruential generators (having
recurrence equation x_n = a x_{n−1}^2 + b x_{n−1} + c mod m) are cryptographically insecure. Finally,
Krawczyk [713] generalized these results and showed how the output of any multivariate
polynomial congruential generator can be efficiently predicted. A truncated linear congruential
generator is one where a fraction of the least significant bits of the x_i are discarded.
Frieze et al. [427] showed that these generators can be efficiently predicted if the generator
parameters a, b, and m are known. Stern [1173] extended this method to the case where
only m is known. Boyar [179] presented an efficient algorithm for predicting linear congruential
generators when O(log log m) bits are discarded, and when the parameters a, b, and
m are unknown. No efficient prediction algorithms are known for truncated multivariate
polynomial congruential generators. For a summary of cryptanalytic attacks on congruential
generators, see Brickell and Odlyzko [209, pp. 523-526].

For a formal definition of a statistical test (Definition 5.5), see Yao [1258]. Fact 5.7 on
the universality of the next-bit test is due to Yao [1258]. For a proof of Yao's result, see
Kranakis [710] and §12.2 of Stinson [1178]. A proof of a generalization of Yao's result
is given by Goldreich, Goldwasser, and Micali [468]. The notion of a cryptographically
secure pseudorandom bit generator (Definition 5.8) was introduced by Blum and Micali
[166]. Blum and Micali also gave a formal description of the next-bit test (Definition 5.6),
and presented the first cryptographically secure pseudorandom bit generator whose security
is based on the discrete logarithm problem (see page 189). Universal tests were presented
by Schrift and Shamir [1103] for verifying the assumed properties of a pseudorandom
generator whose output sequences are not necessarily uniformly distributed.

The first provably secure pseudorandom number generator was proposed by Shamir [1112].
Shamir proved that predicting the next number of an output sequence of this generator is
equivalent to inverting the RSA function. However, even though the numbers as a whole
may be unpredictable, certain parts of the number (for example, its least significant bit) may
be biased or predictable. Hence, Shamir's generator is not cryptographically secure in the
sense of Definition 5.8.

Agnew  [17]  proposed  a VLSI  implementation  of  a random  bit  generator  consisting  of  two 
identical  metal  insulator  semiconductor  capacitors  close  to  each  other.  The  cells  are  charged 
over  the  same  period  of  time,  and  then  a 1 or  0 is  assigned  depending  on  which  cell  has 
a greater  charge.  Fairfield,  Mortenson,  and  Coulthart  [382]  described  an  LSI  random  bit 
generator  based  on  the  frequency  instability  of  a free  running  oscillator.  Davis,  Ihaka,  and 
Fenstermacher  [309]  used  the  unpredictability  of  air  turbulence  occurring  in  a sealed  disk 
drive  as  a random  bit  generator.  The  bits  are  extracted  by  measuring  the  variations  in  the 
time  to  access  disk  blocks.  Fast  Fourier  Transform  (FFT)  techniques  are  then  used  to  re- 
move possible  biases  and  correlations.  A sample  implementation  generated  100  random 
bits per minute. For further guidance on hardware and software-based techniques for
generating random bits, see RFC 1750 [1043].

The de-skewing technique of Example 5.10 is due to von Neumann [1223]. Elias [370]
generalized von Neumann's technique to a more efficient scheme (one where fewer bits
are discarded). Fast Fourier Transform techniques for removing biases and correlations are
described by Brillinger [213]. For further ways of removing correlations, see Blum [161],
Santha and Vazirani [1091], Vazirani [1217], and Chor and Goldreich [258].

The idea of using a one-way function f for generating pseudorandom bit sequences is due to
Shamir [1112]. Shamir illustrated why it is difficult to prove that such ad-hoc generators are
cryptographically secure without imposing some further assumptions on f. Algorithm 5.11
is from Appendix C of the ANSI X9.17 standard [37]; it is one of the approved methods for
pseudorandom bit generation listed in FIPS 186 [406]. Meyer and Matyas [859, pp. 316-317]
describe another DES-based pseudorandom bit generator whose output is intended for
use as data-encrypting keys. The four algorithms of §5.3.2 for generating DSA parameters
are from FIPS 186.

Standard  references  on  statistics  include  Hogg  and  Tanis  [559]  and  Wackerly,  Mendenhall, 
and  Scheaffer  [1226].  Tables  5.1  and  5.2  were  generated  using  the  Maple  symbolic  algebra 
system  [240].  Golomb’s  randomness  postulates  (§5.4.3)  were  proposed  by  Golomb  [498]. 

The five statistical tests for local randomness outlined in §5.4.4 are from Beker and Piper
[84]. The serial test (§5.4.4(ii)) is due to Good [508]. It was generalized to subsequences of
length greater than 2 by Marsaglia [782] who called it the overlapping m-tuple test, and later
by Kimberley [674] who called it the generalized serial test. The underlying distribution
theories of the serial test and the runs test (§5.4.4(iv)) were analyzed by Good [507] and
Mood [897], respectively. Gustafson [531] considered alternative statistics for the runs test
and the autocorrelation test (§5.4.4(v)).

There are numerous other statistical tests of local randomness. Many of these tests, including
the gap test, coupon collector's test, permutation test, run test, maximum-of-t test, collision
test, serial test, correlation test, and spectral test are described by Knuth [692]. The
poker test as formulated by Knuth [692, p. 62] is quite different from that of §5.4.4(iii). In
the former, a sample sequence is divided into m-bit blocks, each of which is further subdivided
into l-bit sub-blocks (for some divisor l of m). The number of m-bit blocks having r
distinct l-bit sub-blocks (1 ≤ r ≤ m/l) is counted and compared to the corresponding expected
numbers for random sequences. Erdmann [372] gives a detailed exposition of many
of these tests, and applies them to sample output sequences of six pseudorandom bit generators.
Gustafson et al. [533] describe a computer package which implements various statistical
tests for assessing the strength of a pseudorandom bit generator. Gustafson, Dawson,
and Golić [532] proposed a new repetition test which measures the number of repetitions of
l-bit blocks. The test requires a count of the number of patterns repeated, but does not require
the frequency of each pattern. For this reason, it is feasible to apply this test for larger
values of l (e.g., l = 64) than would be permissible by the poker test or Maurer's universal
statistical test (Algorithm 5.33). Two spectral tests have been developed, one based on the
discrete Fourier transform by Gait [437], and one based on the Walsh transform by Yuen
[1260]. For extensions of these spectral tests, see Erdmann [372] and Feldman [389].

FIPS  140-1  [401]  specifies  security  requirements  for  the  design  and  implementation  of 
cryptographic  modules,  including  random  and  pseudorandom  bit  generators,  for  protecting 
(U.S.  government)  unclassified  information. 

The  universal  statistical  test  (Algorithm  5.33)  is  due  to  Maurer  [813]  and  was  motivated  by 
source  coding  algorithms  of  Elias  [371]  and  Willems  [1245].  The  class  of  defects  that  the 
test  is  able  to  detect  consists  of  those  that  can  be  modeled  by  an  ergodic  stationary  source 
with  limited  memory;  Maurer  argues  that  this  class  includes  the  possible  defects  that  could 
occur  in  a practical  implementation  of  a random  bit  generator.  Table  5.3  is  due  to  Maurer 
[813],  who  provides  derivations  of  formulae  for  the  mean  and  variance  of  the  statistic  Xu . 

Blum and Micali [166] presented the following general construction for CSPRBGs. Let D
be a finite set, and let f : D → D be a permutation that can be efficiently computed. Let
B : D → {0, 1} be a Boolean predicate with the property that B(x) is hard to compute
given only x ∈ D, however, B(x) can be efficiently computed given y = f^{−1}(x). The
output sequence z_1, z_2, ..., z_l corresponding to a seed x_0 ∈ D is obtained by computing
x_i = f(x_{i−1}), z_i = B(x_i), for 1 ≤ i ≤ l. This generator can be shown to pass the
next-bit test (Definition 5.6). Blum and Micali [166] proposed the first concrete instance of
a CSPRBG, called the Blum-Micali generator. Using the notation introduced above, their
method can be described as follows. Let p be a large prime, and α a generator of Z_p^*. Define
D = Z_p^* = {1, 2, ..., p − 1}. The function f : D → D is defined by f(x) = α^x mod p.
The function B : D → {0, 1} is defined by B(x) = 1 if 0 ≤ log_α x < (p − 1)/2, and
B(x) = 0 if log_α x ≥ (p − 1)/2. Assuming the intractability of the discrete logarithm problem
in Z_p^* (§3.6; see also §3.9.1), the Blum-Micali generator was proven to satisfy the next-bit
test. Long and Wigderson [772] improved the efficiency of the Blum-Micali generator
by simultaneously extracting O(lg lg p) bits (cf. §3.9.1) from each x_i. Kaliski [650, 651]
modified the Blum-Micali generator so that the security depends on the discrete logarithm
problem in the group of points on an elliptic curve defined over a finite field.
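The following Python code is an added example of the Blum-Micali generator just described; it is not from the handbook or from Blum and Micali's paper. The point it makes concrete is the asymmetry in the predicate B: the generator evaluates B(x_i) from the preimage x_{i−1} = f^{−1}(x_i) it already holds (since log_α x_i = x_{i−1} mod (p − 1)), while anyone holding only x_i would have to compute a discrete logarithm. The prime p = 11 with generator α = 2 and the seed x_0 = 5 are constructed toy parameters chosen so that a brute-force discrete logarithm is feasible for the cross-check.

```python
def blum_micali_bits(p, alpha, x0, l):
    """Blum-Micali generator: x_i = alpha^{x_{i-1}} mod p, z_i = B(x_i), where
    B(x) = 1 iff 0 <= log_alpha(x) < (p-1)/2. No discrete logarithm is ever solved here:
    log_alpha(x_i) = x_{i-1} mod (p-1), i.e. y = f^{-1}(x_i) is the value just used."""
    if not 1 <= x0 <= p - 1:
        raise ValueError("seed must lie in Z_p^*")
    half = (p - 1) // 2
    x, z = x0, []
    for _ in range(l):
        y = x % (p - 1)                   # log_alpha of the element about to be produced
        x = pow(alpha, x, p)              # x_i = f(x_{i-1})
        z.append(1 if y < half else 0)    # z_i = B(x_i), evaluated from the preimage y
    return z


def discrete_log_bruteforce(p, alpha, x):
    """Exhaustive search; feasible only for a toy p. An observer holding x_i alone would
    have to solve this to learn z_i, which the discrete logarithm assumption rules out."""
    a = 1
    for y in range(p - 1):
        if a == x:
            return y
        a = a * alpha % p
    raise ValueError("alpha is not a generator, or x is not in Z_p^*")


def predicate_via_dlog(p, alpha, x):
    """B(x) evaluated the hard way, directly from its definition."""
    return 1 if discrete_log_bruteforce(p, alpha, x) < (p - 1) // 2 else 0


def preimage_and_dlog_agree(p, alpha, x0, l):
    """Cross-check on a toy prime: the cheap preimage computation inside the generator
    and the brute-force discrete logarithm give the same output bits."""
    x, expected = x0, []
    for _ in range(l):
        x = pow(alpha, x, p)
        expected.append(predicate_via_dlog(p, alpha, x))
    return blum_micali_bits(p, alpha, x0, l) == expected


if __name__ == "__main__":
    # p = 11 with generator alpha = 2 and seed x0 = 5 (constructed toy parameters).
    print(blum_micali_bits(11, 2, 5, 6))          # [0, 1, 1, 1, 1, 0]
    print(preimage_and_dlog_agree(11, 2, 5, 6))   # True
```

With these parameters the states are x_1 = 10, x_2 = 1, x_3 = 2, x_4 = 4, x_5 = 5, x_6 = 10, whose logarithms to the base 2 are 5, 0, 1, 2, 4, 5; comparing each with (p − 1)/2 = 5 gives the output 0, 1, 1, 1, 1, 0. The state x = p − 1 has logarithm 0 because α^{p−1} = 1, which is why the generator reduces the preimage modulo p − 1.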

The RSA pseudorandom bit generator (Algorithm 5.35) and the improvement mentioned
in Note 5.36 are due to Alexi et al. [23]. The Micali-Schnorr improvement of the RSA
PRBG (Algorithm 5.37) is due to Micali and Schnorr [867], who also described a method
that transforms any CSPRBG into one that can be accelerated by parallel evaluation. The
method of parallelization is perfect: m parallel processors speed the generation of
pseudorandom bits by a factor of m.

Algorithm 5.40 is due to Blum, Blum, and Shub [160], who showed that their pseudorandom
bit generator is cryptographically secure assuming the intractability of the quadratic
residuosity problem (§3.4). Vazirani and Vazirani [1218] established a stronger result
regarding the security of this generator by proving it cryptographically secure under the
weaker assumption that integer factorization is intractable. The improvement mentioned in
Note 5.41 is due to Vazirani and Vazirani. Alexi et al. [23] proved analogous results for the
modified-Rabin generator, which differs as follows from the Blum-Blum-Shub generator:
in step 3.1 of Algorithm 5.40, let x = x_{i−1}^2 mod n; if x < n/2, then x_i = x; otherwise,
x_i = n − x.

Impagliazzo  and  Naor  [569]  devised  efficient  constructions  for  a CSPRBG  and  for  a univer- 
sal one-way  hash  function  which  are  provably  as  secure  as  the  subset  sum  problem.  Fischer 
and  Stern  [411]  presented  a simple  and  efficient  CSPRBG  which  is  provably  as  secure  as 
the  syndrome  decoding  problem. 

Yao  [1258]  showed  how  to  obtain  a CSPRBG  using  any  one-way  permutation.  Levin  [761] 
generalized  this  result  and  showed  how  to  obtain  a CSPRBG  using  any  one-way  function. 
For  further  refinements,  see  Goldreich,  Krawczyk,  and  Luby  [470],  Impagliazzo,  Levin, 
and  Luby  [568],  and  Hastad  [545]. 

A random function f : {0, 1}^n → {0, 1}^n is a function which assigns independent and random
values f(x) ∈ {0, 1}^n to all arguments x ∈ {0, 1}^n. Goldreich, Goldwasser, and
Micali [468] introduced a computational complexity measure of the randomness of functions.
They defined a function to be poly-random if no polynomial-time algorithm can distinguish
between values of the function and true random strings, even when the algorithm
is permitted to select the arguments to the function. Goldreich, Goldwasser, and Micali
presented an algorithm for constructing poly-random functions assuming the existence of
one-way functions. This theory was applied by Goldreich, Goldwasser, and Micali [467]
to develop provably secure protocols for the (essentially) storageless distribution of secret
identification numbers, message authentication with timestamping, dynamic hashing, and
identify friend or foe systems. Luby and Rackoff [776] showed how poly-random permutations
can be efficiently constructed from poly-random functions. This result was used,
together with some of the design principles of DES, to show how any CSPRBG can be
used to construct a symmetric-key block cipher which is provably secure against chosen-plaintext
attack. A simplified and generalized treatment of Luby and Rackoff's construction
was given by Maurer [816].

Schnorr  [1096]  used  Luby  and  Rackoff's  poly-random  permutation  generator  to  construct 
a pseudorandom  bit  generator  that  was  claimed  to  pass  all  statistical  tests  depending  only 
on  a small  fraction  of  the  output  sequence,  even  when  infinite  computational  resources  are 
available.  Rueppel  [1079]  showed  that  this  claim  is  erroneous,  and  demonstrated  that  the 
generator  can  be  distinguished  from  a truly  random  bit  generator  using  only  a small  num- 
ber of  output  bits.  Maurer  and  Massey  [821]  extended  Schnorr’s  work,  and  proved  the  ex- 
istence of  pseudorandom  bit  generators  that  pass  all  statistical  tests  depending  only  on  a 
small  fraction  of  the  output  sequence,  even  when  infinite  computational  resources  are  avail- 
able. The  security  of  the  generators  does  not  rely  on  any  unproved  hypothesis,  but  rather 
on  the  assumption  that  the  adversary  can  access  only  a limited  number  of  bits  of  the  gener- 
ated sequence.  This  work  is  primarily  of  theoretical  interest  since  no  such  polynomial-time 
generators  are  known. 
6.1 Introduction

Stream  ciphers  are  an  important  class  of  encryption  algorithms.  They  encrypt  individual 
characters  (usually  binary  digits)  of  a plaintext  message  one  at  a time,  using  an  encryp- 
tion transformation  which  varies  with  time.  By  contrast,  block  ciphers  (Chapter  7)  tend  to 
simultaneously  encrypt  groups  of  characters  of  a plaintext  message  using  a fixed  encryp- 
tion transformation.  Stream  ciphers  are  generally  faster  than  block  ciphers  in  hardware, 
and  have  less  complex  hardware  circuitry.  They  are  also  more  appropriate,  and  in  some 
cases  mandatory  (e.g.,  in  some  telecommunications  applications),  when  buffering  is  lim- 
ited or  when  characters  must  be  individually  processed  as  they  are  received.  Because  they 
have  limited  or  no  error  propagation,  stream  ciphers  may  also  be  advantageous  in  situations 
where  transmission  errors  are  highly  probable. 

There  is  a vast  body  of  theoretical  knowledge  on  stream  ciphers,  and  various  design 
principles  for  stream  ciphers  have  been  proposed  and  extensively  analyzed.  However,  there 
are  relatively  few  fully-specified  stream  cipher  algorithms  in  the  open  literature.  This  un- 
fortunate state  of  affairs  can  partially  be  explained  by  the  fact  that  most  stream  ciphers  used 
in  practice  tend  to  be  proprietary  and  confidential.  By  contrast,  numerous  concrete  block 
cipher  proposals  have  been  published,  some  of  which  have  been  standardized  or  placed  in 
the  public  domain.  Nevertheless,  because  of  their  significant  advantages,  stream  ciphers  are 
widely  used  today,  and  one  can  expect  increasingly  more  concrete  proposals  in  the  coming 
years. 


Chapter  outline 

The remainder of §6.1 introduces basic concepts relevant to stream ciphers. Feedback shift
registers, in particular linear feedback shift registers (LFSRs), are the basic building block
in most stream ciphers that have been proposed; they are studied in §6.2. Three general
techniques for utilizing LFSRs in the construction of stream ciphers are presented in §6.3: using
a nonlinear combining function on the outputs of several LFSRs (§6.3.1), using a nonlinear
filtering function on the contents of a single LFSR (§6.3.2), and using the output of one
(or more) LFSRs to control the clock of one (or more) other LFSRs (§6.3.3). Two concrete
proposals for clock-controlled generators, the alternating step generator and the shrinking
generator, are presented in §6.3.3. §6.4 presents a stream cipher not based on LFSRs, namely
SEAL. §6.5 concludes with references and further chapter notes.


6.1.1  Classification 

Stream  ciphers  can  be  either  symmetric-key  or  public-key.  The  focus  of  this  chapter  is 
symmetric-key  stream  ciphers;  the  Blum-Goldwasser  probabilistic  public-key  encryption 
scheme  (§8.7.2)  is  an  example  of  a public-key  stream  cipher. 

6.1 Note (block vs. stream ciphers) Block ciphers process plaintext in relatively large blocks
(e.g., n ≥ 64 bits). The same function is used to encrypt successive blocks; thus (pure)
block  ciphers  are  memoryless.  In  contrast,  stream  ciphers  process  plaintext  in  blocks  as 
small  as  a single  bit,  and  the  encryption  function  may  vary  as  plaintext  is  processed;  thus 
stream  ciphers  are  said  to  have  memory.  They  are  sometimes  called  state  ciphers  since 
encryption  depends  on  not  only  the  key  and  plaintext,  but  also  on  the  current  state.  This 
distinction  between  block  and  stream  ciphers  is  not  definitive  (see  Remark  7.25);  adding  a 
small  amount  of  memory  to  a block  cipher  (as  in  the  CBC  mode)  results  in  a stream  cipher 
with  large  blocks. 

(i)  The  one-time  pad 

Recall (Definition 1.39) that a Vernam cipher over the binary alphabet is defined by

c_i = m_i \oplus k_i \quad \text{for } i = 1, 2, 3, \ldots,

where m_1, m_2, m_3, ... are the plaintext digits, k_1, k_2, k_3, ... (the key stream) are the key
digits, c_1, c_2, c_3, ... are the ciphertext digits, and ⊕ is the XOR function (bitwise addition
modulo 2). Decryption is defined by m_i = c_i ⊕ k_i. If the keystream digits are generated
independently and randomly, the Vernam cipher is called a one-time pad, and is unconditionally
secure (§1.13.3(i)) against a ciphertext-only attack. More precisely, if M, C, and
K are random variables respectively denoting the plaintext, ciphertext, and secret key, and
if H() denotes the entropy function (Definition 2.39), then H(M|C) = H(M). Equivalently,
I(M; C) = 0 (see Definition 2.45): the ciphertext contributes no information about
the plaintext.

Shannon proved that a necessary condition for a symmetric-key encryption scheme to
be unconditionally secure is that H(K) ≥ H(M). That is, the uncertainty of the secret
key must be at least as great as the uncertainty of the plaintext. If the key has bitlength k,
and the key bits are chosen randomly and independently, then H(K) = k, and Shannon's
necessary condition for unconditional security becomes k ≥ H(M). The one-time pad is
unconditionally secure regardless of the statistical distribution of the plaintext, and is optimal
in the sense that its key is the smallest possible among all symmetric-key encryption
schemes having this property.

An obvious drawback of the one-time pad is that the key should be as long as the plaintext,
which increases the difficulty of key distribution and key management. This motivates
the design of stream ciphers where the keystream is pseudorandomly generated from
a smaller secret key, with the intent that the keystream appears random to a computationally
bounded adversary. Such stream ciphers do not offer unconditional security (since
H(K) ≪ H(M)), but the hope is that they are computationally secure (§1.13.3(iv)).
Stream ciphers are commonly classified as being synchronous or self-synchronizing.

(ii)  Synchronous  stream  ciphers 

6.2  Definition  A synchronous  stream  cipher  is  one  in  which  the  keystream  is  generated  inde- 
pendently of  the  plaintext  message  and  of  the  ciphertext. 

The encryption process of a synchronous stream cipher can be described by the equations

\sigma_{i+1} = f(\sigma_i, k), \qquad z_i = g(\sigma_i, k), \qquad c_i = h(z_i, m_i),

where σ_0 is the initial state and may be determined from the key k, f is the next-state
function, g is the function which produces the keystream z_i, and h is the output function
which combines the keystream and plaintext m_i to produce ciphertext c_i. The encryption
and decryption processes are depicted in Figure 6.1. The OFB mode of a block cipher (see
§7.2.2(iv)) is an example of a synchronous stream cipher.

Figure 6.1: General model of a synchronous stream cipher. (Panels (i) Encryption and (ii) Decryption; labels: Plaintext m_i, Ciphertext c_i, Key k. The diagram itself is not reproduced here.)


6.3 Note (properties of synchronous stream ciphers)

(i)  synchronization  requirements.  In  a synchronous  stream  cipher,  both  the  sender  and 
receiver  must  be  synchronized  - using  the  same  key  and  operating  at  the  same  posi- 
tion (state)  within  that  key  - to  allow  for  proper  decryption.  If  synchronization  is  lost 
due  to  ciphertext  digits  being  inserted  or  deleted  during  transmission,  then  decryption 
fails  and  can  only  be  restored  through  additional  techniques  for  re-synchronization. 
Techniques  for  re-synchronization  include  re-initialization,  placing  special  markers 
at  regular  intervals  in  the  ciphertext,  or,  if  the  plaintext  contains  enough  redundancy, 
trying  all  possible  keystream  offsets. 

(ii)  no  error  propagation.  A ciphertext  digit  that  is  modified  (but  not  deleted)  during 
transmission  does  not  affect  the  decryption  of  other  ciphertext  digits. 

(iii) active attacks. As a consequence of property (i), the insertion, deletion, or replay
of ciphertext digits by an active adversary causes immediate loss of synchronization,
and hence might possibly be detected by the decryptor. As a consequence of property
(ii), an active adversary might possibly be able to make changes to selected ciphertext
digits, and know exactly what effect these changes have on the plaintext. This illustrates
that additional mechanisms must be employed in order to provide data origin
authentication and data integrity guarantees (see §9.5.4).

Most  of  the  stream  ciphers  that  have  been  proposed  to  date  in  the  literature  are  additive 
stream  ciphers,  which  are  defined  below. 
6.4 Definition A binary additive stream cipher is a synchronous stream cipher in which the keystream, plaintext, and ciphertext digits are binary digits, and the output function $h$ is the XOR function.

Binary additive stream ciphers are depicted in Figure 6.2. Referring to Figure 6.2, the keystream generator is composed of the next-state function $f$ and the function $g$ (see Figure 6.1), and is also known as the running key generator.


Figure 6.2: General model of a binary additive stream cipher. (i) Encryption; (ii) Decryption. Input: plaintext $m_i$; output: ciphertext $c_i$.


(iii)  Self-synchronizing  stream  ciphers 

6.5  Definition  A self-synchronizing  or  asynchronous  stream  cipher  is  one  in  which  the  key- 
stream  is  generated  as  a function  of  the  key  and  a fixed  number  of  previous  ciphertext  digits. 

The encryption function of a self-synchronizing stream cipher can be described by the equations

$$\sigma_i = (c_{i-t}, c_{i-t+1}, \ldots, c_{i-1}),$$

$$z_i = g(\sigma_i, k),$$

$$c_i = h(z_i, m_i),$$

where $\sigma_0 = (c_{-t}, c_{-t+1}, \ldots, c_{-1})$ is the (non-secret) initial state, $k$ is the key, $g$ is the function which produces the keystream $z_i$, and $h$ is the output function which combines the keystream and plaintext $m_i$ to produce ciphertext $c_i$. The encryption and decryption processes are depicted in Figure 6.3. The most common presently-used self-synchronizing stream ciphers are based on block ciphers in 1-bit cipher feedback mode (see §7.2.2(iii)).

Figure 6.3: General model of a self-synchronizing stream cipher. (i) Encryption; (ii) Decryption.
6.6 Note (properties of self-synchronizing stream ciphers)

(i)  self-synchronization.  Self-synchronization  is  possible  if  ciphertext  digits  are  deleted 
or  inserted,  because  the  decryption  mapping  depends  only  on  a fixed  number  of  pre- 
ceding ciphertext  characters.  Such  ciphers  are  capable  of  re-establishing  proper  de- 
cryption automatically  after  loss  of  synchronization,  with  only  a fixed  number  of 
plaintext  characters  unrecoverable. 

(ii) limited error propagation. Suppose that the state of a self-synchronizing stream cipher depends on $t$ previous ciphertext digits. If a single ciphertext digit is modified (or even deleted or inserted) during transmission, then decryption of up to $t$ subsequent ciphertext digits may be incorrect, after which correct decryption resumes.

(iii)  active  attacks.  Property  (ii)  implies  that  any  modification  of  ciphertext  digits  by  an 
active  adversary  causes  several  other  ciphertext  digits  to  be  decrypted  incorrectly, 
thereby  improving  (compared  to  synchronous  stream  ciphers)  the  likelihood  of  being 
detected  by  the  decryptor.  As  a consequence  of  property  (i),  it  is  more  difficult  (than 
for  synchronous  stream  ciphers)  to  detect  insertion,  deletion,  or  replay  of  ciphertext 
digits  by  an  active  adversary.  This  illustrates  that  additional  mechanisms  must  be 
employed  in  order  to  provide  data  origin  authentication  and  data  integrity  guarantees 
(see  §9.5.4). 

(iv)  diffusion  of  plaintext  statistics.  Since  each  plaintext  digit  influences  the  entire  fol- 
lowing ciphertext,  the  statistical  properties  of  the  plaintext  are  dispersed  through  the 
ciphertext.  Hence,  self-synchronizing  stream  ciphers  may  be  more  resistant  than  syn- 
chronous stream  ciphers  against  attacks  based  on  plaintext  redundancy. 
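The behaviour described in Notes 6.3 and 6.6, as an added Python illustration that is not from the Handbook: the keystream function $g$ is a constructed toy built from SHA-256 (not a real cipher), the synchronous variant keeps a counter as its state, and the self-synchronizing variant uses the previous $t = 4$ ciphertext bytes, so a flipped or deleted ciphertext digit can be traced through each decryption.

```python
import hashlib

# Added illustration of Notes 6.3 and 6.6 (not the Handbook's code).  The
# keystream function g is a CONSTRUCTED toy: one keystream digit (a byte) is
# the first byte of SHA-256(key || state).  It is not a real cipher; it only
# stands in for "some function of the key and the state".


def keystream_byte(key: bytes, state: bytes) -> int:
    """Toy g(sigma_i, k): one keystream digit from key and current state."""
    return hashlib.sha256(key + state).digest()[0]


def sync_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Synchronous additive cipher (Definition 6.4): the state sigma_i is a
    counter that never depends on the ciphertext, and h is XOR."""
    return bytes(m ^ keystream_byte(key, i.to_bytes(8, "big"))
                 for i, m in enumerate(plaintext))


sync_decrypt = sync_encrypt  # XOR is its own inverse


def selfsync_encrypt(key: bytes, plaintext: bytes, t: int = 4) -> bytes:
    """Self-synchronizing cipher (Definition 6.5): sigma_i is the previous t
    ciphertext digits; sigma_0 is the non-secret all-zero state."""
    state, out = bytes(t), bytearray()
    for m in plaintext:
        c = m ^ keystream_byte(key, state)
        out.append(c)
        state = (state + bytes([c]))[-t:]
    return bytes(out)


def selfsync_decrypt(key: bytes, ciphertext: bytes, t: int = 4) -> bytes:
    """Decryption rebuilds sigma_i from the *received* ciphertext digits."""
    state, out = bytes(t), bytearray()
    for c in ciphertext:
        out.append(c ^ keystream_byte(key, state))
        state = (state + bytes([c]))[-t:]
    return bytes(out)


def flip_digit(ct: bytes, i: int) -> bytes:
    """Channel error of Notes 6.3(ii)/6.6(ii): digit i modified, not deleted."""
    return ct[:i] + bytes([ct[i] ^ 0xFF]) + ct[i + 1:]


def delete_digit(ct: bytes, i: int) -> bytes:
    """Channel error of Notes 6.3(i)/6.6(i): digit i lost in transmission."""
    return ct[:i] + ct[i + 1:]


def error_positions(expected: bytes, got: bytes) -> list:
    """Indices at which the decrypted text disagrees with the true plaintext."""
    return [i for i, (a, b) in enumerate(zip(expected, got)) if a != b]


def propagation_report(key: bytes, plaintext: bytes, i: int, t: int = 4) -> dict:
    """Decrypt after a flipped or a deleted ciphertext digit at position i and
    report how far the damage reaches for each cipher type."""
    sync_ct = sync_encrypt(key, plaintext)
    ss_ct = selfsync_encrypt(key, plaintext, t)
    # (a) modification: synchronous -> exactly one wrong digit (no propagation);
    #     self-synchronizing -> digit i and up to t following digits wrong,
    #     then correct decryption resumes from position i + t + 1
    sync_flip = sync_decrypt(key, flip_digit(sync_ct, i))
    ss_flip = selfsync_decrypt(key, flip_digit(ss_ct, i), t)
    # (b) deletion: synchronous -> everything from i onward is garbage (the
    #     keystream is now offset by one digit); self-synchronizing -> the
    #     receiver re-synchronizes after t digits, losing only those
    sync_del = sync_decrypt(key, delete_digit(sync_ct, i))
    ss_del = selfsync_decrypt(key, delete_digit(ss_ct, i), t)
    return {
        "sync_flip_errors": error_positions(plaintext, sync_flip),
        "selfsync_flip_errors": error_positions(plaintext, ss_flip),
        "selfsync_flip_resynced": ss_flip[i + t + 1:] == plaintext[i + t + 1:],
        "sync_delete_resynced": sync_del[i:] == plaintext[i + 1:],
        "selfsync_delete_resynced": ss_del[i + t:] == plaintext[i + t + 1:],
    }


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    pt = b"The quick brown fox jumps over the lazy dog, twice over."  # constructed
    for name, value in propagation_report(key, pt, 10).items():
        print(f"{name}: {value}")
```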


6.2  Feedback  shift  registers 

Feedback  shift  registers,  in  particular  linear  feedback  shift  registers,  are  the  basic  compo- 
nents of  many  keystream  generators.  §6.2.1  introduces  linear  feedback  shift  registers.  The 
linear  complexity  of  binary  sequences  is  studied  in  §6.2.2,  while  the  Berlekamp-Massey  al- 
gorithm for  computing  it  is  presented  in  §6.2.3.  Finally,  nonlinear  feedback  shift  registers 
are  discussed  in  §6.2.4. 


6.2.1  Linear  feedback  shift  registers 

Linear  feedback  shift  registers  (LFSRs)  are  used  in  many  of  the  keystream  generators  that 
have  been  proposed  in  the  literature.  There  are  several  reasons  for  this: 

1.  LFSRs  are  well-suited  to  hardware  implementation; 

2.  they  can  produce  sequences  of  large  period  (Fact  6.12); 

3.  they  can  produce  sequences  with  good  statistical  properties  (Fact  6.14);  and 

4.  because  of  their  structure,  they  can  be  readily  analyzed  using  algebraic  techniques. 

6.7 Definition A linear feedback shift register (LFSR) of length $L$ consists of $L$ stages (or delay elements) numbered $0, 1, \ldots, L-1$, each capable of storing one bit and having one input and one output; and a clock which controls the movement of data. During each unit of time the following operations are performed:

(i) the content of stage 0 is output and forms part of the output sequence;

(ii) the content of stage $i$ is moved to stage $i-1$ for each $i$, $1 \le i \le L-1$; and

(iii) the new content of stage $L-1$ is the feedback bit $s_j$ which is calculated by adding together modulo 2 the previous contents of a fixed subset of stages $0, 1, \ldots, L-1$.

Figure 6.4 depicts an LFSR. Referring to the figure, each $c_i$ is either 0 or 1; the closed semi-circles are AND gates; and the feedback bit $s_j$ is the modulo 2 sum of the contents of those stages $i$, $0 \le i \le L-1$, for which $c_{L-i} = 1$.

Figure 6.4: A linear feedback shift register (LFSR) of length $L$.


6.8 Definition The LFSR of Figure 6.4 is denoted $\langle L, C(D)\rangle$, where $C(D) = 1 + c_1 D + c_2 D^2 + \cdots + c_L D^L \in \mathbb{Z}_2[D]$ is the connection polynomial. The LFSR is said to be non-singular if the degree of $C(D)$ is $L$ (that is, $c_L = 1$). If the initial content of stage $i$ is $s_i \in \{0, 1\}$ for each $i$, $0 \le i \le L-1$, then $[s_{L-1}, \ldots, s_1, s_0]$ is called the initial state of the LFSR.

6.9 Fact If the initial state of the LFSR in Figure 6.4 is $[s_{L-1}, \ldots, s_1, s_0]$, then the output sequence $s = s_0, s_1, s_2, \ldots$ is uniquely determined by the following recursion:

$$s_j = (c_1 s_{j-1} + c_2 s_{j-2} + \cdots + c_L s_{j-L}) \bmod 2 \quad \text{for } j \ge L.$$

6.10 Example (output sequence of an LFSR) Consider the LFSR $\langle 4, 1 + D + D^4\rangle$ depicted in Figure 6.5. If the initial state of the LFSR is $[0, 0, 0, 0]$, the output sequence is the zero sequence. The following tables show the contents of the stages $D_3, D_2, D_1, D_0$ at the end of each unit of time $t$ when the initial state is $[0, 1, 1, 0]$.


   t   D_3  D_2  D_1  D_0         t   D_3  D_2  D_1  D_0
   0    0    1    1    0          8    1    1    1    0
   1    0    0    1    1          9    1    1    1    1
   2    1    0    0    1         10    0    1    1    1
   3    0    1    0    0         11    1    0    1    1
   4    0    0    1    0         12    0    1    0    1
   5    0    0    0    1         13    1    0    1    0
   6    1    0    0    0         14    1    1    0    1
   7    1    1    0    0         15    0    1    1    0

The  output  sequence  is  s = 0, 1, 1,0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 0, 1, . . .,  and  is  periodic  with 
period  15  (see  Definition  5.25).  □ 

The  significance  of  an  LFSR  being  non-singular  is  explained  by  Fact  6.11. 
Figure 6.5: The LFSR $\langle 4, 1 + D + D^4\rangle$ of Example 6.10 (stages $D_3$, $D_2$, $D_1$, $D_0$).


6.11 Fact Every output sequence (i.e., for all possible initial states) of an LFSR $\langle L, C(D)\rangle$ is periodic if and only if the connection polynomial $C(D)$ has degree $L$.

If an LFSR $\langle L, C(D)\rangle$ is singular (i.e., $C(D)$ has degree less than $L$), then not all output sequences are periodic. However, the output sequences are ultimately periodic; that is, the sequences obtained by ignoring a certain finite number of terms at the beginning are periodic. For the remainder of this chapter, it will be assumed that all LFSRs are non-singular. Fact 6.12 determines the periods of the output sequences of some special types of non-singular LFSRs.

6.12 Fact (periods of LFSR output sequences) Let $C(D) \in \mathbb{Z}_2[D]$ be a connection polynomial of degree $L$.

(i) If $C(D)$ is irreducible over $\mathbb{Z}_2$ (see Definition 2.190), then each of the $2^L - 1$ non-zero initial states of the non-singular LFSR $\langle L, C(D)\rangle$ produces an output sequence with period equal to the least positive integer $N$ such that $C(D)$ divides $1 + D^N$ in $\mathbb{Z}_2[D]$. (Note: it is always the case that this $N$ is a divisor of $2^L - 1$.)

(ii) If $C(D)$ is a primitive polynomial (see Definition 2.228), then each of the $2^L - 1$ non-zero initial states of the non-singular LFSR $\langle L, C(D)\rangle$ produces an output sequence with maximum possible period $2^L - 1$.

A method for generating primitive polynomials over $\mathbb{Z}_2$ uniformly at random is given in Algorithm 4.78. Table 4.8 lists a primitive polynomial of degree $m$ over $\mathbb{Z}_2$ for each $m$, $1 \le m \le 229$. Fact 6.12(ii) motivates the following definition.

6.13 Definition If $C(D) \in \mathbb{Z}_2[D]$ is a primitive polynomial of degree $L$, then $\langle L, C(D)\rangle$ is called a maximum-length LFSR. The output of a maximum-length LFSR with non-zero initial state is called an m-sequence.

Fact  6.14  demonstrates  that  the  output  sequences  of  maximum-length  LFSRs  have  good 
statistical  properties. 

6.14 Fact (statistical properties of m-sequences) Let $s$ be an m-sequence that is generated by a maximum-length LFSR of length $L$.

(i) Let $k$ be an integer, $1 \le k \le L$, and let $\bar{s}$ be any subsequence of $s$ of length $2^L + k - 2$. Then each non-zero sequence of length $k$ appears exactly $2^{L-k}$ times as a subsequence of $\bar{s}$. Furthermore, the zero sequence of length $k$ appears exactly $2^{L-k} - 1$ times as a subsequence of $\bar{s}$. In other words, the distribution of patterns having fixed length of at most $L$ is almost uniform.

(ii)  s satisfies  Golomb’s  randomness  postulates  (§5.4.3).  That  is,  every  m-sequence  is 
also  a pn-sequence  (see  Definition  5.29). 


Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

198 Ch. 6 Stream Ciphers


6.15 Example (m-sequence) Since $C(D) = 1 + D + D^4$ is a primitive polynomial over $\mathbb{Z}_2$, the LFSR $\langle 4, 1 + D + D^4\rangle$ is a maximum-length LFSR. Hence, the output sequence of this LFSR is an m-sequence of maximum possible period $N = 2^4 - 1 = 15$ (cf. Example 6.10). Example 5.30 verifies that this output sequence satisfies Golomb's randomness properties. □
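Definitions 6.7 and 6.8, Fact 6.9, Example 6.10 and Facts 6.12(ii) and 6.14(i), carried out in Python as an added example (not the Handbook's code): the register is clocked bit by bit, its period is measured from every non-zero state, and the pattern counts of Fact 6.14(i) are checked on the m-sequence of $\langle 4, 1 + D + D^4\rangle$.

```python
from itertools import product
from typing import List


class LFSR:
    """The LFSR <L, C(D)> of Definitions 6.7/6.8 (added example, not the
    Handbook's code).  `taps` = [c_1, ..., c_L] from the connection polynomial
    C(D) = 1 + c_1 D + ... + c_L D^L; `initial` = [s_{L-1}, ..., s_1, s_0]."""

    def __init__(self, taps: List[int], initial: List[int]):
        if len(taps) != len(initial) or taps[-1] != 1:
            raise ValueError("need c_L = 1 (non-singular) and L initial bits")
        self.L = len(taps)
        self.c = list(taps)
        # stage[i] holds the content of stage i; stage 0 is output next
        self.stage = list(reversed(initial))

    def clock(self) -> int:
        """One unit of time: output stage 0, shift down, feed back
        s_j = (c_1 s_{j-1} + ... + c_L s_{j-L}) mod 2 (Fact 6.9);
        s_{j-i} sits in stage L - i."""
        out = self.stage[0]
        fb = 0
        for i in range(1, self.L + 1):
            fb ^= self.c[i - 1] & self.stage[self.L - i]
        self.stage = self.stage[1:] + [fb]
        return out

    def output(self, n: int) -> List[int]:
        return [self.clock() for _ in range(n)]


def lfsr_period(taps: List[int], initial: List[int]) -> int:
    """Clock until the register returns to its initial contents."""
    reg = LFSR(taps, initial)
    start = list(reg.stage)
    steps = 0
    while True:
        reg.clock()
        steps += 1
        if reg.stage == start:
            return steps


def is_maximum_length(taps: List[int]) -> bool:
    """Fact 6.12(ii): every non-zero initial state has period 2^L - 1."""
    L = len(taps)
    return all(lfsr_period(taps, list(st)) == 2 ** L - 1
               for st in product((0, 1), repeat=L) if any(st))


def msequence_pattern_counts_ok(taps: List[int], initial: List[int]) -> bool:
    """Fact 6.14(i): in a window of length 2^L + k - 2 of an m-sequence, every
    non-zero k-bit pattern occurs 2^(L-k) times and the zero pattern
    2^(L-k) - 1 times, for 1 <= k <= L."""
    L = len(taps)
    seq = LFSR(taps, initial).output(3 * (2 ** L))  # several periods
    for k in range(1, L + 1):
        window = seq[:2 ** L + k - 2]
        counts = {}
        for i in range(len(window) - k + 1):
            pat = tuple(window[i:i + k])
            counts[pat] = counts.get(pat, 0) + 1
        for pat in product((0, 1), repeat=k):
            want = 2 ** (L - k) - (0 if any(pat) else 1)
            if counts.get(pat, 0) != want:
                return False
    return True


if __name__ == "__main__":
    taps = [1, 0, 0, 1]             # C(D) = 1 + D + D^4 (Example 6.10)
    reg = LFSR(taps, [0, 1, 1, 0])  # initial state of Example 6.10
    print("output:", reg.output(15))                   # 0,1,1,0,0,1,0,0,0,1,1,1,1,0,1
    print("period:", lfsr_period(taps, [0, 1, 1, 0]))  # 15 = 2^4 - 1
    print("maximum-length:", is_maximum_length(taps))  # True
    print("Fact 6.14(i):", msequence_pattern_counts_ok(taps, [0, 1, 1, 0]))  # True
```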


6.2.2  Linear  complexity 

This subsection summarizes selected results about the linear complexity of sequences. All sequences are assumed to be binary sequences. Notation: $s$ denotes an infinite sequence whose terms are $s_0, s_1, s_2, \ldots$; $s^n$ denotes a finite sequence of length $n$ whose terms are $s_0, s_1, \ldots, s_{n-1}$ (see Definition 5.24).

6.16 Definition An LFSR is said to generate a sequence $s$ if there is some initial state for which the output sequence of the LFSR is $s$. Similarly, an LFSR is said to generate a finite sequence $s^n$ if there is some initial state for which the output sequence of the LFSR has $s^n$ as its first $n$ terms.


6.17  Definition  The  linear  complexity  of  an  infinite  binary  sequence  s,  denoted  L(s),  is  defined 
as  follows: 

(i)  if  s is  the  zero  sequence  s = 0, 0, 0, . . . , then  L(s)  = 0; 

(ii) if no LFSR generates $s$, then $L(s) = \infty$;

(iii)  otherwise,  L(s)  is  the  length  of  the  shortest  LFSR  that  generates  s. 


6.18 Definition The linear complexity of a finite binary sequence $s^n$, denoted $L(s^n)$, is the length of the shortest LFSR that generates a sequence having $s^n$ as its first $n$ terms.

Facts  6.19  - 6.22  summarize  some  basic  results  about  linear  complexity. 


6.19 Fact (properties of linear complexity) Let $s$ and $t$ be binary sequences.

(i) For any $n \ge 1$, the linear complexity of the subsequence $s^n$ satisfies $0 \le L(s^n) \le n$.

(ii) $L(s^n) = 0$ if and only if $s^n$ is the zero sequence of length $n$.

(iii) $L(s^n) = n$ if and only if $s^n = 0, 0, 0, \ldots, 0, 1$.

(iv) If $s$ is periodic with period $N$, then $L(s) \le N$.

(v) $L(s \oplus t) \le L(s) + L(t)$, where $s \oplus t$ denotes the bitwise XOR of $s$ and $t$.


6.20 Fact If the polynomial $C(D) \in \mathbb{Z}_2[D]$ is irreducible over $\mathbb{Z}_2$ and has degree $L$, then each of the $2^L - 1$ non-zero initial states of the non-singular LFSR $\langle L, C(D)\rangle$ produces an output sequence with linear complexity $L$.


6.21 Fact (expectation and variance of the linear complexity of a random sequence) Let $s^n$ be chosen uniformly at random from the set of all binary sequences of length $n$, and let $L(s^n)$ be the linear complexity of $s^n$. Let $B(n)$ denote the parity function: $B(n) = 0$ if $n$ is even; $B(n) = 1$ if $n$ is odd.

(i) The expected linear complexity of $s^n$ is

$$E(L(s^n)) = \frac{n}{2} + \frac{4 + B(n)}{18} - \frac{1}{2^n}\left(\frac{n}{3} + \frac{2}{9}\right).$$

Hence, for moderately large $n$, $E(L(s^n)) \approx \frac{n}{2} + \frac{2}{9}$ if $n$ is even, and $E(L(s^n)) \approx \frac{n}{2} + \frac{5}{18}$ if $n$ is odd.

(ii) The variance of the linear complexity of $s^n$ is

$$\mathrm{Var}(L(s^n)) = \frac{86}{81} - \frac{1}{2^n}\left(\frac{14 - B(n)}{27}\,n + \frac{82 - 2B(n)}{81}\right) - \frac{1}{2^{2n}}\left(\frac{1}{9}n^2 + \frac{4}{27}n + \frac{4}{81}\right).$$

Hence, $\mathrm{Var}(L(s^n)) \approx \frac{86}{81}$ for moderately large $n$.


6.22 Fact (expectation of the linear complexity of a random periodic sequence) Let $s^n$ be chosen uniformly at random from the set of all binary sequences of length $n$, where $n = 2^t$ for some fixed $t \ge 1$, and let $s$ be the $n$-periodic infinite sequence obtained by repeating the sequence $s^n$. Then the expected linear complexity of $s$ is $E(L(s^n)) = n - 1 + 2^{-n}$.

The  linear  complexity  profile  of  a binary  sequence  is  introduced  next. 


6.23 Definition Let $s = s_0, s_1, \ldots$ be a binary sequence, and let $L_N$ denote the linear complexity of the subsequence $s^N = s_0, s_1, \ldots, s_{N-1}$, $N \ge 0$. The sequence $L_1, L_2, \ldots$ is called the linear complexity profile of $s$. Similarly, if $s^n = s_0, s_1, \ldots, s_{n-1}$ is a finite binary sequence, the sequence $L_1, L_2, \ldots, L_n$ is called the linear complexity profile of $s^n$.

The  linear  complexity  profile  of  a sequence  can  be  computed  using  the  Berlekamp- 
Massey  algorithm  (Algorithm  6.30);  see  also  Note  6.31.  The  following  properties  of  the 
linear  complexity  profile  can  be  deduced  from  Fact  6.29. 


6.24 Fact (properties of linear complexity profile) Let $L_1, L_2, \ldots$ be the linear complexity profile of a sequence $s = s_0, s_1, \ldots$.

(i) If $j > i$, then $L_j \ge L_i$.

(ii) $L_{N+1} > L_N$ is possible only if $L_N \le N/2$.

(iii) If $L_{N+1} > L_N$, then $L_{N+1} + L_N = N + 1$.

The linear complexity profile of a sequence $s$ can be graphed by plotting the points $(N, L_N)$, $N \ge 1$, in the $N \times L$ plane and joining successive points by a horizontal line followed by a vertical line, if necessary (see Figure 6.6). Fact 6.24 can then be interpreted as saying that the graph of a linear complexity profile is non-decreasing. Moreover, a (vertical) jump in the graph can only occur from below the line $L = N/2$; if a jump occurs, then it is symmetric about this line. Fact 6.25 shows that the expected linear complexity of a random sequence should closely follow the line $L = N/2$.

6.25 Fact (expected linear complexity profile of a random sequence) Let $s = s_0, s_1, \ldots$ be a random sequence, and let $L_N$ be the linear complexity of the subsequence $s^N = s_0, s_1, \ldots, s_{N-1}$ for each $N \ge 1$. For any fixed index $N \ge 1$, the expected smallest $j$ for which $L_{N+j} > L_N$ is 2 if $L_N \le N/2$, or $2 + 2L_N - N$ if $L_N > N/2$. Moreover, the expected increase in linear complexity is 2 if $L_N \ge N/2$, or $N - 2L_N + 2$ if $L_N < N/2$.

6.26 Example (linear complexity profile) Consider the 20-periodic sequence $s$ with cycle

$$s^{20} = 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1, 0.$$

The linear complexity profile of $s$ is 1, 1, 1, 3, 3, 3, 3, 5, 5, 5, 6, 6, 6, 8, 8, 8, 9, 9, 10, 10, 11, 11, 11, 11, 14, 14, 14, 14, 15, 15, 15, 17, 17, 17, 18, 18, 19, 19, 19, 19, .... Figure 6.6 shows the graph of the linear complexity profile of $s$. □
Figure 6.6: Linear complexity profile of the 20-periodic sequence of Example 6.26 (horizontal axis $N$, vertical axis $L = L(s^N)$).


As  is  the  case  with  all  statistical  tests  for  randomness  (cf.  §5.4),  the  condition  that  a se- 
quence s have  a linear  complexity  profile  that  closely  resembles  that  of  a random  sequence 
is  necessary  but  not  sufficient  for  s to  be  considered  random.  This  point  is  illustrated  in  the 
following  example. 

6.27 Example (limitations of the linear complexity profile) The linear complexity profile of the sequence $s$ defined as

$$s_i = \begin{cases} 1, & \text{if } i = 2^j - 1 \text{ for some } j \ge 0, \\ 0, & \text{otherwise,} \end{cases}$$

follows the line $L = N/2$ as closely as possible. That is, $L(s^N) = \lfloor (N+1)/2 \rfloor$ for all $N \ge 1$. However, the sequence $s$ is clearly non-random. □


6.2.3  Berlekamp-Massey  algorithm 

The Berlekamp-Massey algorithm (Algorithm 6.30) is an efficient algorithm for determining the linear complexity of a finite binary sequence $s^n$ of length $n$ (see Definition 6.18). The algorithm takes $n$ iterations, with the $N$th iteration computing the linear complexity of the subsequence $s^N$ consisting of the first $N$ terms of $s^n$. The theoretical basis for the algorithm is Fact 6.29.

6.28 Definition Consider the finite binary sequence $s^{N+1} = s_0, s_1, \ldots, s_{N-1}, s_N$. For $C(D) = 1 + c_1 D + \cdots + c_L D^L$, let $\langle L, C(D)\rangle$ be an LFSR that generates the subsequence $s^N = s_0, s_1, \ldots, s_{N-1}$. The next discrepancy is the difference between $s_N$ and the $(N+1)$st term generated by the LFSR: $d_N = (s_N + \sum_{i=1}^{L} c_i s_{N-i}) \bmod 2$.

6.29 Fact Let $s^N = s_0, s_1, \ldots, s_{N-1}$ be a finite binary sequence of linear complexity $L = L(s^N)$, and let $\langle L, C(D)\rangle$ be an LFSR which generates $s^N$.

(i) The LFSR $\langle L, C(D)\rangle$ also generates $s^{N+1} = s_0, s_1, \ldots, s_{N-1}, s_N$ if and only if the next discrepancy $d_N$ is equal to 0.

(ii) If $d_N = 0$, then $L(s^{N+1}) = L$.

(iii) Suppose $d_N = 1$. Let $m$ be the largest integer $< N$ such that $L(s^m) < L(s^N)$, and let $\langle L(s^m), B(D)\rangle$ be an LFSR of length $L(s^m)$ which generates $s^m$. Then $\langle L', C'(D)\rangle$ is an LFSR of smallest length which generates $s^{N+1}$, where

$$L' = \begin{cases} L, & \text{if } L > N/2, \\ N + 1 - L, & \text{if } L \le N/2, \end{cases}$$

and $C'(D) = C(D) + B(D) \cdot D^{N-m}$.


6.30 Algorithm Berlekamp-Massey algorithm

INPUT: a binary sequence $s^n = s_0, s_1, s_2, \ldots, s_{n-1}$ of length $n$.

OUTPUT: the linear complexity $L(s^n)$ of $s^n$, $0 \le L(s^n) \le n$.

1. Initialization. $C(D) \leftarrow 1$, $L \leftarrow 0$, $m \leftarrow -1$, $B(D) \leftarrow 1$, $N \leftarrow 0$.

2. While ($N < n$) do the following:

2.1 Compute the next discrepancy $d$. $d \leftarrow (s_N + \sum_{i=1}^{L} c_i s_{N-i}) \bmod 2$.

2.2 If $d = 1$ then do the following:

$T(D) \leftarrow C(D)$, $C(D) \leftarrow C(D) + B(D) \cdot D^{N-m}$.

If $L \le N/2$ then $L \leftarrow N + 1 - L$, $m \leftarrow N$, $B(D) \leftarrow T(D)$.

2.3 $N \leftarrow N + 1$.

3. Return($L$).


6.31  Note  ( intermediate  results  in  Berlekamp-Massey  algorithm ) At  the  end  of  each  iteration 
of  step  2,  (L,  C(D))  is  an  LFSR  of  smallest  length  which  generates  sN . Hence,  Algo- 
rithm 6.30  can  also  be  used  to  compute  the  linear  complexity  profile  (Definition  6.23)  of 
a finite  sequence. 

6.32 Fact The running time of the Berlekamp-Massey algorithm (Algorithm 6.30) for determining the linear complexity of a binary sequence of bitlength $n$ is $O(n^2)$ bit operations.

6.33 Example (Berlekamp-Massey algorithm) Table 6.1 shows the steps of Algorithm 6.30 for computing the linear complexity of the binary sequence $s^9 = 0, 0, 1, 1, 0, 1, 1, 1, 0$ of length $n = 9$. This sequence is found to have linear complexity 5, and an LFSR which generates it is $\langle 5, 1 + D^3 + D^5\rangle$. □

6.34 Fact Let $s^n$ be a finite binary sequence of length $n$, and let the linear complexity of $s^n$ be $L$. Then there is a unique LFSR of length $L$ which generates $s^n$ if and only if $L \le$

An  important  consequence  of  Fact  6.34  and  Fact  6.24(iii)  is  the  following. 

6.35 Fact Let $s$ be an (infinite) binary sequence of linear complexity $L$, and let $t$ be a (finite) subsequence of $s$ of length at least $2L$. Then the Berlekamp-Massey algorithm (with step 3 modified to return both $L$ and $C(D)$) on input $t$ determines an LFSR of length $L$ which generates $s$.
  s_N   d   T(D)                  C(D)                  L   m   B(D)           N
   -    -   -                     1                     0  -1   1              0
   0    0   -                     1                     0  -1   1              1
   0    0   -                     1                     0  -1   1              2
   1    1   1                     1 + D^3               3   2   1              3
   1    1   1 + D^3               1 + D + D^3           3   2   1              4
   0    1   1 + D + D^3           1 + D + D^2 + D^3     3   2   1              5
   1    1   1 + D + D^2 + D^3     1 + D + D^2           3   2   1              6
   1    0   1 + D + D^2 + D^3     1 + D + D^2           3   2   1              7
   1    1   1 + D + D^2           1 + D + D^2 + D^5     5   7   1 + D + D^2    8
   0    1   1 + D + D^2 + D^5     1 + D^3 + D^5         5   7   1 + D + D^2    9

Table 6.1: Steps of the Berlekamp-Massey algorithm of Example 6.33.
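Algorithm 6.30 together with Note 6.31 and Fact 6.35, as an added Python example that is not the Handbook's code: it reproduces Example 6.33, records the linear complexity profile of Example 6.26, and shows how $2L$ output bits of the LFSR of Example 6.10 suffice to recover $\langle L, C(D)\rangle$ and regenerate the sequence (the predictability argument of §6.3). Polynomials are coefficient lists over $\mathbb{Z}_2$ indexed by degree.

```python
from typing import List, Optional, Tuple

Poly = List[int]  # coefficients over Z_2, index = degree; C[0] == 1 always


def poly_str(C: Poly) -> str:
    """Render [1, 0, 0, 1, 0, 1] as '1 + D^3 + D^5'."""
    terms = ["1"] + [f"D^{i}" if i > 1 else "D"
                     for i, c in enumerate(C) if c and i]
    return " + ".join(terms)


def berlekamp_massey(s: List[int], profile: Optional[List[int]] = None) -> Tuple[int, Poly]:
    """Algorithm 6.30 (added example, not the Handbook's code).  Returns L(s^n)
    and the connection polynomial C(D) of an LFSR of that length generating
    s^n (step 3 modified as in Fact 6.35 to return both).  If `profile` is a
    list, L after each iteration is appended to it (Note 6.31)."""
    n = len(s)
    C, B, L, m, N = [1], [1], 0, -1, 0              # step 1
    while N < n:                                    # step 2
        # 2.1  d = (s_N + sum_{i=1}^{L} c_i s_{N-i}) mod 2; deg C(D) may be < L
        d = s[N]
        for i in range(1, L + 1):
            if i < len(C) and C[i]:
                d ^= s[N - i]
        if d == 1:                                  # 2.2
            T = list(C)
            shift = N - m                           # C(D) <- C(D) + B(D) * D^(N-m)
            C = C + [0] * max(0, len(B) + shift - len(C))
            for j, b in enumerate(B):
                C[j + shift] ^= b
            if 2 * L <= N:                          # L <= N/2
                L, m, B = N + 1 - L, N, T
        N += 1                                      # 2.3
        if profile is not None:
            profile.append(L)
    while len(C) > 1 and C[-1] == 0:                # drop trailing zero coefficients
        C.pop()
    return L, C


def linear_complexity_profile(s: List[int]) -> List[int]:
    """Note 6.31: the values L(s^1), L(s^2), ..., L(s^n) of one BM run."""
    prof: List[int] = []
    berlekamp_massey(s, prof)
    return prof


def extend_by_recursion(prefix: List[int], C: Poly, n: int) -> List[int]:
    """Fact 6.9: continue a sequence from its first terms with
    s_j = (c_1 s_{j-1} + ... + c_L s_{j-L}) mod 2, L = deg C(D)."""
    out = list(prefix)
    L = len(C) - 1
    for j in range(len(out), n):
        out.append(sum(C[i] & out[j - i] for i in range(1, L + 1)) % 2)
    return out


def predict_from_2L_bits(t: List[int], n: int) -> Tuple[int, Poly, List[int]]:
    """Fact 6.35: from 2L consecutive output bits t of an LFSR of linear
    complexity L, recover <L, C(D)> and regenerate the first n output bits."""
    L, C = berlekamp_massey(t)
    return L, C, extend_by_recursion(t[:L], C, n)


if __name__ == "__main__":
    L, C = berlekamp_massey([0, 0, 1, 1, 0, 1, 1, 1, 0])    # Example 6.33
    print(L, poly_str(C))                                  # 5 1 + D^3 + D^5
    s20 = [1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1, 0]  # Example 6.26
    print(linear_complexity_profile(s20 * 2)[:8])          # [1, 1, 1, 3, 3, 3, 3, 5]
    # Example 6.10's m-sequence has L = 4, so 2L = 8 bits determine it
    print(predict_from_2L_bits([0, 1, 1, 0, 0, 1, 0, 0], 15))
```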


6.2.4  Nonlinear  feedback  shift  registers 

This subsection summarizes selected results about nonlinear feedback shift registers. A function with $n$ binary inputs and one binary output is called a Boolean function of $n$ variables; there are $2^{2^n}$ different Boolean functions of $n$ variables.

6.36 Definition A (general) feedback shift register (FSR) of length $L$ consists of $L$ stages (or delay elements) numbered $0, 1, \ldots, L-1$, each capable of storing one bit and having one input and one output, and a clock which controls the movement of data. During each unit of time the following operations are performed:

(i) the content of stage 0 is output and forms part of the output sequence;

(ii) the content of stage $i$ is moved to stage $i-1$ for each $i$, $1 \le i \le L-1$; and

(iii) the new content of stage $L-1$ is the feedback bit $s_j = f(s_{j-1}, s_{j-2}, \ldots, s_{j-L})$, where the feedback function $f$ is a Boolean function and $s_{j-i}$ is the previous content of stage $L-i$, $1 \le i \le L$.

If the initial content of stage $i$ is $s_i \in \{0, 1\}$ for each $0 \le i \le L-1$, then $[s_{L-1}, \ldots, s_1, s_0]$ is called the initial state of the FSR.

Figure 6.7 depicts an FSR. Note that if the feedback function $f$ is a linear function, then the FSR is an LFSR (Definition 6.7). Otherwise, the FSR is called a nonlinear FSR.

Figure 6.7: A feedback shift register (FSR) of length $L$.


6.37 Fact If the initial state of the FSR in Figure 6.7 is $[s_{L-1}, \ldots, s_1, s_0]$, then the output sequence $s = s_0, s_1, s_2, \ldots$ is uniquely determined by the following recursion:

$$s_j = f(s_{j-1}, s_{j-2}, \ldots, s_{j-L}) \quad \text{for } j \ge L.$$
6.38 Definition An FSR is said to be non-singular if and only if every output sequence of the FSR (i.e., for all possible initial states) is periodic.

6.39 Fact An FSR with feedback function $f(s_{j-1}, s_{j-2}, \ldots, s_{j-L})$ is non-singular if and only if $f$ is of the form $f = s_{j-L} \oplus g(s_{j-1}, s_{j-2}, \ldots, s_{j-L+1})$ for some Boolean function $g$.

The period of the output sequence of a non-singular FSR of length $L$ is at most $2^L$.

6.40 Definition If the period of the output sequence (for any initial state) of a non-singular FSR of length $L$ is $2^L$, then the FSR is called a de Bruijn FSR, and the output sequence is called a de Bruijn sequence.

6.41 Example (de Bruijn sequence) Consider the FSR of length 3 with nonlinear feedback function $f(x_1, x_2, x_3) = 1 \oplus x_2 \oplus x_3 \oplus x_1 x_2$. The following tables show the contents of the 3 stages of the FSR at the end of each unit of time $t$ when the initial state is $[0, 0, 0]$.

   t   Stage 2  Stage 1  Stage 0        t   Stage 2  Stage 1  Stage 0
   0      0        0        0           4      0        1        1
   1      1        0        0           5      1        0        1
   2      1        1        0           6      0        1        0
   3      1        1        1           7      0        0        1

The output sequence is the de Bruijn sequence with cycle 0, 0, 0, 1, 1, 1, 0, 1. □

Fact 6.42 demonstrates that the output sequences of de Bruijn FSRs have good statistical properties (compare with Fact 6.14(i)).

6.42 Fact (statistical properties of de Bruijn sequences) Let $s$ be a de Bruijn sequence that is generated by a de Bruijn FSR of length $L$. Let $k$ be an integer, $1 \le k \le L$, and let $\bar{s}$ be any subsequence of $s$ of length $2^L + k - 1$. Then each sequence of length $k$ appears exactly $2^{L-k}$ times as a subsequence of $\bar{s}$. In other words, the distribution of patterns having fixed length of at most $L$ is uniform.

6.43 Note (converting a maximum-length LFSR to a de Bruijn FSR) Let $R_1$ be a maximum-length LFSR of length $L$ with (linear) feedback function $f(s_{j-1}, s_{j-2}, \ldots, s_{j-L})$. Then the FSR $R_2$ with feedback function $g(s_{j-1}, s_{j-2}, \ldots, s_{j-L}) = f \oplus \bar{s}_{j-1}\bar{s}_{j-2}\cdots\bar{s}_{j-L+1}$ is a de Bruijn FSR. Here, $\bar{s}_i$ denotes the complement of $s_i$. The output sequence of $R_2$ is obtained from that of $R_1$ by simply adding a 0 to the end of each subsequence of $L-1$ 0's occurring in the output sequence of $R_1$.
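Definition 6.36, Example 6.41, Fact 6.42 and Note 6.43 in Python, as an added example that is not the Handbook's code: a general FSR driven by an arbitrary Boolean feedback function, the de Bruijn FSR of Example 6.41, and the conversion of the maximum-length LFSR $\langle 4, 1 + D + D^4\rangle$ into a de Bruijn FSR, checked against Note 6.43's description of the resulting sequence. The initial state $[0, 0, 0, 1]$ is chosen so that the single run of $L-1$ zeros does not wrap around the period.

```python
from typing import Callable, List


def fsr_run(L: int, f: Callable[..., int], initial: List[int], n: int) -> List[int]:
    """General FSR of Definition 6.36 / Fact 6.37 (added example, not the
    Handbook's code).  `initial` = [s_{L-1}, ..., s_0]; f is called as
    f(s_{j-1}, s_{j-2}, ..., s_{j-L}).  Returns s_0, ..., s_{n-1}."""
    s = list(reversed(initial))
    for j in range(L, n):
        s.append(f(*[s[j - i] for i in range(1, L + 1)]))
    return s[:n]


def fsr_period(L: int, f: Callable[..., int], initial: List[int]) -> int:
    """Clock the register until its contents return to the initial state."""
    start = tuple(initial)          # (s_{j-1}, ..., s_{j-L}) at j = L
    state, steps = start, 0
    while True:
        state = (f(*state),) + state[:-1]
        steps += 1
        if state == start:
            return steps


def f_example_641(x1: int, x2: int, x3: int) -> int:
    """Nonlinear feedback of Example 6.41: 1 + x2 + x3 + x1*x2 (mod 2)."""
    return 1 ^ x2 ^ x3 ^ (x1 & x2)


def linear_feedback(taps: List[int]) -> Callable[..., int]:
    """Feedback of the LFSR <L, C(D)>, taps = [c_1..c_L]: sum c_i s_{j-i} mod 2."""
    return lambda *prev: sum(c & x for c, x in zip(taps, prev)) % 2


def de_bruijn_feedback(taps: List[int]) -> Callable[..., int]:
    """Note 6.43: g = f XOR (complement s_{j-1}) ... (complement s_{j-L+1});
    the product is 1 exactly when those L-1 bits are all 0."""
    f = linear_feedback(taps)
    L = len(taps)
    return lambda *prev: f(*prev) ^ int(not any(prev[:L - 1]))


def is_de_bruijn_cycle(cycle: List[int], L: int) -> bool:
    """Fact 6.42 with k = L: every L-bit pattern occurs exactly once per cycle."""
    ext = cycle + cycle[:L - 1]
    windows = {tuple(ext[i:i + L]) for i in range(len(cycle))}
    return len(cycle) == 2 ** L and len(windows) == 2 ** L


def pad_zero_runs(mseq: List[int], L: int) -> List[int]:
    """Note 6.43's description: append one 0 to each run of L-1 zeros."""
    out, run = [], 0
    for bit in mseq:
        out.append(bit)
        run = run + 1 if bit == 0 else 0
        if run == L - 1:
            out.append(0)
            run = 0
    return out


if __name__ == "__main__":
    print(fsr_run(3, f_example_641, [0, 0, 0], 8))   # [0, 0, 0, 1, 1, 1, 0, 1]
    print(fsr_period(3, f_example_641, [0, 0, 0]))   # 8 = 2^3
    taps = [1, 0, 0, 1]                              # C(D) = 1 + D + D^4
    m15 = fsr_run(4, linear_feedback(taps), [0, 0, 0, 1], 15)
    db16 = fsr_run(4, de_bruijn_feedback(taps), [0, 0, 0, 1], 16)
    print(fsr_period(4, de_bruijn_feedback(taps), [0, 0, 0, 1]))   # 16
    print(is_de_bruijn_cycle(db16, 4), pad_zero_runs(m15, 4) == db16)  # True True
```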


6.3  Stream  ciphers  based  on  LFSRs 

As  mentioned  in  the  beginning  of  §6.2.1,  linear  feedback  shift  registers  are  widely  used 
in  keystream  generators  because  they  are  well-suited  for  hardware  implementation,  pro- 
duce sequences  having  large  periods  and  good  statistical  properties,  and  are  readily  ana- 
lyzed using  algebraic  techniques.  Unfortunately,  the  output  sequences  of  LFSRs  are  also 
easily predictable, as the following argument shows. Suppose that the output sequence $s$ of an LFSR has linear complexity $L$. The connection polynomial $C(D)$ of an LFSR of length $L$ which generates $s$ can be efficiently determined using the Berlekamp-Massey algorithm (Algorithm 6.30) from any (short) subsequence $t$ of $s$ having length at least $n = 2L$ (cf. Fact 6.35). Having determined $C(D)$, the LFSR $\langle L, C(D)\rangle$ can then be initialized with any substring of $t$ having length $L$, and used to generate the remainder of the sequence $s$. An adversary may obtain the required subsequence $t$ of $s$ by mounting a known or chosen-plaintext attack (§1.13.1) on the stream cipher: if the adversary knows the plaintext subsequence $m_1, m_2, \ldots, m_n$ corresponding to a ciphertext sequence $c_1, c_2, \ldots, c_n$, the corresponding keystream bits are obtained as $m_i \oplus c_i$, $1 \le i \le n$.

6.44  Note  (use  ofLFSRs  in  keystream  generators)  Since  a well-designed  system  should  be  se- 
cure against  known-plaintext  attacks,  an  LFSR  should  never  be  used  by  itself  as  a keystream 
generator.  Nevertheless,  LFSRs  are  desirable  because  of  their  very  low  implementation 
costs.  Three  general  methodologies  for  destroying  the  linearity  properties  of  LFSRs  are 
discussed  in  this  section: 

(i)  using  a nonlinear  combining  function  on  the  outputs  of  several  LFSRs  (§6.3.1); 

(ii)  using  a nonlinear  filtering  function  on  the  contents  of  a single  LFSR  (§6.3.2);  and 

(iii)  using  the  output  of  one  (or  more)  LFSRs  to  control  the  clock  of  one  (or  more)  other 
LFSRs  (§6.3.3). 

Desirable  properties  of  LFSR-based  keystream  generators 

For  essentially  all  possible  secret  keys,  the  output  sequence  of  an  LFSR-based  keystream 
generator  should  have  the  following  properties: 

1.  large  period; 

2.  large  linear  complexity;  and 

3.  good  statistical  properties  (e.g.,  as  described  in  Fact  6.14). 

It  is  emphasized  that  these  properties  are  only  necessary  conditions  for  a keystream  gen- 
erator to  be  considered  cryptographically  secure.  Since  mathematical  proofs  of  security  of 
such  generators  are  not  known,  such  generators  can  only  be  deemed  computationally  secure 
(§1.13.3(iv))  after  having  withstood  sufficient  public  scrutiny. 

6.45 Note (connection polynomial) Since a desirable property of a keystream generator is that its output sequences have large periods, component LFSRs should always be chosen to be maximum-length LFSRs, i.e., the LFSRs should be of the form $\langle L, C(D)\rangle$ where $C(D) \in \mathbb{Z}_2[D]$ is a primitive polynomial of degree $L$ (see Definition 6.13 and Fact 6.12(ii)).

6.46  Note  (known  vs.  secret  connection  polynomial)  The  LFSRs  in  an  LFSR-based  keystream 
generator  may  have  known  or  secret  connection  polynomials.  For  known  connections,  the 
secret  key  generally  consists  of  the  initial  contents  of  the  component  LFSRs.  For  secret 
connections,  the  secret  key  for  the  keystream  generator  generally  consists  of  both  the  initial 
contents  and  the  connections. 

For  LFSRs  of  length  L with  secret  connections,  the  connection  polynomials  should  be 
selected  uniformly  at  random  from  the  set  of  all  primitive  polynomials  of  degree  L over  Z2 . 
Secret  connections  are  generally  recommended  over  known  connections  as  the  former  are 
more  resistant  to  certain  attacks  which  use  precomputation  for  analyzing  the  particular  con- 
nection, and  because  the  former  are  more  amenable  to  statistical  analysis.  Secret  connection 
LFSRs  have  the  drawback  of  requiring  extra  circuitry  to  implement  in  hardware.  However, 
because  of  the  extra  security  possible  with  secret  connections,  this  cost  may  sometimes  be 
compensated  for  by  choosing  shorter  LFSRs. 
6.47 Note (sparse vs. dense connection polynomial) For implementation purposes, it is advantageous to choose an LFSR that is sparse; i.e., only a few of the coefficients of the connection polynomial are non-zero. Then only a small number of connections must be made between the stages of the LFSR in order to compute the feedback bit. For example, the connection polynomial might be chosen to be a primitive trinomial (cf. Table 4.8). However, in some LFSR-based keystream generators, special attacks can be mounted if sparse connection polynomials are used. Hence, it is generally recommended not to use sparse connection polynomials in LFSR-based keystream generators.


6.3.1  Nonlinear  combination  generators 

One general technique for destroying the linearity inherent in LFSRs is to use several LFSRs in parallel. The keystream is generated as a nonlinear function f of the outputs of the component LFSRs; this construction is illustrated in Figure 6.8. Such keystream generators are called nonlinear combination generators, and f is called the combining function. The remainder of this subsection demonstrates that the function f must satisfy several criteria in order to withstand certain particular cryptographic attacks.

Figure 6.8: A nonlinear combination generator. f is a nonlinear combining function.


6.48 Definition A product of m distinct variables is called an mth order product of the variables. Every Boolean function f(x_1, x_2, ..., x_n) can be written as a modulo 2 sum of distinct mth order products of its variables, 0 ≤ m ≤ n; this expression is called the algebraic normal form of f. The nonlinear order of f is the maximum of the order of the terms appearing in its algebraic normal form.

For example, the Boolean function f(x_1, x_2, x_3, x_4, x_5) = 1 ⊕ x_2 ⊕ x_3 ⊕ x_4 x_5 ⊕ x_1 x_3 x_4 x_5 has nonlinear order 4. Note that the maximum possible nonlinear order of a Boolean function in n variables is n. Fact 6.49 demonstrates that the output sequence of a nonlinear combination generator has high linear complexity, provided that a combining function f of high nonlinear order is employed.

6.49 Fact Suppose that n maximum-length LFSRs, whose lengths L_1, L_2, ..., L_n are pairwise distinct and greater than 2, are combined by a nonlinear function f(x_1, x_2, ..., x_n) (as in Figure 6.8) which is expressed in algebraic normal form. Then the linear complexity of the keystream is f(L_1, L_2, ..., L_n). (The expression f(L_1, L_2, ..., L_n) is evaluated over the integers rather than over Z_2.)
6.50 Example (Geffe generator) The Geffe generator, as depicted in Figure 6.9, is defined by three maximum-length LFSRs whose lengths L_1, L_2, L_3 are pairwise relatively prime, with nonlinear combining function

f(x_1, x_2, x_3) = x_1 x_2 ⊕ (1 + x_2) x_3 = x_1 x_2 ⊕ x_2 x_3 ⊕ x_3.

The keystream generated has period (2^{L_1} − 1) · (2^{L_2} − 1) · (2^{L_3} − 1) and linear complexity L = L_1 L_2 + L_2 L_3 + L_3.

Figure 6.9: The Geffe generator.

The Geffe generator is cryptographically weak because information about the states of LFSR 1 and LFSR 3 leaks into the output sequence. To see this, let x_1(t), x_2(t), x_3(t), z(t) denote the tth output bits of LFSRs 1, 2, 3 and the keystream, respectively. Then the correlation probability of the sequence x_1(t) to the output sequence z(t) is

P(z(t) = x_1(t)) = P(x_2(t) = 1) + P(x_2(t) = 0) · P(x_3(t) = x_1(t)) = 1/2 + 1/2 · 1/2 = 3/4.

Similarly, P(z(t) = x_3(t)) = 3/4. For this reason, despite having high period and moderately high linear complexity, the Geffe generator succumbs to correlation attacks, as described in Note 6.51. □

6.51 Note (correlation attacks) Suppose that n maximum-length LFSRs R_1, R_2, ..., R_n of lengths L_1, L_2, ..., L_n are employed in a nonlinear combination generator. If the connection polynomials of the LFSRs and the combining function f are public knowledge, then the number of different keys of the generator is ∏_{i=1}^{n} (2^{L_i} − 1). (A key consists of the initial states of the LFSRs.) Suppose that there is a correlation between the keystream and the output sequence of R_1, with correlation probability p > 1/2. If a sufficiently long segment of the keystream is known (e.g., as is possible under a known-plaintext attack on a binary additive stream cipher), the initial state of R_1 can be deduced by counting the number of coincidences between the keystream and all possible shifts of the output sequence of R_1, until this number agrees with the correlation probability p. Under these conditions, finding the initial state of R_1 will take at most 2^{L_1} − 1 trials. In the case where there is a correlation between the keystream and the output sequences of each of R_1, R_2, ..., R_n, the (secret) initial state of each LFSR can be determined independently in a total of about ∑_{i=1}^{n} (2^{L_i} − 1) trials; this number is far smaller than the total number of different keys. In a similar manner, correlations between the output sequences of particular subsets of the LFSRs and the keystream can be exploited.

In view of Note 6.51, the combining function f should be carefully selected so that there is no statistical dependence between any small subset of the n LFSR sequences and the keystream. This condition can be satisfied if f is chosen to be mth-order correlation immune.

6.52 Definition Let X_1, X_2, ..., X_n be independent binary variables, each taking on the values 0 or 1 with probability 1/2. A Boolean function f(x_1, x_2, ..., x_n) is mth-order correlation immune if for each subset of m random variables X_{i_1}, X_{i_2}, ..., X_{i_m} with 1 ≤ i_1 < i_2 < ··· < i_m ≤ n, the random variable Z = f(X_1, X_2, ..., X_n) is statistically independent of the random vector (X_{i_1}, X_{i_2}, ..., X_{i_m}); equivalently, I(Z; X_{i_1}, X_{i_2}, ..., X_{i_m}) = 0 (see Definition 2.45).

For example, the function f(x_1, x_2, ..., x_n) = x_1 ⊕ x_2 ⊕ ··· ⊕ x_n is (n − 1)th-order correlation immune. In light of Fact 6.49, the following shows that there is a tradeoff between achieving high linear complexity and high correlation immunity with a combining function.

6.53 Fact If a Boolean function f(x_1, x_2, ..., x_n) is mth-order correlation immune, where 1 ≤ m < n, then the nonlinear order of f is at most n − m. Moreover, if f is balanced (i.e., exactly half of the output values of f are 0) then the nonlinear order of f is at most n − m − 1 for 1 ≤ m ≤ n − 2.
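Definitions 6.48 and 6.52 and Fact 6.53 can be checked mechanically on small functions. The following Python is an added example, not the Handbook's code: the algebraic normal form is read off the truth table with the binary Möbius transform, and the correlation-immunity order is decided with the Walsh transform using the Xiao–Massey criterion, which this page does not state: f is mth-order correlation immune exactly when W_f(w) = ∑_x (−1)^{f(x) ⊕ w·x} vanishes for every w of Hamming weight between 1 and m. The functions examined are the page's own (the Geffe function, x_1 ⊕ ··· ⊕ x_n with n = 3, and the five-variable function given after Definition 6.48).

```python
"""ANF, nonlinear order, balance and correlation-immunity order of a Boolean function.
Added example, not the Handbook's code."""


def truth_table(f, n):
    """table[x] = f(x_1, ..., x_n), where x_i is bit i-1 of the integer x."""
    return [f(*((x >> i) & 1 for i in range(n))) for x in range(1 << n)]


def anf(table, n):
    """Algebraic normal form (Definition 6.48) via the Möbius transform of the truth table.
    Returns the set of monomials, each encoded as the bitmask of the variables it contains
    (0 encodes the constant term 1)."""
    a = list(table)
    for i in range(n):
        bit = 1 << i
        for x in range(1 << n):
            if x & bit:
                a[x] ^= a[x ^ bit]
    return {x for x in range(1 << n) if a[x]}


def nonlinear_order(table, n):
    """Maximum order of a term appearing in the algebraic normal form."""
    return max((bin(m).count("1") for m in anf(table, n)), default=0)


def is_balanced(table):
    return 2 * sum(table) == len(table)


def walsh(table, n, w):
    """W_f(w) = sum over x of (-1)^(f(x) + w.x): correlation of f with the linear function w.x."""
    return sum(-1 if table[x] ^ (bin(x & w).count("1") & 1) else 1 for x in range(1 << n))


def correlation_immunity(table, n):
    """Largest m such that f is mth-order correlation immune (Definition 6.52), or 0.
    Xiao-Massey: f is mth-order CI iff W_f(w) = 0 for all w with 1 <= wt(w) <= m."""
    for w in sorted(range(1, 1 << n), key=lambda v: bin(v).count("1")):
        if walsh(table, n, w) != 0:
            return bin(w).count("1") - 1
    return n


def fact_6_53_holds(table, n):
    """Check the tradeoff of Fact 6.53 for one function."""
    m, order = correlation_immunity(table, n), nonlinear_order(table, n)
    if not 1 <= m < n:
        return True                       # the Fact makes no claim in this case
    bound = n - m - 1 if (is_balanced(table) and m <= n - 2) else n - m
    return order <= bound


# Functions taken from this page.
def geffe(x1, x2, x3):                  # Example 6.50: x1 x2 + x2 x3 + x3
    return (x1 & x2) ^ (x2 & x3) ^ x3


def xor3(x1, x2, x3):                   # x1 + x2 + x3, (n-1)th-order CI with n = 3
    return x1 ^ x2 ^ x3


def example_6_48(x1, x2, x3, x4, x5):   # 1 + x2 + x3 + x4 x5 + x1 x3 x4 x5
    return 1 ^ x2 ^ x3 ^ (x4 & x5) ^ (x1 & x3 & x4 & x5)


def summarize(f, n):
    t = truth_table(f, n)
    return {"order": nonlinear_order(t, n), "ci": correlation_immunity(t, n),
            "balanced": is_balanced(t), "fact_6_53": fact_6_53_holds(t, n)}


if __name__ == "__main__":
    for name, f, n in (("geffe", geffe, 3), ("xor3", xor3, 3), ("example_6_48", example_6_48, 5)):
        print(name, summarize(f, n))
```

For the Geffe function the Walsh value at w = x_1 is 4, i.e. the function agrees with x_1 on 6 of 8 inputs, which is the 3/4 correlation noted in Example 6.50; its correlation-immunity order is therefore 0, while x_1 ⊕ x_2 ⊕ x_3 reaches order 2 at the price of nonlinear order 1.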

The tradeoff between high linear complexity and high correlation immunity can be avoided by permitting memory in the nonlinear combination function f. This point is illustrated by the summation generator.

6.54 Example (summation generator) The combining function in the summation generator is based on the fact that integer addition, when viewed over Z_2, is a nonlinear function with memory whose correlation immunity is maximum. To see this in the case n = 2, let a = a_{m−1} 2^{m−1} + ··· + a_1 2 + a_0 and b = b_{m−1} 2^{m−1} + ··· + b_1 2 + b_0 be the binary representations of integers a and b. Then the bits of z = a + b are given by the recursive formula:

z_j = f_1(a_j, b_j, c_{j−1}) = a_j ⊕ b_j ⊕ c_{j−1},   0 ≤ j ≤ m,

c_j = f_2(a_j, b_j, c_{j−1}) = a_j b_j ⊕ (a_j ⊕ b_j) c_{j−1},   0 ≤ j ≤ m − 1,

where c_j is the carry bit, and c_{−1} = a_m = b_m = 0. Note that f_1 is 2nd-order correlation immune, while f_2 is a memoryless nonlinear function. The carry bit c_{j−1} carries all the nonlinear influence of less significant bits of a and b (namely, a_{j−1}, ..., a_1, a_0 and b_{j−1}, ..., b_1, b_0).

The summation generator, as depicted in Figure 6.10, is defined by n maximum-length LFSRs whose lengths L_1, L_2, ..., L_n are pairwise relatively prime. The secret key consists of the initial states of the LFSRs, and an initial (integer) carry C_0. The keystream is generated as follows. At time j (j ≥ 1), the LFSRs are stepped producing output bits x_1, x_2, ..., x_n, and the integer sum S_j = ∑_{i=1}^{n} x_i + C_{j−1} is computed. The keystream bit is S_j mod 2 (the least significant bit of S_j), while the new carry is computed as C_j = ⌊S_j/2⌋ (the remaining bits of S_j). The period of the keystream is ∏_{i=1}^{n} (2^{L_i} − 1), while its linear complexity is close to this number.

Figure 6.10: The summation generator.

Even though the summation generator has high period, linear complexity, and correlation immunity, it is vulnerable to certain correlation attacks and a known-plaintext attack based on its 2-adic span (see page 218). □
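The two combination generators of this subsection, written out in Python as an added example (not the Handbook's code): the Geffe generator of Example 6.50, with the correlation probability P(z = x_1) first computed exactly from the truth table of the combining function and then measured on generated keystream, and the summation generator of Example 6.54. The LFSR helper follows Definition 6.7 (⟨L, C(D)⟩ with initial state [s_{L−1}, ..., s_0] and output s_0 first); the three primitive polynomials, the initial states and the 4096-bit sample length are constructed choices, not values from the page.

```python
"""Geffe generator (Example 6.50) and summation generator (Example 6.54), with a check of
the 3/4 correlation stated for the Geffe generator. Added example, not from the Handbook."""
from itertools import product


def lfsr(L, taps, state):
    """LFSR <L, C(D)> in the notation of Definition 6.7: taps are the exponents i with
    c_i = 1 in C(D) = 1 + c_1 D + ... + c_L D^L, and state is [s_{L-1}, ..., s_1, s_0].
    Yields s_0, s_1, s_2, ... with s_j = c_1 s_{j-1} + ... + c_L s_{j-L} (mod 2)."""
    w = list(reversed(state))                  # w[k] holds s_{j+k}
    while True:
        yield w[0]
        w.append(sum(w[L - i] for i in taps) & 1)
        w.pop(0)


def geffe_function(x1, x2, x3):
    """Combining function f(x1, x2, x3) = x1 x2 + (1 + x2) x3 = x1 x2 + x2 x3 + x3 (mod 2)."""
    return (x1 & x2) ^ ((1 ^ x2) & x3)


def geffe(r1, r2, r3, nbits):
    """Clock all three LFSRs regularly; returns (keystream z, x1 bits, x2 bits, x3 bits)."""
    cols = [[next(r) for r in (r1, r2, r3)] for _ in range(nbits)]
    z = [geffe_function(*c) for c in cols]
    return z, [c[0] for c in cols], [c[1] for c in cols], [c[2] for c in cols]


def summation_generator(regs, carry, nbits):
    """Example 6.54: S_j = x_1 + ... + x_n + C_{j-1}; keystream bit S_j mod 2, new carry S_j div 2."""
    out = []
    for _ in range(nbits):
        s = sum(next(r) for r in regs) + carry
        out.append(s & 1)
        carry = s >> 1
    return out


def exact_correlation(f, n, k):
    """P(f(X) = X_k) for independent uniform bits X_1..X_n, by enumerating all 2^n inputs."""
    return sum(f(*x) == x[k] for x in product((0, 1), repeat=n)) / 2 ** n


def agreement(a, b):
    """Fraction of positions in which two bit sequences coincide."""
    return sum(u == v for u, v in zip(a, b)) / len(a)


# Constructed parameters: primitive polynomials of pairwise relatively prime degrees 5, 7, 11
# (1 + D^3 + D^5, 1 + D + D^7, 1 + D^2 + D^11) with arbitrary non-zero initial states.
def r1():
    return lfsr(5, (3, 5), [0, 0, 1, 0, 1])


def r2():
    return lfsr(7, (1, 7), [1, 0, 0, 0, 0, 0, 1])


def r3():
    return lfsr(11, (2, 11), [0] * 10 + [1])


def measured_correlations(nbits):
    """(P(z = x1), P(z = x2), P(z = x3)) estimated over nbits keystream bits."""
    z, x1, x2, x3 = geffe(r1(), r2(), r3(), nbits)
    return agreement(z, x1), agreement(z, x2), agreement(z, x3)


if __name__ == "__main__":
    print("exact P(z = x1):", exact_correlation(geffe_function, 3, 0))    # 0.75
    print("measured (x1, x2, x3):", measured_correlations(4096))           # about (0.75, 0.5, 0.75)
    print("summation generator:", summation_generator([r1(), r2(), r3()], 0, 16))
```

The measured agreement with x_1 and x_3 sits near 3/4 while the agreement with x_2 stays near 1/2, which is exactly the leak that Note 6.51 turns into a divide-and-conquer on the individual registers; the summation generator shows the remedy of carrying state (the integer carry) between clock cycles.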


6.3.2  Nonlinear  filter  generators 

Another general technique for destroying the linearity inherent in LFSRs is to generate the keystream as some nonlinear function of the stages of a single LFSR; this construction is illustrated in Figure 6.11. Such keystream generators are called nonlinear filter generators, and f is called the filtering function.

Figure 6.11: A nonlinear filter generator. f is a nonlinear Boolean filtering function.

Fact 6.55 describes the linear complexity of the output sequence of a nonlinear filter generator.

6.55 Fact Suppose that a nonlinear filter generator is constructed using a maximum-length LFSR of length L and a filtering function f of nonlinear order m (as in Figure 6.11).

(i) (Key's bound) The linear complexity of the keystream is at most L_m = ∑_{i=1}^{m} C(L, i), where C(L, i) is the binomial coefficient.

(ii) For a fixed maximum-length LFSR of prime length L, the fraction of Boolean functions f of nonlinear order m which produce sequences of maximum linear complexity L_m is

P_m ≈ exp(−L_m / (L · 2^L)) > e^{−1/L}.

Therefore, for large L, most of the generators produce sequences whose linear complexity meets the upper bound in (i).

The nonlinear function f selected for a filter generator should include many terms of each order up to the nonlinear order of f.
6.56 Example (knapsack generator) The knapsack keystream generator is defined by a maximum-length LFSR ⟨L, C(D)⟩ and a modulus Q = 2^L. The secret key consists of L knapsack integer weights a_1, a_2, ..., a_L each of bitlength L, and the initial state of the LFSR. Recall that the subset sum problem (§3.10) is to determine a subset of the knapsack weights which add up to a given integer s, provided that such a subset exists; this problem is NP-hard (Fact 3.91). The keystream is generated as follows: at time j, the LFSR is stepped and the knapsack sum S_j = ∑_{i=1}^{L} x_i a_i mod Q is computed, where [x_L, ..., x_2, x_1] is the state of the LFSR at time j. Finally, selected bits of S_j (after S_j is converted to its binary representation) are extracted to form part of the keystream (the ⌈lg L⌉ least significant bits of S_j should be discarded). The linear complexity of the keystream is then virtually certain to be L(2^L − 1).

Since the state of an LFSR is a binary vector, the function which maps the LFSR state to the knapsack sum S_j is indeed nonlinear. Explicitly, let the function f be defined by f(x) = ∑_{i=1}^{L} x_i a_i mod Q, where x = [x_L, ..., x_2, x_1] is a state. If x and y are two states then, in general, f(x ⊕ y) ≠ f(x) + f(y). □
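Key's bound from Fact 6.55(i) can be checked on a small instance. The following Python is an added example rather than the Handbook's code: it builds a nonlinear filter generator (Figure 6.11) from the maximum-length LFSR ⟨5, 1 + D^3 + D^5⟩ and a quadratic filtering function (both constructed choices), computes L_m = ∑_{i=1}^{m} C(L, i), and measures the linear complexity of the output with the Berlekamp–Massey algorithm (Algorithm 6.30, implemented here from its standard description). Two periods of output are enough for Berlekamp–Massey, since 62 bits exceed twice the bound of 15.

```python
"""Nonlinear filter generator (Figure 6.11) checked against Key's bound, Fact 6.55(i).
Added example, not the Handbook's code."""
from itertools import islice
from math import comb


def lfsr_states(L, taps, state):
    """Maximum-length LFSR <L, C(D)> as in Definition 6.7; taps are the exponents i with
    c_i = 1. Yields the register contents [s_{j+L-1}, ..., s_{j+1}, s_j] at each clock;
    the LFSR's own output bit is the last entry, s_j."""
    w = list(reversed(state))                  # w[k] = s_{j+k}
    while True:
        yield w[::-1]
        w.append(sum(w[L - i] for i in taps) & 1)
        w.pop(0)


def quadratic_filter(st):
    """Constructed filtering function of nonlinear order 2 on the five stages."""
    return st[4] ^ (st[0] & st[2]) ^ (st[1] & st[3])


def filter_generator(f, nbits, L=5, taps=(3, 5), state=(0, 0, 1, 0, 1)):
    """Keystream z_j = f(stages at time j) for nbits clocks of the LFSR <L, C(D)>."""
    return [f(st) for st in islice(lfsr_states(L, taps, list(state)), nbits)]


def keys_bound(L, m):
    """L_m = sum_{i=1}^{m} binom(L, i), the upper bound of Fact 6.55(i)."""
    return sum(comb(L, i) for i in range(1, m + 1))


def berlekamp_massey(s):
    """Algorithm 6.30: returns (L, C) where C = [c_0=1, c_1, ..., c_L] is the connection
    polynomial of the shortest LFSR generating the bit sequence s."""
    n = len(s)
    C, B = [1] + [0] * n, [1] + [0] * n        # current and previous connection polynomials
    L, m = 0, -1
    for N in range(n):
        d = s[N]                                # discrepancy between s_N and the LFSR's prediction
        for i in range(1, L + 1):
            d ^= C[i] & s[N - i]
        if d:
            T = C[:]
            for i in range(n + 1 - (N - m)):
                C[i + N - m] ^= B[i]            # C(D) <- C(D) + D^(N-m) B(D)
            if 2 * L <= N:
                L, m, B = N + 1 - L, N, T
    return L, C[:L + 1]


def regenerates(s, L, C):
    """True if the LFSR <L, C(D)> reproduces the whole sequence s from its first L bits."""
    return all(s[j] == (sum(C[i] & s[j - i] for i in range(1, L + 1)) & 1)
               for j in range(L, len(s)))


def linear_complexity(s):
    L, C = berlekamp_massey(s)
    assert regenerates(s, L, C)
    return L


if __name__ == "__main__":
    raw = filter_generator(lambda st: st[4], 62)            # plain LFSR output, LC = 5
    filtered = filter_generator(quadratic_filter, 62)       # two periods of the filtered stream
    print("LC of LFSR output:", linear_complexity(raw))
    print("LC of filtered output:", linear_complexity(filtered), "<= L_2 =", keys_bound(5, 2))
```

The unfiltered output has linear complexity exactly 5; the quadratic filter lifts it above 5 but, as the Fact states, never beyond L_2 = C(5, 1) + C(5, 2) = 15.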


6.3.3  Clock-controlled  generators 

In nonlinear combination generators and nonlinear filter generators, the component LFSRs are clocked regularly; i.e., the movement of data in all the LFSRs is controlled by the same clock. The main idea behind a clock-controlled generator is to introduce nonlinearity into LFSR-based keystream generators by having the output of one LFSR control the clocking (i.e., stepping) of a second LFSR. Since the second LFSR is clocked in an irregular manner, the hope is that attacks based on the regular motion of LFSRs can be foiled. Two clock-controlled generators are described in this subsection: (i) the alternating step generator and (ii) the shrinking generator.

(i) The alternating step generator

The alternating step generator uses an LFSR R_1 to control the stepping of two LFSRs, R_2 and R_3. The keystream produced is the XOR of the output sequences of R_2 and R_3.


6.57 Algorithm Alternating step generator

SUMMARY: a control LFSR R_1 is used to selectively step two other LFSRs, R_2 and R_3.
OUTPUT: a sequence which is the bitwise XOR of the output sequences of R_2 and R_3.
The following steps are repeated until a keystream of desired length is produced.

1. Register R_1 is clocked.

2. If the output of R_1 is 1 then:
R_2 is clocked; R_3 is not clocked but its previous output bit is repeated.
(For the first clock cycle, the “previous output bit” of R_3 is taken to be 0.)

3. If the output of R_1 is 0 then:
R_3 is clocked; R_2 is not clocked but its previous output bit is repeated.
(For the first clock cycle, the “previous output bit” of R_2 is taken to be 0.)

4. The output bits of R_2 and R_3 are XORed; the resulting bit is part of the keystream.

More formally, let the output sequences of LFSRs R_1, R_2, and R_3 be a_0, a_1, a_2, ..., b_0, b_1, b_2, ..., and c_0, c_1, c_2, ..., respectively. Define b_{−1} = c_{−1} = 0. Then the keystream produced by the alternating step generator is x_0, x_1, x_2, ..., where x_j = b_{t(j)} ⊕ c_{j−t(j)−1} and t(j) = (∑_{i=0}^{j} a_i) − 1 for all j ≥ 0. The alternating step generator is depicted in Figure 6.12.

Figure 6.12: The alternating step generator.


6.58 Example (alternating step generator with artificially small parameters) Consider an alternating step generator with component LFSRs R_1 = ⟨3, 1 + D^2 + D^3⟩, R_2 = ⟨4, 1 + D^3 + D^4⟩, and R_3 = ⟨5, 1 + D + D^3 + D^4 + D^5⟩. Suppose that the initial states of R_1, R_2, and R_3 are [0, 0, 1], [1, 0, 1, 1], and [0, 1, 0, 0, 1], respectively. The output sequence of R_1 is the 7-periodic sequence with cycle

a^7 = 1, 0, 0, 1, 0, 1, 1.

The output sequence of R_2 is the 15-periodic sequence with cycle

b^15 = 1, 1, 0, 1, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0.

The output sequence of R_3 is the 31-periodic sequence with cycle

c^31 = 1, 0, 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0.

The keystream generated is

x = 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, ... □


Fact 6.59 establishes, under the assumption that R_1 produces a de Bruijn sequence (see Definition 6.40), that the output sequence of an alternating step generator satisfies the basic requirements of high period, high linear complexity, and good statistical properties.

6.59 Fact (properties of the alternating step generator) Suppose that R_1 produces a de Bruijn sequence of period 2^{L_1}. Furthermore, suppose that R_2 and R_3 are maximum-length LFSRs of lengths L_2 and L_3, respectively, such that gcd(L_2, L_3) = 1. Let x be the output sequence of the alternating step generator formed by R_1, R_2, and R_3.

(i) The sequence x has period 2^{L_1} · (2^{L_2} − 1) · (2^{L_3} − 1).

(ii) The linear complexity L(x) of x satisfies

(L_2 + L_3) < L(x) ≤ (L_2 + L_3) · 2^{L_1}.

(iii) The distribution of patterns in x is almost uniform. More precisely, let P be any binary string of length t bits, where t ≤ min(L_2, L_3). If x(t) denotes any t consecutive bits in x, then the probability that x(t) = P is (1/2)^t + O(1/2^{L_2 − t}) + O(1/2^{L_3 − t}).

Since a de Bruijn sequence can be obtained from the output sequence s of a maximum-length LFSR (of length L) by simply adding a 0 to the end of each subsequence of L − 1 0's occurring in s (see Note 6.43), it is reasonable to expect that the assertions of high period, high linear complexity, and good statistical properties in Fact 6.59 also hold when R_1 is a maximum-length LFSR. Note, however, that this has not yet been proven.

6.60 Note (security of the alternating step generator) The LFSRs R_1, R_2, R_3 should be chosen to be maximum-length LFSRs whose lengths L_1, L_2, L_3 are pairwise relatively prime: gcd(L_1, L_2) = 1, gcd(L_2, L_3) = 1, gcd(L_1, L_3) = 1. Moreover, the lengths should be about the same. If L_1 ≈ l, L_2 ≈ l, and L_3 ≈ l, the best known attack on the alternating step generator is a divide-and-conquer attack on the control register R_1 which takes approximately 2^l steps. Thus, if l ≈ 128, the generator is secure against all presently known attacks.

(ii) The shrinking generator

The shrinking generator is a relatively new keystream generator, having been proposed in 1993. Nevertheless, due to its simplicity and provable properties, it is a promising candidate for high-speed encryption applications. In the shrinking generator, a control LFSR R_1 is used to select a portion of the output sequence of a second LFSR R_2. The keystream produced is, therefore, a shrunken version (also known as an irregularly decimated subsequence) of the output sequence of R_2, as specified in Algorithm 6.61 and depicted in Figure 6.13.

6.61 Algorithm Shrinking generator

SUMMARY: a control LFSR R_1 is used to control the output of a second LFSR R_2.
The following steps are repeated until a keystream of desired length is produced.

1. Registers R_1 and R_2 are clocked.

2. If the output of R_1 is 1, the output bit of R_2 forms part of the keystream.

3. If the output of R_1 is 0, the output bit of R_2 is discarded.

More formally, let the output sequences of LFSRs R_1 and R_2 be a_0, a_1, a_2, ... and b_0, b_1, b_2, ..., respectively. Then the keystream produced by the shrinking generator is x_0, x_1, x_2, ..., where x_j = b_{i_j}, and, for each j ≥ 0, i_j is the position of the jth 1 in the sequence a_0, a_1, a_2, ....


Figure 6.13: The shrinking generator (LFSR R_1 and LFSR R_2 share the clock; if a_i = 1 then b_i is output, if a_i = 0 then b_i is discarded).


6.62 Example (shrinking generator with artificially small parameters) Consider a shrinking generator with component LFSRs R_1 = ⟨3, 1 + D + D^3⟩ and R_2 = ⟨5, 1 + D^3 + D^5⟩. Suppose that the initial states of R_1 and R_2 are [1, 0, 0] and [0, 0, 1, 0, 1], respectively. The output sequence of R_1 is the 7-periodic sequence with cycle

a^7 = 0, 0, 1, 1, 1, 0, 1,

while the output sequence of R_2 is the 31-periodic sequence with cycle

b^31 = 1, 0, 1, 0, 0, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 1, 1, 1, 0, 0, 0, 1, 1, 0, 1, 1, 1, 0.

The keystream generated is

x = 1, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, ... □
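Algorithms 6.57 and 6.61 in Python, run on the small parameters of Examples 6.58 and 6.62, as an added example that is not the Handbook's code. The LFSR helper uses the convention of Definition 6.7 (⟨L, C(D)⟩, initial state [s_{L−1}, ..., s_0], output s_0 first), so the register cycles, the two keystreams and, for the shrinking example, the period predicted by Fact 6.63(i) can all be compared with the values printed on this page.

```python
"""Alternating step generator (Algorithm 6.57) and shrinking generator (Algorithm 6.61).
Added example, not the Handbook's code."""
from itertools import islice


def lfsr(L, taps, state):
    """LFSR <L, C(D)> as in Definition 6.7: taps are the exponents i with c_i = 1,
    state is [s_{L-1}, ..., s_1, s_0]; yields s_0, s_1, ... with s_j = sum c_i s_{j-i} mod 2."""
    w = list(reversed(state))                  # w[k] = s_{j+k}
    while True:
        yield w[0]
        w.append(sum(w[L - i] for i in taps) & 1)
        w.pop(0)


def output_bits(L, taps, state, n):
    """First n output bits of the LFSR <L, C(D)> started in the given state."""
    return list(islice(lfsr(L, taps, state), n))


def alternating_step(r1, r2, r3, nbits):
    """Algorithm 6.57: the bit of R1 decides which of R2, R3 is clocked; the other
    repeats its previous output bit, taken to be 0 before the first clock."""
    out, b, c = [], 0, 0
    for _ in range(nbits):
        if next(r1) == 1:
            b = next(r2)
        else:
            c = next(r3)
        out.append(b ^ c)
    return out


def shrinking(r1, r2, nbits):
    """Algorithm 6.61: both registers are clocked; the R2 bit is kept only when the R1 bit is 1."""
    out = []
    while len(out) < nbits:
        a, b = next(r1), next(r2)
        if a == 1:
            out.append(b)
    return out


def period(seq):
    """Smallest p with seq[i] == seq[i + p] throughout the sample, or None."""
    for p in range(1, len(seq) // 2 + 1):
        if all(seq[i] == seq[i + p] for i in range(len(seq) - p)):
            return p
    return None


def example_6_58(nbits=31):
    r1 = lfsr(3, (2, 3), [0, 0, 1])               # <3, 1 + D^2 + D^3>
    r2 = lfsr(4, (3, 4), [1, 0, 1, 1])            # <4, 1 + D^3 + D^4>
    r3 = lfsr(5, (1, 3, 4, 5), [0, 1, 0, 0, 1])   # <5, 1 + D + D^3 + D^4 + D^5>
    return alternating_step(r1, r2, r3, nbits)


def example_6_62(nbits=17):
    r1 = lfsr(3, (1, 3), [1, 0, 0])               # <3, 1 + D + D^3>
    r2 = lfsr(5, (3, 5), [0, 0, 1, 0, 1])         # <5, 1 + D^3 + D^5>
    return shrinking(r1, r2, nbits)


if __name__ == "__main__":
    print("R1 cycle of Example 6.58:", output_bits(3, (2, 3), [0, 0, 1], 7))
    print("alternating step keystream:", example_6_58())
    print("shrinking keystream:", example_6_62())
    # Fact 6.63(i): period (2^5 - 1) * 2^(3-1) = 124 for the parameters of Example 6.62
    print("shrinking period:", period(example_6_62(248)))
```

Because the control register of Example 6.62 outputs four 1's per 7 clocks, 217 clocks of both registers yield exactly 124 keystream bits before both return to their initial states; the period helper confirms that no shorter period occurs, matching (2^{L_2} − 1) · 2^{L_1 − 1} = 31 · 4.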


Fact 6.63 establishes that the output sequence of a shrinking generator satisfies the basic requirements of high period, high linear complexity, and good statistical properties.

6.63 Fact (properties of the shrinking generator) Let R_1 and R_2 be maximum-length LFSRs of lengths L_1 and L_2, respectively, and let x be an output sequence of the shrinking generator formed by R_1 and R_2.

(i) If gcd(L_1, L_2) = 1, then x has period (2^{L_2} − 1) · 2^{L_1 − 1}.

(ii) The linear complexity L(x) of x satisfies

L_2 · 2^{L_1 − 2} < L(x) ≤ L_2 · 2^{L_1 − 1}.

(iii) Suppose that the connection polynomials for R_1 and R_2 are chosen uniformly at random from the set of all primitive polynomials of degrees L_1 and L_2 over Z_2. Then the distribution of patterns in x is almost uniform. More precisely, if P is any binary string of length t bits and x(t) denotes any t consecutive bits in x, then the probability that x(t) = P is (1/2)^t + O(t/2^{L_2}).

6.64 Note (security of the shrinking generator) Suppose that the component LFSRs R_1 and R_2 of the shrinking generator have lengths L_1 and L_2, respectively. If the connection polynomials for R_1 and R_2 are known (but not the initial contents of R_1 and R_2), the best attack known for recovering the secret key takes O(2^{L_1} · L_2^3) steps. On the other hand, if secret (and variable) connection polynomials are used, the best attack known takes O(2^{2L_1} · L_1 · L_2) steps. There is also an attack through the linear complexity of the shrinking generator which takes O(2^{L_1} · L_2^2) steps (regardless of whether the connections are known or secret), but this attack requires 2^{L_1} · L_2 consecutive bits from the output sequence and is, therefore, infeasible for moderately large L_1 and L_2. For maximum security, R_1 and R_2 should be maximum-length LFSRs, and their lengths should satisfy gcd(L_1, L_2) = 1. Moreover, secret connections should be used. Subject to these constraints, if L_1 ≈ l and L_2 ≈ l, the shrinking generator has a security level approximately equal to 2^{2l}. Thus, if L_1 ≈ 64 and L_2 ≈ 64, the generator appears to be secure against all presently known attacks.


6.4  Other  stream  ciphers 

While the LFSR-based stream ciphers discussed in §6.3 are well-suited to hardware implementation, they are not especially amenable to software implementation. This has led to several recent proposals for stream ciphers designed particularly for fast software implementation. Most of these proposals are either proprietary, or are relatively new and have not received sufficient scrutiny from the cryptographic community; for this reason, they are not presented in this section, and instead only mentioned in the chapter notes on page 222.

Two promising stream ciphers specifically designed for fast software implementation are SEAL and RC4. SEAL is presented in §6.4.1. RC4 is used in commercial products, and has a variable key-size, but it remains proprietary and is not presented here. Two other widely used stream ciphers not based on LFSRs are the Output Feedback (OFB; see §7.2.2(iv)) and Cipher Feedback (CFB; see §7.2.2(iii)) modes of block ciphers. Another class of keystream generators not based on LFSRs are those whose security relies on the intractability of an underlying number-theoretic problem; these generators are much slower than those based on LFSRs and are discussed in §5.5.


6.4.1  SEAL 

SEAL (Software-optimized Encryption Algorithm) is a binary additive stream cipher (see Definition 6.4) that was proposed in 1993. Since it is relatively new, it has not yet received much scrutiny from the cryptographic community. However, it is presented here because it is one of the few stream ciphers that was specifically designed for efficient software implementation and, in particular, for 32-bit processors.

SEAL is a length-increasing pseudorandom function which maps a 32-bit sequence number n to an L-bit keystream under control of a 160-bit secret key a. In the preprocessing stage (step 1 of Algorithm 6.68), the key is stretched into larger tables using the table-generation function G_a specified in Algorithm 6.67; this function is based on the Secure Hash Algorithm SHA-1 (Algorithm 9.53). Subsequent to this preprocessing, keystream generation requires about 5 machine instructions per byte, and is an order of magnitude faster than DES (Algorithm 7.82).

The following notation is used in SEAL for 32-bit quantities A, B, C, D, X_i, and Y_j:

• ¬A: bitwise complement of A

• A ∧ B, A ∨ B, A ⊕ B: bitwise AND, inclusive-OR, exclusive-OR

• A ↩ s: 32-bit result of rotating A left through s positions

• A ↪ s: 32-bit result of rotating A right through s positions

• A + B: mod 2^32 sum of the unsigned integers A and B

• f(B, C, D) = (B ∧ C) ∨ (¬B ∧ D); g(B, C, D) = (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D); h(B, C, D) = B ⊕ C ⊕ D

• A || B: concatenation of A and B

• (X_1, ..., X_j) ← (Y_1, ..., Y_j): simultaneous assignments (X_i ← Y_i), where (Y_1, ..., Y_j) is evaluated prior to any assignments.

6.65 Note (SEAL 1.0 vs. SEAL 2.0) The table-generation function (Algorithm 6.67) for the first version of SEAL (SEAL 1.0) was based on the Secure Hash Algorithm (SHA). SEAL 2.0 differs from SEAL 1.0 in that the table-generation function for the former is based on the modified Secure Hash Algorithm SHA-1 (Algorithm 9.53).

6.66 Note (tables) The table generation (step 1 of Algorithm 6.68) uses the compression function of SHA-1 to expand the secret key a into larger tables T, S, and R. These tables can be precomputed, but only after the secret key a has been established. Tables T and S are 2K bytes and 1K byte in size, respectively. The size of table R depends on the desired bitlength L of the keystream: each 1K byte of keystream requires 16 bytes of R.
6.67 Algorithm Table-generation function for SEAL 2.0

G_a(i)

INPUT: a 160-bit string a and an integer i, 0 ≤ i < 2^32.

OUTPUT: a 160-bit string, denoted G_a(i).

1. Definition of constants. Define four 32-bit constants (in hex): y_1 = 0x5a827999, y_2 = 0x6ed9eba1, y_3 = 0x8f1bbcdc, y_4 = 0xca62c1d6.

2. Table-generation function.
(initialize 80 32-bit words X_0, X_1, ..., X_79)
Set X_0 ← i. For j from 1 to 15 do: X_j ← 0x00000000.
For j from 16 to 79 do: X_j ← ((X_{j−3} ⊕ X_{j−8} ⊕ X_{j−14} ⊕ X_{j−16}) ↩ 1).
(initialize working variables)
Break up the 160-bit string a into five 32-bit words: a = H_0 H_1 H_2 H_3 H_4.
(A, B, C, D, E) ← (H_0, H_1, H_2, H_3, H_4).
(execute four rounds of 20 steps, then update; t is a temporary variable)
(Round 1) For j from 0 to 19 do the following:
t ← ((A ↩ 5) + f(B, C, D) + E + X_j + y_1),
(A, B, C, D, E) ← (t, A, B ↩ 30, C, D).
(Round 2) For j from 20 to 39 do the following:
t ← ((A ↩ 5) + h(B, C, D) + E + X_j + y_2),
(A, B, C, D, E) ← (t, A, B ↩ 30, C, D).
(Round 3) For j from 40 to 59 do the following:
t ← ((A ↩ 5) + g(B, C, D) + E + X_j + y_3),
(A, B, C, D, E) ← (t, A, B ↩ 30, C, D).
(Round 4) For j from 60 to 79 do the following:
t ← ((A ↩ 5) + h(B, C, D) + E + X_j + y_4),
(A, B, C, D, E) ← (t, A, B ↩ 30, C, D).
(update chaining values)
(H_0, H_1, H_2, H_3, H_4) ← (H_0 + A, H_1 + B, H_2 + C, H_3 + D, H_4 + E).
(completion) The value of G_a(i) is the 160-bit string H_0 || H_1 || H_2 || H_3 || H_4.


6.68 Algorithm Keystream generator for SEAL 2.0

SEAL(a, n)

INPUT: a 160-bit string a (the secret key), a (non-secret) integer n, 0 ≤ n < 2^32 (the sequence number), and the desired bitlength L of the keystream.

OUTPUT: keystream y of bitlength L', where L' is the least multiple of 128 which is ≥ L.

1. Table generation. Generate the tables T, S, and R, whose entries are 32-bit words. The function F used below is defined by F_a(i) = H^i_{i mod 5}, where H^i_0 H^i_1 H^i_2 H^i_3 H^i_4 = G_a(⌊i/5⌋), and where the function G_a is defined in Algorithm 6.67.
1.1 For i from 0 to 511 do the following: T[i] ← F_a(i).
1.2 For j from 0 to 255 do the following: S[j] ← F_a(0x00001000 + j).
1.3 For k from 0 to 4 · ⌈(L − 1)/8192⌉ − 1 do: R[k] ← F_a(0x00002000 + k).

2. Initialization procedure. The following is a description of the subroutine Initialize(n, l, A, B, C, D, n_1, n_2, n_3, n_4) which takes as input a 32-bit word n and an integer l, and outputs eight 32-bit words A, B, C, D, n_1, n_2, n_3, and n_4. This subroutine is used in step 4.
A ← n ⊕ R[4l], B ← (n ↪ 8) ⊕ R[4l + 1], C ← (n ↪ 16) ⊕ R[4l + 2], D ← (n ↪ 24) ⊕ R[4l + 3].
For j from 1 to 2 do the following:
P ← A ∧ 0x000007fc, B ← B + T[P/4], A ← (A ↪ 9),
P ← B ∧ 0x000007fc, C ← C + T[P/4], B ← (B ↪ 9),
P ← C ∧ 0x000007fc, D ← D + T[P/4], C ← (C ↪ 9),
P ← D ∧ 0x000007fc, A ← A + T[P/4], D ← (D ↪ 9).
(n_1, n_2, n_3, n_4) ← (D, B, A, C).
P ← A ∧ 0x000007fc, B ← B + T[P/4], A ← (A ↪ 9).
P ← B ∧ 0x000007fc, C ← C + T[P/4], B ← (B ↪ 9).
P ← C ∧ 0x000007fc, D ← D + T[P/4], C ← (C ↪ 9).
P ← D ∧ 0x000007fc, A ← A + T[P/4], D ← (D ↪ 9).

3. Initialize y to be the empty string, and l ← 0.

4. Repeat the following:
4.1 Execute the procedure Initialize(n, l, A, B, C, D, n_1, n_2, n_3, n_4).
4.2 For i from 1 to 64 do the following:
P ← A ∧ 0x000007fc, B ← B + T[P/4], A ← (A ↪ 9), B ← B ⊕ A,
Q ← B ∧ 0x000007fc, C ← C ⊕ T[Q/4], B ← (B ↪ 9), C ← C + B,
P ← (P + C) ∧ 0x000007fc, D ← D + T[P/4], C ← (C ↪ 9), D ← D ⊕ C,
Q ← (Q + D) ∧ 0x000007fc, A ← A ⊕ T[Q/4], D ← (D ↪ 9), A ← A + D,
P ← (P + A) ∧ 0x000007fc, B ← B ⊕ T[P/4], A ← (A ↪ 9),
Q ← (Q + B) ∧ 0x000007fc, C ← C + T[Q/4], B ← (B ↪ 9),
P ← (P + C) ∧ 0x000007fc, D ← D ⊕ T[P/4], C ← (C ↪ 9),
Q ← (Q + D) ∧ 0x000007fc, A ← A + T[Q/4], D ← (D ↪ 9),
y ← y || (B + S[4i − 4]) || (C ⊕ S[4i − 3]) || (D + S[4i − 2]) || (A ⊕ S[4i − 1]).
If y is ≥ L bits in length then return(y) and stop.
If i is odd, set (A, C) ← (A + n_1, C + n_2). Otherwise, (A, C) ← (A + n_3, C + n_4).
4.3 Set l ← l + 1.


6.69 Note (choice of parameter L) In most applications of SEAL 2.0 it is expected that L ≤
2^19; larger values of L are permissible, but come at the expense of a larger table R. A
preferred method for generating a longer keystream without requiring a larger table R is
to compute the concatenation of the keystreams SEAL(a,0), SEAL(a,1), SEAL(a,2), . . . .
Since the sequence number is n < 2^32, a keystream of length up to 2^51 bits can be obtained
in this manner with L = 2^19.
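The following Python program is an added example, not code from the Handbook or from SEAL's designers. It implements steps 2 to 4 of Algorithm 6.68 as written above (Initialize, the 64-iteration loop, the odd/even correction with n1, ..., n4) over tables T, S, R supplied by the caller, plus the Note 6.69 construction that concatenates SEAL(a,0), SEAL(a,1), ... for a keystream longer than L bits. Step 1, the derivation of the tables from the key a with SHA-1, is not on this page, so demo_tables builds constructed placeholder tables with hashlib (this is not SEAL's table derivation) and the output therefore does not reproduce Example 6.70; fed the real tables, seal_keystream is the computation the test vector exercises, and xor_words gives the check value of the kind quoted there. All function names are the author's choices.

```python
import hashlib
from typing import List, Tuple

MASK32 = 0xFFFFFFFF


def rotr(x: int, s: int) -> int:
    """Right rotation of a 32-bit word by s positions (x ↪ s in the algorithm)."""
    return ((x >> s) | (x << (32 - s))) & MASK32


def add(x: int, y: int) -> int:
    """Addition modulo 2^32."""
    return (x + y) & MASK32


def _mix(T: List[int], A: int, B: int, C: int, D: int) -> Tuple[int, int, int, int]:
    """One pass of the four table look-ups used inside Initialize (step 2)."""
    P = A & 0x7FC; B = add(B, T[P >> 2]); A = rotr(A, 9)   # T[P/4]: P is a multiple of 4
    P = B & 0x7FC; C = add(C, T[P >> 2]); B = rotr(B, 9)
    P = C & 0x7FC; D = add(D, T[P >> 2]); C = rotr(C, 9)
    P = D & 0x7FC; A = add(A, T[P >> 2]); D = rotr(D, 9)
    return A, B, C, D


def initialize(T: List[int], R: List[int], n: int, l: int) -> Tuple[int, ...]:
    """Step 2: derive (A, B, C, D, n1, n2, n3, n4) from the sequence number n and counter l."""
    A = n ^ R[4 * l]
    B = rotr(n, 8) ^ R[4 * l + 1]
    C = rotr(n, 16) ^ R[4 * l + 2]
    D = rotr(n, 24) ^ R[4 * l + 3]
    for _ in range(2):                        # "for j from 1 to 2"
        A, B, C, D = _mix(T, A, B, C, D)
    n1, n2, n3, n4 = D, B, A, C
    A, B, C, D = _mix(T, A, B, C, D)          # the final pass after (n1..n4) are captured
    return A, B, C, D, n1, n2, n3, n4


def seal_keystream(T: List[int], S: List[int], R: List[int], n: int, L: int) -> List[int]:
    """Steps 3-4: the keystream SEAL(a, n) as a list of L/32 32-bit words (y[0], y[1], ...)."""
    if L <= 0 or L % 128 != 0:
        raise ValueError("L must be a positive multiple of 128")
    if not 0 <= n < 2 ** 32:
        raise ValueError("the sequence number n must be a 32-bit word")
    if len(T) != 512 or len(S) != 256 or len(R) < 4 * ((L - 1) // 8192 + 1):
        raise ValueError("tables are not sized for this L (step 1.3); see Note 6.69")
    y: List[int] = []
    l = 0
    while True:
        A, B, C, D, n1, n2, n3, n4 = initialize(T, R, n, l)
        for i in range(1, 65):
            P = A & 0x7FC;       B = add(B, T[P >> 2]); A = rotr(A, 9); B ^= A
            Q = B & 0x7FC;       C ^= T[Q >> 2];        B = rotr(B, 9); C = add(C, B)
            P = (P + C) & 0x7FC; D = add(D, T[P >> 2]); C = rotr(C, 9); D ^= C
            Q = (Q + D) & 0x7FC; A ^= T[Q >> 2];        D = rotr(D, 9); A = add(A, D)
            P = (P + A) & 0x7FC; B ^= T[P >> 2];        A = rotr(A, 9)
            Q = (Q + B) & 0x7FC; C = add(C, T[Q >> 2]); B = rotr(B, 9)
            P = (P + C) & 0x7FC; D ^= T[P >> 2];        C = rotr(C, 9)
            Q = (Q + D) & 0x7FC; A = add(A, T[Q >> 2]); D = rotr(D, 9)
            y += [add(B, S[4 * i - 4]), C ^ S[4 * i - 3], add(D, S[4 * i - 2]), A ^ S[4 * i - 1]]
            if 32 * len(y) >= L:
                return y
            if i % 2 == 1:
                A, C = add(A, n1), add(C, n2)
            else:
                A, C = add(A, n3), add(C, n4)
        l += 1


def seal_long_keystream(T, S, R, nbits: int, L: int) -> List[int]:
    """Note 6.69: SEAL(a,0) || SEAL(a,1) || ... truncated to nbits bits (nbits a multiple of 32)."""
    words: List[int] = []
    n = 0
    while 32 * len(words) < nbits:
        words += seal_keystream(T, S, R, n, L)
        n += 1
    return words[: nbits // 32]


def xor_words(words: List[int]) -> int:
    """XOR of all output words, the check value style used in Example 6.70."""
    acc = 0
    for w in words:
        acc ^= w
    return acc


def demo_tables(a: bytes, L: int):
    """CONSTRUCTED placeholder tables derived with hashlib from the key and an index.
    This is NOT SEAL's step 1 (which runs the SHA-1 compression function with chaining
    value a), so these tables do not reproduce the Handbook's test vector."""
    def word(tag: bytes, i: int) -> int:
        return int.from_bytes(hashlib.sha1(a + tag + i.to_bytes(4, "big")).digest()[:4], "big")
    T = [word(b"T", i) for i in range(512)]
    S = [word(b"S", j) for j in range(256)]
    R = [word(b"R", k) for k in range(4 * ((L - 1) // 8192 + 1))]
    return T, S, R


if __name__ == "__main__":
    a = bytes.fromhex("67452301efcdab8998badcfe10325476c3d2e1f0")  # key of Example 6.70, demo tables only
    T, S, R = demo_tables(a, 32768)
    y = seal_keystream(T, S, R, 0x013577AF, 32768)
    print(len(y), "words; xor of all words = 0x%08x" % xor_words(y))
```

Two properties worth noticing when running it: the keystream for a given (tables, n) is the same whatever L is requested, so SEAL(a, n) with L = 8192 is a prefix of the L = 32768 output, and the size check on R is what enforces the table-growth cost that Note 6.69 avoids by stepping n instead of raising L.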


6.70 Example (test vectors for SEAL 2.0) Suppose the key a is the 160-bit (hexadecimal) string

   67452301 efcdab89 98badcfe 10325476 c3d2e1f0,

n = 0x013577af, and L = 32768 bits. Table R consists of words R[0], R[1], . . . , R[15]:

   5021758d ce577c11 fa5bd5dd 366d1b93 182cff72 ac06d7c6
   2683ead8 fabe3573 82a10c96 48c483bd ca92285c 71fe84c0
   bd76b700 6fdcc20c 8dada151 4506dd64

The table T consists of words T[0], T[1], . . . , T[511] (only the first twelve and the last
six words of T, S, and y are listed):

   92b404e5 56588ced 6c1acd4e bf053f68 09f73a93 cd5f176a
   b863f14e 2b014a2f 4407e646 38665610 222d2f91 4d941a21
   . . .
   3af3a4bf 021e4080 2a677d95 405c7db0 338e4b1e 19ccf158

The table S consists of words S[0], S[1], . . . , S[255]:

   907c1e3d ce71ef0a 48f559ef 2b7ab8bc 4557f4b8 033e9b05
   4fde0efa 1a845f94 38512c3b d4b44591 53765dce 469efa02
   . . .
   bd7dea87 fd036d87 53aa3013 ec60e282 1eaef8f9 0b5a0949

The output y of Algorithm 6.68 consists of 1024 words y[0], y[1], . . . , y[1023]:

   37a00595 9b84c49c a4be1e05 0673530f 0ac8389d c5878ec8
   da6666d0 6da71328 1419bdf2 d258bebb b6a42a4d 8a311a72
   . . .
   547dfde9 668d50b5 ba9e2567 413403c5 43120b5a ecf9d062

The XOR of the 1024 words of y is 0x098045fc. □


6.5  Notes  and  further  references 

§6.1 

Although now dated, Rueppel [1075] provides a solid introduction to the analysis and
design of stream ciphers. For an updated and more comprehensive survey, see Rueppel
[1081]. Another recommended survey is that of Robshaw [1063].

The concept of unconditional security was introduced in the seminal paper by Shannon
[1120]. Maurer [819] surveys the role of information theory in cryptography and, in
particular, secrecy, authentication, and secret sharing schemes. Maurer [811] devised a
randomized stream cipher that is unconditionally secure "with high probability". More
precisely, an adversary is unable to obtain any information whatsoever about the plaintext
with probability arbitrarily close to 1, unless the adversary can perform an infeasible
computation. The cipher utilizes a publicly-accessible source of random bits whose length
is much greater than that of all the plaintext to be encrypted, and can conceivably be made
practical. Maurer's cipher is based on the impractical Rip van Winkle cipher of Massey and
Ingemarsson [789], which is described by Rueppel [1081].

One  technique  for  solving  the  re-synchronization  problem  with  synchronous  stream  ciphers 
is  to  have  the  receiver  send  a resynchronization  request  to  the  sender,  whereby  a new  inter- 
nal state  is  computed  as  a (public)  function  of  the  original  internal  state  (or  key)  and  some 
public  information  (such  as  the  time  at  the  moment  of  the  request).  Daemen,  Govaerts, 
and  Vandewalle  [291]  showed  that  this  approach  can  result  in  a total  loss  of  security  for 
some  published  stream  cipher  proposals.  Proctor  [1011]  considered  the  trade-off  between 
the  security  and  error  propagation  problems  that  arise  by  varying  the  number  of  feedback 
ciphertext  digits.  Maurer  [808]  presented  various  design  approaches  for  self-synchronizing 
stream  ciphers  that  are  potentially  superior  to  designs  based  on  block  ciphers,  both  with  re- 
spect to  encryption  speed  and  security. 

§6.2 

An excellent introduction to the theory of both linear and nonlinear shift registers is the
book by Golomb [498]; see also Selmer [1107], Chapters 5 and 6 of Beker and Piper [84],
and Chapter 8 of Lidl and Niederreiter [764]. A lucid treatment of m-sequences can be
found in Chapter 10 of McEliece [830]. While the discussion in this chapter has been
restricted to sequences and feedback shift registers over the binary field Z_2, many of the
results presented can be generalized to sequences and feedback shift registers over any
finite field F_q.
The results on the expected linear complexity and linear complexity profile of random
sequences (Facts 6.21, 6.22, 6.24, and 6.25) are from Chapter 4 of Rueppel [1075]; they
also appear in Rueppel [1077]. Dai and Yang [294] extended Fact 6.22 and obtained
bounds for the expected linear complexity of an n-periodic sequence for each possible value
of n. The bounds imply that the expected linear complexity of a random periodic sequence
is close to the period of the sequence. The linear complexity profile of the sequence defined
in Example 6.27 was established by Dai [293]. For further theoretical analysis of the linear
complexity profile, consult the work of Niederreiter [927, 928, 929, 930].

Facts 6.29 and 6.34 are due to Massey [784]. The Berlekamp-Massey algorithm (Algorithm
6.30) is due to Massey [784], and is based on an earlier algorithm of Berlekamp [118]
for decoding BCH codes. While the algorithm in §6.2.3 is only described for binary
sequences, it can be generalized to find the linear complexity of sequences over any field.
Further discussion and refinements of the Berlekamp-Massey algorithm are given by Blahut
[144]. There are numerous other algorithms for computing the linear complexity of a
sequence. For example, Games and Chan [439] and Robshaw [1062] present efficient
algorithms for determining the linear complexity of binary sequences of period 2^n; these
algorithms have limited practical use since they require an entire cycle of the sequence.

Jansen  and  Boekee  [632]  defined  the  maximum  order  complexity  of  a sequence  to  be  the 
length  of  the  shortest  (not  necessarily  linear)  feedback  shift  register  (FSR)  that  can  gener- 
ate the  sequence.  The  expected  maximum  order  complexity  of  a random  binary  sequence 
of  length  n is  approximately  2 lg  n.  An  efficient  linear-time  algorithm  for  computing  this 
complexity  measure  was  also  presented;  see  also  Jansen  and  Boekee  [631]. 

Another complexity measure, the Ziv-Lempel complexity measure, was proposed by Ziv and
Lempel [1273]. This measure quantifies the rate at which new patterns appear in a sequence.
Mund [912] used a heuristic argument to derive the expected Ziv-Lempel complexity of a
random binary sequence of a given length. For a detailed study of the relative strengths
and weaknesses of the linear, maximum order, and Ziv-Lempel complexity measures, see
Erdmann [372].

Kolmogorov [704] and Chaitin [236] introduced the notion of so-called Turing-Kolmogorov-
Chaitin complexity, which measures the minimum size of the input to a fixed universal
Turing machine which can generate a given sequence; see also Martin-Löf [783]. While this
complexity measure is of theoretical interest, there is no algorithm known for computing it
and, hence, it has no apparent practical significance. Beth and Dai [124] have shown that
the Turing-Kolmogorov-Chaitin complexity is approximately twice the linear complexity
for most sequences of sufficient length.

Fact 6.39 is due to Golomb and Welch, and appears in the book of Golomb [498, p. 115].
Lai [725] showed that Fact 6.39 is only true for the binary case, and established necessary
and sufficient conditions for an FSR over a general finite field to be nonsingular.

Klapper and Goresky [677] introduced a new type of feedback register called a feedback
with carry shift register (FCSR), which is equipped with auxiliary memory for storing the
(integer) carry. An FCSR is similar to an LFSR (see Figure 6.4), except that the contents
of the tapped stages of the shift register are added as integers to the current content of the
memory to form a sum S. The least significant bit of S (i.e., S mod 2) is then fed back
into the first (leftmost) stage of the shift register, while the remaining higher order bits (i.e.,
⌊S/2⌋) are retained as the new value of the memory. If the FCSR has L stages, then the
space required for the auxiliary memory is at most lg L bits. FCSRs can be conveniently
analyzed using the algebra over the 2-adic numbers just as the algebra over finite fields is
used to analyze LFSRs.

Any periodic binary sequence can be generated by an FCSR. The 2-adic span of a periodic
sequence is the number of stages and memory bits in the smallest FCSR that generates the
sequence. Let s be a periodic sequence having a 2-adic span of T; note that T is no more
than the period of s. Klapper and Goresky [678] presented an efficient algorithm for finding
an FCSR of length T which generates s, given 2T + 2⌈lg T⌉ + 4 of the initial bits of s. A
comprehensive treatment of FCSRs and the 2-adic span is given by Klapper and Goresky
[676].
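As an added example (not the Handbook's code, nor Klapper and Goresky's), the following Python class performs exactly the FCSR clock described above: the tapped stages and the carry memory are summed as integers, S mod 2 enters the leftmost stage, and ⌊S/2⌋ becomes the new memory. The register, tap set and initial state in the usage are constructed for illustration; cycle_length drives the full (stages, memory) state until it repeats, which also exhibits the bound on the carry (once m is at most the number of taps w, S ≤ m + w keeps ⌊S/2⌋ ≤ w, which is why the memory needs only a few bits).

```python
from typing import Iterable, List, Tuple


class FCSR:
    """Feedback with carry shift register: L binary stages plus an integer carry memory m.

    stages[0] is the rightmost (output) stage; a new bit enters at the left, which is the
    end of the list. On each clock: S = m + (integer sum of tapped stages); S mod 2 is fed
    back into the leftmost stage and floor(S/2) is kept as the new memory."""

    def __init__(self, stages: Iterable[int], taps: Iterable[int], memory: int = 0):
        self.stages = [b & 1 for b in stages]
        self.L = len(self.stages)
        self.taps = sorted(set(taps))
        if any(not 0 <= i < self.L for i in self.taps):
            raise ValueError("tap index outside 0..L-1")
        if memory < 0:
            raise ValueError("carry memory must be a non-negative integer")
        self.m = memory

    def clock(self) -> int:
        out = self.stages[0]
        S = self.m + sum(self.stages[i] for i in self.taps)   # integer, not mod-2, sum
        self.stages = self.stages[1:] + [S % 2]               # LSB of S into the leftmost stage
        self.m = S // 2                                       # higher-order bits become the carry
        return out

    def state(self) -> Tuple[Tuple[int, ...], int]:
        return tuple(self.stages), self.m


def output(stages, taps, memory: int, n: int) -> List[int]:
    """First n output bits of the register."""
    r = FCSR(stages, taps, memory)
    return [r.clock() for _ in range(n)]


def cycle_length(stages, taps, memory: int = 0, limit: int = 1 << 16) -> Tuple[int, int]:
    """Clock until the complete (stages, memory) state repeats.

    Returns (length of the state cycle, largest carry seen). The state space is finite, so
    the output sequence is eventually periodic with this cycle length."""
    r = FCSR(stages, taps, memory)
    seen = {}
    max_m = r.m
    for t in range(limit):
        st = r.state()
        if st in seen:
            return t - seen[st], max_m
        seen[st] = t
        r.clock()
        max_m = max(max_m, r.m)
    raise RuntimeError("no repeated state within the limit")


if __name__ == "__main__":
    # constructed toy register: two stages, both tapped, initial state (1, 1), empty carry
    print(output([1, 1], [0, 1], 0, 8))      # 1 1 0 0 1 1 0 0
    print(cycle_length([1, 1], [0, 1]))       # (4, 1): period 4, carry never exceeds 1
```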

Notes  6.46  and  6.47  on  the  selection  of  connection  polynomials  were  essentially  first  point- 
ed out  by  Meier  and  Staffelbach  [834]  and  Chepyzhov  and  Smeets  [256]  in  relation  to 
fast  correlation  attacks  on  regularly  clocked  LFSRs.  Similar  observations  were  made  by 
Coppersmith,  Krawczyk,  and  Mansour  [279]  in  connection  with  the  shrinking  generator. 
More  generally,  to  withstand  sophisticated  correlation  attacks  (e.g.,  see  Meier  and  Staffel- 
bach [834]),  the  connection  polynomials  should  not  have  low-weight  polynomial  multiples 
whose  degrees  are  not  sufficiently  large. 

Klapper  [675]  provides  examples  of  binary  sequences  having  high  linear  complexity,  but 
whose  linear  complexity  is  low  when  considered  as  sequences  (whose  elements  happen  to 
be  only  0 or  1)  over  a larger  finite  field.  This  demonstrates  that  high  linear  complexity  (over 
Z2)  by  itself  is  inadequate  for  security.  Fact  6.49  was  proven  by  Rueppel  and  Staffelbach 
[1085]. 

The Geffe generator (Example 6.50) was proposed by Geffe [446]. The Pless generator
(Arrangement D of [978]) was another early proposal for a nonlinear combination
generator, and uses four J-K flip-flops to combine the output of eight LFSRs. This generator
also succumbs to a divide-and-conquer attack, as was demonstrated by Rubin [1074].

The linear syndrome attack of Zeng, Yang, and Rao [1265] is a known-plaintext attack on
keystream generators, and is based on earlier work of Zeng and Huang [1263]. It is effective
when the known keystream B can be written in the form B = A ⊕ X, where A is the output
sequence of an LFSR with known connection polynomial, and the sequence X is unknown
but sparse in the sense that it contains more 0's than 1's. If the connection polynomials of
the Geffe generator are all known to an adversary, and are primitive trinomials of degrees
not exceeding n, then the initial states of the three component LFSRs (i.e., the secret key)
can be efficiently recovered from a known keystream segment of length 37n bits.

The  correlation  attack  (Note  6.51)  on  nonlinear  combination  generators  was  first  devel- 
oped by  Siegenthaler  [1133],  and  estimates  were  given  for  the  length  of  the  observed 
keystream  required  for  the  attack  to  succeed  with  high  probability.  The  importance  of 
correlation  immunity  to  nonlinear  combining  functions  was  pointed  out  by  Siegenthaler 
[1132],  who  showed  the  tradeoff  between  high  correlation  immunity  and  high  nonlinear  or- 
der (Fact  6.53).  Meier  and  Staffelbach  [834]  presented  two  new  so-called  fast  correlation 
attacks  which  are  more  efficient  than  Siegenthaler’s  attack  in  the  case  where  the  component 
LFSRs  have  sparse  feedback  polynomials,  or  if  they  have  low-weight  polynomial  multiples 
(e.g.,  each  having  fewer  than  10  non-zero  terms)  of  not  too  large  a degree.  Further  exten- 
sions and  refinements  of  correlation  attacks  can  be  found  in  the  papers  of  Mihaljevic  and 
Golic  [874],  Chepyzhov  and  Smeets  [256],  Golic  and  Mihaljevic  [491],  Mihaljevic  and  J. 
Golic  [875],  Mihaljevic  [873],  Clark,  Golic,  and  Dawson  [262],  and  Penzhorn  and  Kuhn 
[967].  A comprehensive  survey  of  correlation  attacks  on  LFSR-based  stream  ciphers  is  the 
paper  by  Golic  [486];  the  cases  where  the  combining  function  is  memoryless  or  with  mem- 
ory, as  well  as  when  the  LFSRs  are  clocked  regularly  or  irregularly,  are  all  considered. 

The summation generator (Example 6.54) was proposed by Rueppel [1075, 1076]. Meier
and Staffelbach [837] presented correlation attacks on combination generators having
memory, cracked the summation generator having only two component LFSRs, and as a
result recommended using several LFSRs of moderate lengths rather than just a few long
LFSRs in the summation generator. As an example, if a summation generator employs two
LFSRs each having length approximately 200, and if 50 000 keystream bits are known, then
Meier and Staffelbach's attack is expected to take less than 700 trials, where the dominant
step in each trial involves solving a 400 × 400 system of binary linear equations. Dawson
[312] presented another known-plaintext attack on summation generators having two
component LFSRs, which requires fewer known keystream bits than Meier and Staffelbach's
attack. Dawson's attack is only faster than that of Meier and Staffelbach in the case where
both LFSRs are relatively short. Recently, Klapper and Goresky [678] showed that the
summation generator has comparatively low 2-adic span (see page 218). More precisely, if
a and b are two sequences of 2-adic span λ_2(a) and λ_2(b), respectively, and if s is the
result of combining them with the summation generator, then the 2-adic span of s is at most
λ_2(a) + λ_2(b) + 2⌈lg(λ_2(a))⌉ + 2⌈lg(λ_2(b))⌉ + 6. For example, if m-sequences of period
2^L − 1 for L = 7, 11, 13, 15, 16, 17 are combined with the summation generator, then the
resulting sequence has linear complexity nearly 2^19, but the 2-adic span is less than 2^18.
Hence, the summation generator is vulnerable to a known-plaintext attack when the
component LFSRs are all relatively short.

The probability distribution of the carry for addition of n random integers was analyzed by
Staffelbach and Meier [1167]. It was proven that the carry is balanced for even n and biased
for odd n. For n = 3 the carry is strongly biased; however, the bias converges to 0 as n tends
to ∞. Golic [485] pointed out the importance of the correlation between linear functions of
the output and input in general combiners with memory, and introduced the so-called linear
sequential circuit approximation method for finding such functions that produce correlated
sequences. Golic [488] used this as a basis for developing a linear cryptanalysis technique
for stream ciphers, and in the same paper proposed a stream cipher called GOAL,
incorporating principles of modified truncated linear congruential generators (see page 187),
self-clock-control, and randomly generated combiners with memory.

Fact 6.55(i) is due to Key [670], while Fact 6.55(ii) was proven by Rueppel [1075]. Massey
and Serconek [794] gave an alternate proof of Key's bound that is based on the Discrete
Fourier Transform. Siegenthaler [1134] described a correlation attack on nonlinear filter
generators. Forré [418] has applied fast correlation attacks to such generators. Anderson
[29] demonstrated other correlations which may be useful in improving the success of
correlation attacks. An attack called the inversion attack, proposed by Golic [490], may be
more effective than Anderson's attack. Golic also provides a list of design criteria for
nonlinear filter generators. Ding [349] introduced the notion of differential cryptanalysis for
nonlinear filter generators where the LFSR is replaced by a simple counter having arbitrary
period.

The linear consistency attack of Zeng, Yang, and Rao [1264] is a known-plaintext attack
on keystream generators which can discover key redundancies in various generators. It is
effective in situations where it is possible to single out a certain portion k_1 of the secret key
k, and form a linear system of equations Ax = b where the matrix A is determined by k_1,
and b is determined from the known keystream. The system of equations should have the
property that it is consistent (and with high probability has a unique solution) if k_1 is the
true value of the subkey, while it is inconsistent with high probability otherwise. In these
circumstances, one can mount an exhaustive search for k_1, and subsequently mount a
separate attack for the remaining bits of k. If the bitlengths of k_1 and k are l_1 and l,
respectively, the attack demonstrates that the security level of the generator is
2^{l_1} + 2^{l − l_1}, rather than 2^l.
The multiplexer generator was proposed by Jennings [637]. Two maximum-length LFSRs
having lengths L_1, L_2 that are relatively prime are employed. Let h be a positive integer
satisfying h ≤ min(L_1, lg L_2). After each clock cycle, the contents of a fixed subset of h
stages of the first LFSR are selected, and converted to an integer t in the interval [0, L_2 − 1]
using a 1-1 mapping θ. Finally, the content of stage t of the second LFSR is output as
part of the keystream. Assuming that the connection polynomials of the LFSRs are known,
the linear consistency attack provides a known-plaintext attack on the multiplexer
generator requiring a known keystream sequence of length N ≥ L_1 + L_2·2^h and 2^{L_1 + h}
linear consistency tests. This demonstrates that the choice of the mapping θ and the second
LFSR do not contribute significantly to the security of the generator.

The linear consistency attack has also been considered by Zeng, Yang, and Rao [1264] for
the multispeed inner-product generator of Massey and Rueppel [793]. In this generator,
two LFSRs of lengths L_1 and L_2 are clocked at different rates, and their contents combined
at the lower clock rate by taking the inner-product of the min(L_1, L_2) stages of the two
LFSRs. The paper by Zeng et al. [1266] is a readable survey describing the effectiveness
of the linear consistency and linear syndrome attacks in cryptanalyzing stream ciphers.

The  knapsack  generator  (Example  6.56)  was  proposed  by  Rueppel  and  Massey  [1084]  and 
extensively  analyzed  by  Rueppel  [1075],  however,  no  concrete  suggestions  on  selecting  ap- 
propriate parameters  (the  length  L of  the  LFSR  and  the  knapsack  weights)  for  the  generator 
were  given.  No  weaknesses  of  the  knapsack  generator  have  been  reported  in  the  literature. 

The  idea  of  using  the  output  of  a register  to  control  the  stepping  of  another  register  was  used 
in  several  rotor  machines  during  the  second  world  war,  for  example,  the  German  Lorenz 
SZ40  cipher.  A description  of  this  cipher,  and  also  an  extensive  survey  of  clock-controlled 
shift  registers,  is  provided  by  Gollmann  and  Chambers  [496]. 

The alternating step generator (Algorithm 6.57) was proposed in 1987 by Günther [528],
who also proved Fact 6.59 and described the divide-and-conquer attack mentioned in
Note 6.60. The alternating step generator is based on the stop-and-go generator of Beth
and Piper [126]. In the stop-and-go generator, a control register R_1 is used to control the
stepping of another register R_2 as follows. If the output of R_1 is 1, then R_2 is clocked; if
the output of R_1 is 0, then R_2 is not clocked; however, its previous output is repeated. The
output of R_2 is then XORed with the output sequence of a third register R_3 which is clocked
at the same rate as R_1. Beth and Piper showed how a judicious choice of registers R_1, R_2,
and R_3 can guarantee that the output sequence has high linear complexity and period, and
good statistical properties. Unfortunately, the generator succumbs to the linear syndrome
attack of Zeng, Yang, and Rao [1265] (see also page 218): if the connection polynomials of
R_1 and R_2 are primitive trinomials of degree not exceeding n, and known to the adversary,
then the initial states of the three component LFSRs (i.e., the secret key) can be efficiently
recovered from a known-plaintext segment of length 37n bits.

Another variant of the stop-and-go generator is the step-1/step-2 generator due to Gollmann
and Chambers [496]. This generator uses two maximum-length registers R_1 and R_2 of the
same length. Register R_1 is used to control the stepping of R_2 as follows. If the output of
R_1 is 0, then R_2 is clocked once; if the output of R_1 is 1, then R_2 is clocked twice before
producing the next output bit. Zivkovic [1274] proposed an embedding correlation attack
on R_2 whose complexity is O(2^{L_2}), where L_2 is the length of R_2.

A cyclic register of length L is an LFSR with feedback polynomial C(D) = 1 + D^L.
Gollmann [494] proposed cascading n cyclic registers of the same prime length p by
arranging them serially in such a way that all except the first register are clock-controlled by
their predecessors; the Gollmann p-cycle cascade can be viewed as an extension of the
stop-and-go generator (page 220). The first register is clocked regularly, and its output bit is
the input bit to the second register. In general, if the input bit to the ith register (for i ≥ 2) at
time t is a_t, then the ith register is clocked if a_t = 1; if a_t = 0, the register is not clocked
but its previous output bit is repeated. The output bit of the ith register is then XORed with
a_t, and the result becomes the input bit to the (i + 1)st register. The output of the last
register is the output of the p-cycle cascade. The initial (secret) state of a component cyclic
register should not be the all-0's vector or the all-1's vector. Gollmann proved that the
period of the output sequence is p^n. Moreover, if p is a prime such that 2 is a generator of
Z_p^*, then the output sequence has linear complexity p^n. This suggests very strongly using
long cascades (i.e., n large) of shorter registers rather than short cascades of longer
registers. A variant of the Gollmann cascade, called an m-sequence cascade, has the cyclic
registers replaced by maximum-length LFSRs of the same length L. Chambers [237]
showed that the output sequence of such an m-sequence cascade has period (2^L − 1)^n and
linear complexity at least L(2^L − 1)^{n−1}. Park, Lee, and Goh [964] extended earlier
work of Menicocci [845] and reported breaking 9-stage m-sequence cascades where each
LFSR has length 100; they also suggested that 10-stage m-sequence cascades may be
insecure. Chambers and Gollmann [239] studied an attack on p-cycle and m-sequence
cascades called lock-in, which results in a reduction in the effective key space of the
cascades.

The  shrinking  generator  (Algorithm  6.61)  was  proposed  in  1993  by  Coppersmith, 
Krawczyk,  and  Mansour  [279],  who  also  proved  Fact  6.63  and  described  the  attacks  men- 
tioned in  Note  6.64.  The  irregular  output  rate  of  the  shrinking  generator  can  be  overcome  by 
using  a short  buffer  for  the  output;  the  influence  of  such  a buffer  is  analyzed  by  Kessler  and 
Krawczyk  [669].  Krawczyk  [716]  mentions  some  techniques  for  improving  software  im- 
plementations. A throughput  of  2.5  Mbits/sec  is  reported  for  a C language  implementation 
on  a 33MHz  IBM  workstation,  when  the  two  shift  registers  each  have  lengths  in  the  range 
61-64  bits  and  secret  connections  are  employed.  The  security  of  the  shrinking  generator  is 
studied  further  by  Golic  [487]. 

A key generator related to the shrinking generator is the self-shrinking generator (SSG) of
Meier and Staffelbach [838]. The self-shrinking generator uses only one maximum-length
LFSR R. The output sequence of R is partitioned into pairs of bits. The SSG outputs a
0 if a pair is 10, and outputs a 1 if a pair is 11; 01 and 00 pairs are discarded. Meier and
Staffelbach proved that the self-shrinking generator can be implemented as a shrinking
generator. Moreover, the shrinking generator can be implemented as a self-shrinking
generator (whose component LFSR is not maximum-length). More precisely, if the
component LFSRs of a shrinking generator have connection polynomials C_1(D) and C_2(D),
its output sequence can be produced by a self-shrinking generator with connection polynomial
C(D) = C_1(D)^2 · C_2(D)^2. Meier and Staffelbach also proved that if the length of R is L,
then the period and linear complexity of the output sequence of the SSG are at least
2^{⌊L/2⌋} and 2^{⌊L/2⌋ − 1}, respectively. Moreover, they provided strong evidence that this
period and linear complexity is in fact about 2^{L − 1}. Assuming a randomly chosen, but
known, connection polynomial, the best attack presented by Meier and Staffelbach on the
SSG takes 2^{0.79L} steps. More recently, Mihaljevic [871] presented a significantly faster
probabilistic attack on the SSG. For example, if L = 100, then the new attack takes 2^57
steps and requires a portion of the output sequence of length 4.9 × 10^8. The attack does not
have an impact on the security of the shrinking generator.
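The three clock-control rules described in the notes above (the Beth-Piper stop-and-go generator, the Gollmann-Chambers step-1/step-2 generator, and the Meier-Staffelbach self-shrinking generator) share one LFSR engine, so the following added example (the author's code, not the Handbook's or any of the cited papers') implements them together over a small LFSR class in the Handbook's ⟨L, C(D)⟩ notation. The toy registers in the usage are constructed: ⟨3, 1 + D + D^3⟩ and ⟨3, 1 + D^2 + D^3⟩ are primitive, so each yields a period-7 m-sequence. One assumption is spelled out in stop_and_go: the page says only that a stopped register "repeats its previous output", so before R_2's first clock that previous output is taken to be 0, the convention the Handbook uses for the alternating step generator.

```python
from typing import List


class LFSR:
    """Binary LFSR <L, C(D)> with C(D) = 1 + c_1 D + ... + c_L D^L (the Handbook's notation).

    state holds [s_j, s_{j+1}, ..., s_{j+L-1}]; clock() outputs s_j and appends the
    feedback bit s_{j+L} = sum over tapped i of c_i s_{j+L-i} (mod 2)."""

    def __init__(self, taps: List[int], state: List[int]):
        self.L = len(state)
        if not all(1 <= i <= self.L for i in taps):
            raise ValueError("tap positions must lie in 1..L")
        if not any(state):
            raise ValueError("the all-zero state only ever produces zeros")
        self.taps = sorted(set(taps))
        self.state = [b & 1 for b in state]

    def clock(self) -> int:
        out = self.state[0]
        fb = 0
        for i in self.taps:
            fb ^= self.state[self.L - i]
        self.state = self.state[1:] + [fb]
        return out


def sequence(r: LFSR, n: int) -> List[int]:
    return [r.clock() for _ in range(n)]


def stop_and_go(r1: LFSR, r2: LFSR, r3: LFSR, nbits: int) -> List[int]:
    """Beth-Piper stop-and-go: R1's bit gates R2's clock, R3 is clocked every step,
    output = (R2's current or repeated bit) XOR (R3's bit). ASSUMPTION: R2's "previous
    output" before its first clock is 0."""
    prev2, out = 0, []
    for _ in range(nbits):
        if r1.clock() == 1:
            prev2 = r2.clock()
        out.append(prev2 ^ r3.clock())
    return out


def step1_step2(r1: LFSR, r2: LFSR, nbits: int) -> List[int]:
    """Gollmann-Chambers step-1/step-2: R1 bit 0 -> clock R2 once, 1 -> clock R2 twice;
    the bit produced by the last of those clocks is the output."""
    out = []
    for _ in range(nbits):
        if r1.clock() == 1:
            r2.clock()                # first of the two steps; its bit is discarded
        out.append(r2.clock())
    return out


def self_shrinking(r: LFSR, nbits: int) -> List[int]:
    """Meier-Staffelbach SSG: consume R's output in pairs; 10 -> 0, 11 -> 1, 00 and 01 dropped."""
    out = []
    while len(out) < nbits:
        first, second = r.clock(), r.clock()
        if first == 1:
            out.append(second)
    return out


if __name__ == "__main__":
    print(sequence(LFSR([1, 3], [1, 0, 0]), 14))                    # 1001110 twice
    print(self_shrinking(LFSR([1, 3], [1, 0, 0]), 8))               # 0 1 1 0 0 1 1 0
    print(stop_and_go(LFSR([1, 2], [1, 0]), LFSR([1, 3], [1, 0, 0]),
                      LFSR([2, 3], [1, 0, 0]), 6))                  # 0 1 0 1 0 0
    print(step1_step2(LFSR([2, 3], [1, 0, 0]), LFSR([1, 3], [1, 0, 0]), 6))  # 0 0 1 1 0 0
```

With the length-3 register the SSG output already shows why its period bound is stated in terms of 2^{⌊L/2⌋}: 28 clocks of R are consumed to emit 8 bits, and the emitted sequence repeats with period 4, far shorter than anything a production register would use.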

A recent survey of techniques for attacking clock-controlled generators is given by
Gollmann [495]. For some newer attack techniques, see Mihaljevic [872], Golic and
O'Connor [492], and Golic [489]. Chambers [238] proposed a clock-controlled cascade
composed of LFSRs each of length 32. Each 32-bit portion of the output sequence of a
component LFSR is passed through an invertible scrambler box (S-box), and the resulting
32-bit sequence is used to control the clock of the next LFSR. Baum and Blackburn [77]
generalized the notion of a clock-controlled shift register to that of a register based on a
finite group.

SEAL  (Algorithm  6.68)  was  designed  and  patented  by  Coppersmith  and  Rogaway  [281]. 
Rogaway  and  Coppersmith  [1066]  report  an  encryption  speed  of  7.2  Mbytes/sec  for  an  as- 
sembly language  implementation  on  a 50  MHz  486  processor  with  L = 4096  bits,  assuming 
precomputed  tables  (cf.  Note  6.66). 

Although the stream cipher RC4 remains proprietary, alleged descriptions have been
published which are output compatible with certified implementations of RC4; for example,
see Schneier [1094]. Blocher and Dichtl [156] proposed a fast software stream cipher called
FISH (Fibonacci Shrinking generator), which is based on the shrinking generator principle
applied to the lagged Fibonacci generator (also known as the additive generator) of Knuth
[692, p. 27]. Anderson [28] subsequently presented a known-plaintext attack on FISH which
requires a few thousand 32-bit words of known plaintext and a work factor of about 2^40
computations. Anderson also proposed a fast software stream cipher called PIKE based on
the Fibonacci generator and the stream cipher A5; a description of A5 is given by Anderson
[28].

Wolfram  [1251, 1252]  proposed  a stream  cipher  based  on  one-dimensional  cellular  automa- 
ta with  nonlinear  feedback.  Meier  and  Staffelbach  [835]  presented  a known-plaintext  attack 
on  this  cipher  which  demonstrated  that  key  lengths  of  127  bits  suggested  by  Wolfram  [1252] 
are  insecure;  Meier  and  Staffelbach  recommend  key  sizes  of  about  1000  bits. 

Klapper and Goresky [679] presented constructions for FCSRs (see page 217) whose output
sequences have nearly maximal period, are balanced, and are nearly de Bruijn sequences in
the sense that for any fixed non-negative integer t, the number of occurrences of any two
t-bit sequences as subsequences of a period differs by at most 2. Such FCSRs are good
candidates for usage in the construction of secure stream ciphers, just as maximum-length
LFSRs were used in §6.3. Goresky and Klapper [518] introduced a generalization of FCSRs
called d-FCSRs, based on ramified extensions of the 2-adic numbers (d is the ramification).
7.1 Introduction and overview

Symmetric-key block ciphers are the most prominent and important elements in many
cryptographic systems. Individually, they provide confidentiality. As a fundamental building
block, their versatility allows construction of pseudorandom number generators, stream
ciphers, MACs, and hash functions. They may furthermore serve as a central component in
message authentication techniques, data integrity mechanisms, entity authentication
protocols, and (symmetric-key) digital signature schemes. This chapter examines
symmetric-key block ciphers, including both general concepts and details of specific
algorithms. Public-key block ciphers are discussed in Chapter 8.

No block cipher is ideally suited for all applications, even one offering a high level of security. This is a result of inevitable tradeoffs required in practical applications, including those arising from, for example, speed requirements and memory limitations (e.g., code size, data size, cache memory), constraints imposed by implementation platforms (e.g., hardware, software, chipcards), and differing tolerances of applications to properties of various modes of operation. In addition, efficiency must typically be traded off against security. Thus it is beneficial to have a number of candidate ciphers from which to draw.

Of the many block ciphers currently available, focus in this chapter is given to a subset of high profile and/or well-studied algorithms. While not guaranteed to be more secure than other published candidate ciphers (indeed, this status changes as new attacks become known), emphasis is given to those of greatest practical interest. Among these, DES is paramount; FEAL has received both serious commercial backing and a large amount of independent cryptographic analysis; and IDEA (originally proposed as a DES replacement) is widely known and highly regarded. Other recently proposed ciphers of both high promise and high profile (in part due to the reputation of their designers) are SAFER and RC5. Additional ciphers are presented in less detail.
Chapter outline

Basic background on block ciphers and algorithm-independent concepts are presented in §7.2, including modes of operation, multiple encryption, and exhaustive search techniques. Classical ciphers and cryptanalysis thereof are addressed in §7.3, including historical details on cipher machines. Modern block ciphers covered in chronological order are DES (§7.4), FEAL (§7.5), and IDEA (§7.6), followed by SAFER, RC5, and other ciphers in §7.7, collectively illustrating a wide range of modern block cipher design approaches. Further notes, including details on additional ciphers (e.g., Lucifer) and references for the chapter, may be found in §7.8.


7.2  Background  and  general  concepts 

Introductory material on block ciphers is followed by subsections addressing modes of operation, and discussion of exhaustive key search attacks and multiple encryption.


7.2.1  Introduction  to  block  ciphers 

Block ciphers can be either symmetric-key or public-key. The main focus of this chapter is symmetric-key block ciphers; public-key encryption is addressed in Chapter 8.

(i)  Block  cipher  definitions 

A block cipher is a function (see §1.3.1) which maps n-bit plaintext blocks to n-bit ciphertext blocks; n is called the blocklength. It may be viewed as a simple substitution cipher with large character size. The function is parameterized by a k-bit key K,^1 taking values from a subset $\mathcal{K}$ (the key space) of the set of all k-bit vectors $V_k$. It is generally assumed that the key is chosen at random. Use of plaintext and ciphertext blocks of equal size avoids data expansion.

To allow unique decryption, the encryption function must be one-to-one (i.e., invertible). For n-bit plaintext and ciphertext blocks and a fixed key, the encryption function is a bijection, defining a permutation on n-bit vectors. Each key potentially defines a different bijection. The number of keys is $|\mathcal{K}|$, and the effective key size is $\lg |\mathcal{K}|$; this equals the key length if all k-bit vectors are valid keys ($\mathcal{K} = V_k$). If keys are equiprobable and each defines a different bijection, the entropy of the key space is also $\lg |\mathcal{K}|$.

7.1 Definition An n-bit block cipher is a function $E : V_n \times \mathcal{K} \to V_n$, such that for each key $K \in \mathcal{K}$, $E(P, K)$ is an invertible mapping (the encryption function for K) from $V_n$ to $V_n$, written $E_K(P)$. The inverse mapping is the decryption function, denoted $D_K(C)$. $C = E_K(P)$ denotes that ciphertext C results from encrypting plaintext P under K.

Whereas block ciphers generally process plaintext in relatively large blocks (e.g., $n \ge 64$), stream ciphers typically process smaller units (see Note 6.1); the distinction, however, is not definitive (see Remark 7.25). For plaintext messages exceeding one block in length, various modes of operation for block ciphers are used (see §7.2.2).

The most general block cipher implements every possible substitution, as per Definition 7.2. To represent the key of such an n-bit (true) random block cipher would require $\lg(2^n!) \approx (n - 1.44)2^n$ bits, or roughly $2^n$ times the number of bits in a message block. This excessive bitsize makes (true) random ciphers impractical. Nonetheless, it is an accepted design principle that the encryption function corresponding to a randomly selected key should appear to be a randomly chosen invertible function.

^1 This use of symbols k and K may differ from other chapters.
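The approximation $\lg(2^n!) \approx (n - 1.44)2^n$ follows from Stirling's formula; the derivation below is added here and is not part of the original text.

$$
\lg(N!) \approx N \lg N - N \lg e \qquad \text{(Stirling's formula, dropping lower-order terms)}
$$

Substituting $N = 2^n$ (the number of n-bit blocks, and hence of elements permuted):

$$
\lg(2^n!) \approx 2^n \cdot n - 2^n \lg e = (n - \lg e)\,2^n \approx (n - 1.44)\,2^n ,
$$

since $\lg e = 1/\ln 2 \approx 1.4427$. For $n = 64$ this is about $62.6 \cdot 2^{64} \approx 2^{70}$ bits of key, against the 64 bits of a single message block.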

7.2 Definition A (true) random cipher is an n-bit block cipher implementing all $2^n!$ bijections on $2^n$ elements. Each of the $2^n!$ keys specifies one such permutation.

A block cipher whose block size n is too small may be vulnerable to attacks based on statistical analysis. One such attack involves simple frequency analysis of ciphertext blocks (see Note 7.74). This may be thwarted by appropriate use of modes of operation (e.g., Algorithm 7.13). Other such attacks are considered in Note 7.8. However, choosing too large a value for the blocksize n may create difficulties as the complexity of implementation of many ciphers grows rapidly with block size. In practice, consequently, for larger n, easily-implementable functions are necessary which appear to be random (without knowledge of the key).

An encryption function per Definition 7.1 is a deterministic mapping. Each pairing of plaintext block P and key K maps to a unique ciphertext block. In contrast, in a randomized encryption technique (Definition 7.3; see also Remark 8.22), each (P, K) pair is associated with a set $C_{(P,K)}$ of eligible ciphertext blocks; each time P is encrypted under K, an output R from a random source non-deterministically selects one of these eligible blocks. To ensure invertibility, for every fixed key K, the subsets $C_{(P,K)}$ over all plaintexts P must be disjoint. Since the encryption function is essentially one-to-many involving an additional parameter R (cf. homophonic substitution, §7.3.2), the requirement for invertibility implies data expansion, which is a disadvantage of randomized encryption and is often unacceptable.

7.3 Definition A randomized encryption mapping is a function E from a plaintext space $V_n$ to a ciphertext space $V_m$, $m \ge n$, drawing elements from a space of random numbers $\mathcal{R} = V_t$. E is defined by $E : V_n \times \mathcal{K} \times \mathcal{R} \to V_m$, such that for each key $K \in \mathcal{K}$ and $R \in \mathcal{R}$, $E(P, K, R)$, also written $E_K^R(P)$, maps $P \in V_n$ to $V_m$; and an inverse (corresponding decryption) function exists, mapping $V_m \times \mathcal{K} \to V_n$.

(ii)  Practical  security  and  complexity  of  attacks 

The objective of a block cipher is to provide confidentiality. The corresponding objective of an adversary is to recover plaintext from ciphertext. A block cipher is totally broken if a key can be found, and partially broken if an adversary is able to recover part of the plaintext (but not the key) from ciphertext.

7.4 Note (standard assumptions) To evaluate block cipher security, it is customary to always assume that an adversary (i) has access to all data transmitted over the ciphertext channel; and (ii) (Kerckhoffs' assumption) knows all details of the encryption function except the secret key (which security consequently rests entirely upon).

Under the assumptions of Note 7.4, attacks are classified based on what information a cryptanalyst has access to in addition to intercepted ciphertext (cf. §1.13.1). The most prominent classes of attack for symmetric-key ciphers are (for a fixed key):

1. ciphertext-only - no additional information is available.

2. known-plaintext - plaintext-ciphertext pairs are available.

3. chosen-plaintext - ciphertexts are available corresponding to plaintexts of the adversary's choice. A variation is an adaptive chosen-plaintext attack, where the choice of plaintexts may depend on previous plaintext-ciphertext pairs.

Additional classes of attacks are given in Note 7.6; while somewhat more hypothetical, these are nonetheless of interest for the purposes of analysis and comparison of ciphers.

7.5 Remark (chosen-plaintext principle) It is customary to use ciphers resistant to chosen-plaintext attack even when mounting such an attack is not feasible. A cipher secure against chosen-plaintext attack is secure against known-plaintext and ciphertext-only attacks.

7.6 Note (chosen-ciphertext and related-key attacks) A chosen-ciphertext attack operates under the following model: an adversary is allowed access to plaintext-ciphertext pairs for some number of ciphertexts of his choice, and thereafter attempts to use this information to recover the key (or plaintext corresponding to some new ciphertext). In a related-key attack, an adversary is assumed to have access to the encryption of plaintexts under both an unknown key and (unknown) keys chosen to have or known to have certain relationships with this key.

With few exceptions (e.g., the one-time pad), the best available measure of security for practical ciphers is the complexity of the best (currently) known attack. Various aspects of such complexity may be distinguished as follows:

1. data complexity - expected number of input data units required (e.g., ciphertext).

2. storage complexity - expected number of storage units required.

3. processing complexity - expected number of operations required to process input data and/or fill storage with data (at least one time unit per storage unit).

The attack complexity is the dominant of these (e.g., for linear cryptanalysis on DES, essentially the data complexity). When parallelization is possible, processing complexity may be divided across many processors (but not reduced), reducing attack time.

Given a data complexity of $2^n$, an attack is always possible; this many different n-bit blocks completely characterize the encryption function for a fixed k-bit key. Similarly, given a processing complexity of $2^k$, an attack is possible by exhaustive key search (§7.2.3). Thus as a minimum, the effective key size should be sufficiently large to preclude exhaustive key search, and the block size sufficiently large to preclude exhaustive data analysis. A block cipher is considered computationally secure if these conditions hold and no known attack has both data and processing complexity significantly less than, respectively, $2^n$ and $2^k$. However, see Note 7.8 for additional concerns related to block size.

7.7 Remark (passive vs. active complexity) For symmetric-key block ciphers, data complexity is beyond the control of the adversary, and is passive complexity (plaintext-ciphertext pairs cannot be generated by the adversary itself). Processing complexity is active complexity which typically benefits from increased resources (e.g., parallelization).

7.8 Note (attacks based on small block size) Security concerns which arise if the block size n is too small include the feasibility of text dictionary attacks and matching ciphertext attacks. A text dictionary may be assembled if plaintext-ciphertext pairs become known for a fixed key. The more pairs available, the larger the dictionary and the greater the chance of locating a random ciphertext block therein. A complete dictionary results if $2^n$ plaintext-ciphertext pairs become known, and fewer suffice if plaintexts contain redundancy and a non-chaining mode of encryption (such as ECB) is used. Moreover, if about $2^{n/2}$ such pairs are known, and about $2^{n/2}$ ciphertexts are subsequently created, then by the birthday paradox one expects to locate a ciphertext in the dictionary. Relatedly, from ciphertext blocks alone, as the number of available blocks approaches $2^{n/2}$, one expects to find matching ciphertext blocks. These may reveal partial information about the corresponding plaintexts, depending on the mode of operation of the block cipher, and the amount of redundancy in the plaintext.

Computational and unconditional security are discussed in §1.13.3. Unconditional security is both unnecessary in many applications and impractical; for example, it requires as many bits of secret key as plaintext, and cannot be provided by a block cipher used to encrypt more than one block (due to Fact 7.9, since identical ciphertext implies matching plaintext). Nonetheless, results on unconditional security provide insight for the design of practical ciphers, and have motivated many of the principles of cryptographic practice currently in use (see Remark 7.10).

7.9 Fact A cipher provides perfect secrecy (unconditional security) if the ciphertext and plaintext blocks are statistically independent.

7.10 Remark (theoretically-motivated principles) The unconditional security of the one-time-pad motivates both additive stream ciphers (Chapter 6) and the frequent changing of cryptographic keys (§13.3.1). Theoretical results regarding the effect of redundancy on unicity distance (Fact 7.71) motivate the principle that for plaintext confidentiality, the plaintext data should be as random as possible, e.g., via data-compression prior to encryption, use of random-bit fields in message blocks, or randomized encryption (Definition 7.3). The latter two techniques may, however, increase the data length or allow covert channels.

(iii)  Criteria  for  evaluating  block  ciphers  and  modes  of  operation 

Many criteria may be used for evaluating block ciphers in practice, including:

1. estimated security level. Confidence in the (historical) security of a cipher grows if it has been subjected to and withstood expert cryptanalysis over a substantial time period, e.g., several years or more; such ciphers are certainly considered more secure than those which have not. This may include the performance of selected cipher components relative to various design criteria which have been proposed or gained favor in recent years. The amount of ciphertext required to mount practical attacks often vastly exceeds a cipher's unicity distance (Definition 7.69), which provides a theoretical estimate of the amount of ciphertext required to recover the unique encryption key.

2. key size. The effective bitlength of the key, or more specifically, the entropy of the key space, defines an upper bound on the security of a cipher (by considering exhaustive search). Longer keys typically impose additional costs (e.g., generation, transmission, storage, difficulty to remember passwords).

3. throughput. Throughput is related to the complexity of the cryptographic mapping (see below), and the degree to which the mapping is tailored to a particular implementation medium or platform.

4. block size. Block size impacts both security (larger is desirable) and complexity (larger is more costly to implement). Block size may also affect performance, for example, if padding is required.

5. complexity of cryptographic mapping. Algorithmic complexity affects the implementation costs both in terms of development and fixed resources (hardware gate count or software code/data size), as well as real-time performance for fixed resources (throughput). Some ciphers specifically favor hardware or software implementations.

6. data expansion. It is generally desirable, and often mandatory, that encryption does not increase the size of plaintext data. Homophonic substitution and randomized encryption techniques result in data expansion.

7. error propagation. Decryption of ciphertext containing bit errors may result in various effects on the recovered plaintext, including propagation of errors to subsequent plaintext blocks. Different error characteristics are acceptable in various applications. Block size (above) typically affects error propagation.


7.2.2  Modes  of  operation 

A block cipher encrypts plaintext in fixed-size n-bit blocks (often n = 64). For messages exceeding n bits, the simplest approach is to partition the message into n-bit blocks and encrypt each separately. This electronic-codebook (ECB) mode has disadvantages in most applications, motivating other methods of employing block ciphers (modes of operation) on larger messages. The four most common modes are ECB, CBC, CFB, and OFB. These are summarized in Figure 7.1 and discussed below.

In what follows, $E_K$ denotes the encryption function of the block cipher E parameterized by key K, while $E_K^{-1}$ denotes decryption (cf. Definition 7.1). A plaintext message $x = x_1 \ldots x_t$ is assumed to consist of n-bit blocks for ECB and CBC modes (see Algorithm 9.58 regarding padding), and r-bit blocks for CFB and OFB modes for appropriate fixed $r \le n$.

(i)  ECB  mode 

The electronic codebook (ECB) mode of operation is given in Algorithm 7.11 and illustrated in Figure 7.1(a).

7.11 Algorithm ECB mode of operation

INPUT: k-bit key K; n-bit plaintext blocks $x_1, \ldots, x_t$.

SUMMARY: produce ciphertext blocks $c_1, \ldots, c_t$; decrypt to recover plaintext.

1. Encryption: for $1 \le j \le t$, $c_j \leftarrow E_K(x_j)$.

2. Decryption: for $1 \le j \le t$, $x_j \leftarrow E_K^{-1}(c_j)$.


Properties of the ECB mode of operation:

1. Identical plaintext blocks (under the same key) result in identical ciphertext.

2. Chaining dependencies: blocks are enciphered independently of other blocks. Re-ordering ciphertext blocks results in correspondingly re-ordered plaintext blocks.

3. Error propagation: one or more bit errors in a single ciphertext block affect decipherment of that block only. For typical ciphers E, decryption of such a block is then random (with about 50% of the recovered plaintext bits in error). Regarding bits being deleted, see Remark 7.15.

7.12 Remark (use of ECB mode) Since ciphertext blocks are independent, malicious substitution of ECB blocks (e.g., insertion of a frequently occurring block) does not affect the decryption of adjacent blocks. Furthermore, block ciphers do not hide data patterns - identical ciphertext blocks imply identical plaintext blocks. For this reason, the ECB mode is not recommended for messages longer than one block, or if keys are reused for more than a single one-block message. Security may be improved somewhat by inclusion of random padding bits in each block.

Figure 7.1: Common modes of operation for an n-bit block cipher. (a) Electronic Codebook (ECB); (b) Cipher-block Chaining (CBC); (c) Cipher feedback (CFB), r-bit characters/r-bit feedback; (d) Output feedback (OFB), r-bit characters/n-bit feedback. Each panel shows (i) encipherment and (ii) decipherment.

(ii) CBC mode

The cipher-block chaining (CBC) mode of operation, specified in Algorithm 7.13 and illustrated in Figure 7.1(b), involves use of an n-bit initialization vector, denoted IV.


7.13 Algorithm CBC mode of operation

INPUT: k-bit key K; n-bit IV; n-bit plaintext blocks $x_1, \ldots, x_t$.

SUMMARY: produce ciphertext blocks $c_1, \ldots, c_t$; decrypt to recover plaintext.

1. Encryption: $c_0 \leftarrow IV$. For $1 \le j \le t$, $c_j \leftarrow E_K(c_{j-1} \oplus x_j)$.

2. Decryption: $c_0 \leftarrow IV$. For $1 \le j \le t$, $x_j \leftarrow c_{j-1} \oplus E_K^{-1}(c_j)$.

Properties of the CBC mode of operation:

1. Identical plaintexts: identical ciphertext blocks result when the same plaintext is enciphered under the same key and IV. Changing the IV, key, or first plaintext block (e.g., using a counter or random field) results in different ciphertext.

2. Chaining dependencies: the chaining mechanism causes ciphertext $c_j$ to depend on $x_j$ and all preceding plaintext blocks (the entire dependency on preceding blocks is, however, contained in the value of the previous ciphertext block). Consequently, rearranging the order of ciphertext blocks affects decryption. Proper decryption of a correct ciphertext block requires a correct preceding ciphertext block.

3. Error propagation: a single bit error in ciphertext block $c_j$ affects decipherment of blocks $c_j$ and $c_{j+1}$ (since $x_j$ depends on $c_j$ and $c_{j-1}$). Block $x_j'$ recovered from $c_j$ is typically totally random (50% in error), while the recovered plaintext $x_{j+1}'$ has bit errors precisely where $c_j$ did. Thus an adversary may cause predictable bit changes in $x_{j+1}$ by altering corresponding bits of $c_j$. See also Remark 7.14.

4. Error recovery: the CBC mode is self-synchronizing or ciphertext autokey (see Remark 7.15) in the sense that if an error (including loss of one or more entire blocks) occurs in block $c_j$ but not $c_{j+1}$, $c_{j+2}$ is correctly decrypted to $x_{j+2}$.

7.14 Remark (error propagation in encryption) Although CBC mode decryption recovers from errors in ciphertext blocks, modifications to a plaintext block $x_j$ during encryption alter all subsequent ciphertext blocks. This impacts the usability of chaining modes for applications requiring random read/write access to encrypted data. The ECB mode is an alternative (but see Remark 7.12).

7.15 Remark (self-synchronizing vs. framing errors) Although self-synchronizing in the sense of recovery from bit errors, recovery from "lost" bits causing errors in block boundaries (framing integrity errors) is not possible in the CBC or other modes.

7.16 Remark (integrity of IV in CBC) While the IV in the CBC mode need not be secret, its integrity should be protected, since malicious modification thereof allows an adversary to make predictable bit changes to the first plaintext block recovered. Using a secret IV is one method for preventing this. However, if message integrity is required, an appropriate mechanism should be used (see §9.6.5); encryption mechanisms typically guarantee confidentiality only.


©1997  by  CRC  Press,  Inc.  — See  accompanying  notice  at  front  of  chapter. 




(iii) CFB mode

While the CBC mode processes plaintext n bits at a time (using an n-bit block cipher), some applications require that r-bit plaintext units be encrypted and transmitted without delay, for some fixed $r < n$ (often r = 1 or r = 8). In this case, the cipher feedback (CFB) mode may be used, as specified in Algorithm 7.17 and illustrated in Figure 7.1(c).


7.17 Algorithm CFB mode of operation (CFB-r)

INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks $x_1, \ldots, x_u$ ($1 \le r \le n$).
SUMMARY: produce r-bit ciphertext blocks $c_1, \ldots, c_u$; decrypt to recover plaintext.

1. Encryption: $I_1 \leftarrow IV$. ($I_j$ is the input value in a shift register.) For $1 \le j \le u$:

(a) $O_j \leftarrow E_K(I_j)$. (Compute the block cipher output.)

(b) $t_j \leftarrow$ the r leftmost bits of $O_j$. (Assume the leftmost is identified as bit 1.)

(c) $c_j \leftarrow x_j \oplus t_j$. (Transmit the r-bit ciphertext block $c_j$.)

(d) $I_{j+1} \leftarrow 2^r \cdot I_j + c_j \bmod 2^n$. (Shift $c_j$ into right end of shift register.)

2. Decryption: $I_1 \leftarrow IV$. For $1 \le j \le u$, upon receiving $c_j$:
$x_j \leftarrow c_j \oplus t_j$, where $t_j$, $O_j$ and $I_j$ are computed as above.

Properties of the CFB mode of operation:

1. Identical plaintexts: as per CBC encryption, changing the IV results in the same plaintext input being enciphered to a different output. The IV need not be secret (although an unpredictable IV may be desired in some applications).

2. Chaining dependencies: similar to CBC encryption, the chaining mechanism causes ciphertext block $c_j$ to depend on both $x_j$ and preceding plaintext blocks; consequently, re-ordering ciphertext blocks affects decryption. Proper decryption of a correct ciphertext block requires the preceding $\lceil n/r \rceil$ ciphertext blocks to be correct (so that the shift register contains the proper value).

3. Error propagation: one or more bit errors in any single r-bit ciphertext block $c_j$ affects the decipherment of that and the next $\lceil n/r \rceil$ ciphertext blocks (i.e., until n bits of ciphertext are processed, after which the error block $c_j$ has shifted entirely out of the shift register). The recovered plaintext $x_j'$ will differ from $x_j$ precisely in the bit positions $c_j$ was in error; the other incorrectly recovered plaintext blocks will typically be random vectors, i.e., have 50% of bits in error. Thus an adversary may cause predictable bit changes in $x_j$ by altering corresponding bits of $c_j$.

4. Error recovery: the CFB mode is self-synchronizing similar to CBC, but requires $\lceil n/r \rceil$ ciphertext blocks to recover.

5. Throughput: for $r < n$, throughput is decreased by a factor of n/r (vs. CBC) in that each execution of E yields only r bits of ciphertext output.

7.18 Remark (CFB use of encryption only) Since the encryption function E is used for both CFB encryption and decryption, the CFB mode must not be used if the block cipher E is a public-key algorithm; instead, the CBC mode should be used.

7.19 Example (ISO variant of CFB) The CFB mode of Algorithm 7.17 may be modified as follows, to allow processing of plaintext blocks (characters) whose bitsize s is less than the bitsize r of the feedback variable (e.g., 7-bit characters using 8-bit feedback; $s < r$). The leftmost s (rather than r) bits of $O_j$ are assigned to $t_j$; the s-bit ciphertext character $c_j$ is computed; the feedback variable is computed from $c_j$ by prepending (on the left) $r - s$ 1-bits; the resulting r-bit feedback variable is shifted into the least significant (LS) end of the shift register as before. □
(iv) OFB mode

The output feedback (OFB) mode of operation may be used for applications in which all error propagation must be avoided. It is similar to CFB, and allows encryption of various block sizes (characters), but differs in that the output of the encryption block function E (rather than the ciphertext) serves as the feedback.

Two versions of OFB using an n-bit block cipher are common. The ISO version (Figure 7.1(d) and Algorithm 7.20) requires an n-bit feedback, and is more secure (Note 7.24). The earlier FIPS version (Algorithm 7.21) allows $r < n$ bits of feedback.


7.20 Algorithm OFB mode with full feedback (per ISO 10116)

INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks $x_1, \ldots, x_u$ ($1 \le r \le n$).
SUMMARY: produce r-bit ciphertext blocks $c_1, \ldots, c_u$; decrypt to recover plaintext.

1. Encryption: $I_1 \leftarrow IV$. For $1 \le j \le u$, given plaintext block $x_j$:

(a) $O_j \leftarrow E_K(I_j)$. (Compute the block cipher output.)

(b) $t_j \leftarrow$ the r leftmost bits of $O_j$. (Assume the leftmost is identified as bit 1.)

(c) $c_j \leftarrow x_j \oplus t_j$. (Transmit the r-bit ciphertext block $c_j$.)

(d) $I_{j+1} \leftarrow O_j$. (Update the block cipher input for the next block.)

2. Decryption: $I_1 \leftarrow IV$. For $1 \le j \le u$, upon receiving $c_j$:

$x_j \leftarrow c_j \oplus t_j$, where $t_j$, $O_j$, and $I_j$ are computed as above.


7.21 Algorithm OFB mode with r-bit feedback (per FIPS 81)

INPUT: k-bit key K; n-bit IV; r-bit plaintext blocks $x_1, \ldots, x_u$ ($1 \le r \le n$).
SUMMARY: produce r-bit ciphertext blocks $c_1, \ldots, c_u$; decrypt to recover plaintext.
As per Algorithm 7.20, but with "$I_{j+1} \leftarrow O_j$" replaced by:

$I_{j+1} \leftarrow 2^r \cdot I_j + t_j \bmod 2^n$. (Shift output $t_j$ into right end of shift register.)


Properties of the OFB mode of operation:

1. Identical plaintexts: as per CBC and CFB modes, changing the IV results in the same plaintext being enciphered to a different output.

2. Chaining dependencies: the keystream is plaintext-independent (see Remark 7.22).

3. Error propagation: one or more bit errors in any ciphertext character $c_j$ affects the decipherment of only that character, in the precise bit position(s) $c_j$ is in error, causing the corresponding recovered plaintext bit(s) to be complemented.

4. Error recovery: the OFB mode recovers from ciphertext bit errors, but cannot self-synchronize after loss of ciphertext bits, which destroys alignment of the decrypting keystream (in which case explicit re-synchronization is required).

5. Throughput: for $r < n$, throughput is decreased as per the CFB mode. However, in all cases, since the keystream is independent of plaintext or ciphertext, it may be pre-computed (given the key and IV).

7.22 Remark (changing IV in OFB) The IV, which need not be secret, must be changed if an OFB key $K$ is re-used. Otherwise an identical keystream results, and by XORing corresponding ciphertexts an adversary may reduce cryptanalysis to that of a running-key cipher with one plaintext as the running key (cf. Example 7.58 ff.).

Remark  7.18  on  public-key  block  ciphers  applies  to  the  OFB  mode  as  well  as  CFB. 
7.23 Example (counter mode) A simplification of OFB involves updating the input block as a counter, $I_{j+1} = I_j + 1$, rather than using feedback. This both avoids the short-cycle problem of Note 7.24, and allows recovery from errors in computing $E$. Moreover, it provides a random-access property: ciphertext block $i$ need not be decrypted in order to decrypt block $i + 1$. □

7.24 Note (OFB feedback size) In OFB with full $n$-bit feedback (Algorithm 7.20), the keystream is generated by the iterated function $O_j = E_K(O_{j-1})$. Since $E_K$ is a permutation, and under the assumption that for random $K$, $E_K$ is effectively a random choice among all $(2^n)!$ permutations on $2^n$ elements, it can be shown that for a fixed (random) key and starting value, the expected cycle length before repeating any value $O_j$ is about $2^{n-1}$. On the other hand, if the number of feedback bits is $r < n$ as allowed in Algorithm 7.21, the keystream is generated by the iteration $O_j = f(O_{j-1})$ for some non-permutation $f$ which, assuming it behaves as a random function, has an expected cycle length of only about $2^{n/2}$. Consequently, it is strongly recommended to use the OFB mode with full $n$-bit feedback.

7.25 Remark (modes as stream ciphers) It is clear that both the OFB mode with full feedback (Algorithm 7.20) and the counter mode (Example 7.23) employ a block cipher as a keystream generator for a stream cipher. Similarly the CFB mode encrypts a character stream using the block cipher as a (plaintext-dependent) keystream generator. The CBC mode may also be considered a stream cipher with $n$-bit blocks playing the role of very large characters. Thus modes of operation allow one to define stream ciphers from block ciphers.


7.2.3  Exhaustive  key  search  and  multiple  encryption 

A fixed-size  key  defines  an  upper  bound  on  the  security  of  a block  cipher,  due  to  exhaustive 
key  search  (Fact  7.26).  While  this  requires  either  known-plaintext  or  plaintext  containing 
redundancy,  it  has  widespread  applicability  since  cipher  operations  (including  decryption) 
are  generally  designed  to  be  computationally  efficient. 

A design  technique  which  complicates  exhaustive  key  search  is  to  make  the  task  of 
changing  cipher  keys  computationally  expensive,  while  allowing  encryption  with  a fixed 
key  to  remain  relatively  efficient.  Examples  of  ciphers  with  this  property  include  the  block 
cipher  Khufu  and  the  stream  cipher  SEAL. 

7.26 Fact (exhaustive key search) For an $n$-bit block cipher with $k$-bit key, given a small number (e.g., $\lceil (k+4)/n \rceil$) of plaintext-ciphertext pairs encrypted under key $K$, $K$ can be recovered by exhaustive key search in an expected time on the order of $2^{k-1}$ operations.

Justification:  Progress  through  the  entire  key  space,  decrypting  a fixed  ciphertext  C with 
each  trial  key,  and  discarding  those  keys  which  do  not  yield  the  known  plaintext  P.  The 
target  key  is  among  the  undiscarded  keys.  The  number  of  false  alarms  expected  ( non-target 
keys  which  map  C to  P)  depends  on  the  relative  size  of  k and  n,  and  follows  from  unicity 
distance  arguments;  additional  (P',  C')  pairs  suffice  to  discard  false  alarms.  One  expects 
to  find  the  correct  key  after  searching  half  the  key  space. 

7.27 Example (exhaustive DES key search) For DES, $k = 56$, $n = 64$, and the expected requirement by Fact 7.26 is $2^{55}$ decryptions and a single plaintext-ciphertext pair. □

If  the  underlying  plaintext  is  known  to  contain  redundancy  as  in  Example  7.28,  then 
ciphertext-only  exhaustive  key  search  is  possible  with  a relatively  small  number  of  cipher- 
texts. 
7.28 Example (ciphertext-only DES key search) Suppose DES is used to encrypt 64-bit blocks of 8 ASCII characters each, with one bit per character serving as an even parity bit. Trial decryption with an incorrect key $K$ yields all 8 parity bits correct with probability $2^{-8}$, and correct parity for $t$ different blocks (each encrypted by $K$) with probability $2^{-8t}$. If this is used as a filter over all $2^{56}$ keys, the expected number of unfiltered incorrect keys is $2^{56}/2^{8t}$. For most practical purposes, $t = 10$ suffices. □

(i)  Cascades  of  ciphers  and  multiple  encryption 

If  a block  cipher  is  susceptible  to  exhaustive  key  search  (due  to  inadequate  keylength),  en- 
cipherment of  the  same  message  block  more  than  once  may  increase  security.  Various  such 
techniques  for  multiple  encryption  of  n-bit  messages  are  considered  here.  Once  defined, 
they  may  be  extended  to  messages  exceeding  one  block  by  using  standard  modes  of  oper- 
ation (§7.2.2),  with  E denoting  multiple  rather  than  single  encryption. 

7.29 Definition A cascade cipher is the concatenation of $L \ge 2$ block ciphers (called stages), each with independent keys. Plaintext is input to the first stage; the output of stage $i$ is input to stage $i + 1$; and the output of stage $L$ is the cascade's ciphertext output.

In the simplest case, all stages in a cascade cipher have $k$-bit keys, and the stage inputs and outputs are all $n$-bit quantities. The stage ciphers may differ (general cascade of ciphers), or all be identical (cascade of identical ciphers).

7.30 Definition Multiple encryption is similar to a cascade of $L$ identical ciphers, but the stage keys need not be independent, and the stage ciphers may be either a block cipher $E$ or its corresponding decryption function $D = E^{-1}$.

Two  important  cases  of  multiple  encryption  are  double  and  triple  encryption,  as  illus- 
trated in  Figure  7.2  and  defined  below. 

Figure 7.2: Multiple encryption. (a) Double encryption: plaintext $P$ passes through a stage keyed by $K_1$ and then a stage keyed by $K_2$, giving ciphertext $C$. (b) Triple encryption: plaintext $P$ passes through stages keyed by $K_1$, $K_2$ and $K_3$, giving ciphertext $C$ ($K_1 = K_3$ for the two-key variant).


7.31 Definition Double encryption is defined as $E(x) = E_{K_2}(E_{K_1}(x))$, where $E_K$ denotes a block cipher $E$ with key $K$.

7.32 Definition Triple encryption is defined as $E(x) = E^{(3)}_{K_3}(E^{(2)}_{K_2}(E^{(1)}_{K_1}(x)))$, where $E^{(i)}_K$ denotes either $E_K$ or $D_K = E_K^{-1}$. The case $E(x) = E_{K_3}(D_{K_2}(E_{K_1}(x)))$ is called E-D-E triple-encryption; the subcase $K_1 = K_3$ is often called two-key triple-encryption.

Independent stage keys $K_1$ and $K_2$ are typically used in double encryption. In triple encryption (Definition 7.32), to save on key management and storage costs, dependent stage keys are often used. E-D-E triple-encryption with $K_1 = K_2 = K_3$ is backwards compatible with (i.e., equivalent to) single encryption.

(ii) Meet-in-the-middle attacks on multiple encryption

A naive exhaustive key search attack on double encryption tries all $2^{2k}$ key pairs. The attack of Fact 7.33 reduces time from $2^{2k}$, at the cost of substantial space.

7.33 Fact For a block cipher with a $k$-bit key, a known-plaintext meet-in-the-middle attack defeats double encryption using on the order of $2^k$ operations and $2^k$ storage.

Justification (basic meet-in-the-middle): Noting Figure 7.2(a), given a $(P, C)$ pair, compute $M_i = E_i(P)$ under all $2^k$ possible key values $K_1 = i$; store all pairs $(M_i, i)$, sorted or indexed on $M_i$ (e.g., using conventional hashing). Decipher $C$ under all $2^k$ possible values $K_2 = j$, and for each pair $(M_j, j)$ where $M_j = D_j(C)$, check for hits $M_j = M_i$ against entries $M_i$ in the first table. (This can be done by creating a second sorted table, or simply checking each $M_j$ entry as generated.) Each hit identifies a candidate solution key pair $(i, j)$, since $E_i(P) = M = D_j(C)$. Using a second known-plaintext pair $(P', C')$ (cf. Fact 7.35), discard candidate key pairs which do not map $P'$ to $C'$.

A concept  analogous  to  unicity  distance  for  ciphertext-only  attack  ( Definition  7.69)  can 
be  defined  for  known-plaintext  key  search,  based  on  the  following  strategy.  Select  a key; 
check  if  it  is  consistent  with  a given  set  (history)  of  plaintext-ciphertext  pairs;  if  so,  label 
the  key  a hit.  A hit  that  is  not  the  target  key  is  a false  key  hit. 

7.34  Definition  The  number  of  plaintext-ciphertext  pairs  required  to  uniquely  determine  a key 
under  a known-plaintext  key  search  is  the  known-plaintext  unicity  distance.  This  is  the 
smallest  integer  t such  that  a history  of  length  t makes  false  key  hits  improbable. 

Using  Fact  7.35,  the  (known-plaintext)  unicity  distance  of  a cascade  of  L random  ci- 
phers can  be  estimated.  Less  than  one  false  hit  is  expected  when  t > Lk/n. 

7.35 Fact For an $L$-stage cascade of random block ciphers with $n$-bit blocks and $k$-bit keys, the expected number of false key hits for a history of length $t$ is about $2^{Lk - tn}$.

Fact 7.35 holds with respect to random block ciphers defined as follows (cf. Definitions 7.2 and 7.70): given $n$ and $k$, of the possible $(2^n)!$ permutations on $2^n$ elements, choose $2^k$ randomly and with equal probabilities, and associate these with the $2^k$ keys.

7.36 Example (meet-in-the-middle - double-DES) Applying Fact 7.33 to DES ($n = 64$, $k = 56$), the number of candidate key pairs expected for one $(P, C)$ pair is $2^{48} = 2^k \cdot 2^k / 2^n$, and the likelihood of a false key pair satisfying a second $(P', C')$ sample is $2^{-16} = 2^{48}/2^n$. Thus with high probability, two $(P, C)$ pairs suffice for key determination. This agrees with the unicity distance estimate of Fact 7.35: for $L = 2$, a history of length $t = 2$ yields $2^{-16}$ expected false key hits. □

A naive exhaustive attack on all key pairs in double-DES uses $2^{112}$ time and negligible space, while the meet-in-the-middle attack (Fact 7.33) requires $2^{56}$ time and $2^{56}$ space. Note 7.37 illustrates that the latter can be modified to yield a time-memory trade-off at any point between these two extremes, with the time-memory product essentially constant at $2^{112}$ (e.g., $2^{72}$ time, $2^{40}$ space).

7.37 Note (time-memory tradeoff - double-encryption) In the attack of Example 7.36, memory may be reduced (from tables of $2^{56}$ entries) by independently guessing $s$ bits of each of $K_1$, $K_2$ (for any fixed $s$, $0 \le s \le k$). The tables then each have $2^{k-s}$ entries (fixing $s$ key bits shrinks each table by a factor of $2^s$), but the attack must be run over $2^s \cdot 2^s$ pairs of such tables to allow all possible key pairs. The memory requirement is $2 \cdot 2^{k-s}$ entries (each $n + k - s$ bits, omitting $s$ fixed key bits), while time is on the order of $2^{2s} \cdot 2^{k-s} = 2^{k+s}$. The time-memory product is $2^{2k+1}$.

7.38 Note (generalized meet-in-the-middle trade-off) Variations of Note 7.37 allow time-space tradeoffs for meet-in-the-middle key search on any concatenation of $L \ge 2$ ciphers. For $L$ even, meeting between the first and last $L/2$ stages results in requirements on the order of $2 \cdot 2^{(kL/2)-s}$ space and $2^{(kL/2)+s}$ time, $0 \le s \le kL/2$. For $L$ odd, meeting after the first $(L-1)/2$ and before the last $(L+1)/2$ stages results in requirements on the order of $2 \cdot 2^{k(L-1)/2 - s}$ space and $2^{k(L+1)/2 + s}$ time, $1 \le s \le k(L-1)/2$.

For a block cipher with $k$-bit key, a naive attack on two-key triple encryption (Definition 7.32) involves trying all $2^{2k}$ key pairs. Fact 7.39 notes a chosen-plaintext alternative.

7.39 Fact For an $n$-bit block cipher with $k$-bit key, two-key triple encryption may be defeated by a chosen-plaintext attack requiring on the order of $2^k$ of each of the following: cipher operations, words of $(n + k)$-bit storage, and plaintext-ciphertext pairs with plaintexts chosen.

Justification (chosen-plaintext attack on two-key triple-encryption): Using $2^k$ chosen plaintexts, two-key triple encryption may be reduced to double-encryption as follows. Noting Figure 7.2(b), focus on the case where the result after the first encryption stage is the all-zero vector $A = 0$. For all $2^k$ values $K_1 = i$, compute $P_i = E_i^{-1}(A)$. Submit each resulting $P_i$ as a chosen plaintext, obtaining the corresponding ciphertext $C_i$. For each, compute $B_i = E_i^{-1}(C_i)$, representing an intermediate result $B$ after the second of three encryption stages. Note that the values $P_j$ also represent candidate values $B$ (for the correct $K_1$, $B = D_{K_2}(0) = P_{K_2}$). Sort the values $P_j$ and $B_i$ in a table (using standard hashing for efficiency). Identify the keys corresponding to pairs $P_j = B_i$ as candidate solution key pairs $K_1 = i$, $K_2 = j$ to the given problem. Confirm these by testing each key pair on a small number of additional known plaintext-ciphertext pairs as required.

While  generally  impractical  due  to  the  storage  requirement,  the  attack  of  Fact  7.39  is 
referred  to  as  a certificational  attack  on  two-key  triple  encryption,  demonstrating  it  to  be 
weaker  than  triple  encryption.  This  motivates  consideration  of  triple-encryption  with  three 
independent  keys,  although  a penalty  is  a third  key  to  manage. 

Fact 7.40, stated specifically for DES ($n = 64$, $k = 56$), indicates that for the price of additional computation, the memory requirement in Fact 7.39 may be reduced and the chosen-plaintext condition relaxed to known-plaintext. The attack, however, appears impractical even with extreme parallelization; for example, for $\lg t = 40$, the number of operations is still $2^{80}$.

7.40 Fact If $t$ known plaintext-ciphertext pairs are available, an attack on two-key triple-DES requires $O(t)$ space and $2^{120 - \lg t}$ operations.

(iii)  Multiple-encryption  modes  of  operation 

In contrast to the single modes of operation in Figure 7.1, multiple modes are variants of multiple encryption constructed by concatenating selected single modes. For example, the combination of three single-mode CBC operations provides triple-inner-CBC; an alternative is triple-outer-CBC, the composite operation of triple encryption (per Definition 7.32) with one outer ciphertext feedback after the sequential application of three single-ECB operations. With replicated hardware, multiple modes such as triple-inner-CBC may be pipelined allowing performance comparable to single encryption, offering an advantage over triple-outer-CBC. Unfortunately (Note 7.41), they are often less secure.

7.41 Note (security of triple-inner-CBC) Many multiple modes of operation are weaker than the corresponding multiple-ECB mode (i.e., multiple encryption operating as a black box with only outer feedbacks), and in some cases multiple modes (e.g., ECB-CBC-CBC) are not significantly stronger than single encryption. In particular, under some attacks triple-inner-CBC is significantly weaker than triple-outer-CBC; against other attacks based on the block size (e.g., Note 7.8), it appears stronger.

(iv)  Cascade  ciphers 

Counter-intuitively,  it  is  possible  to  devise  examples  whereby  cascading  of  ciphers  (Def- 
inition 7.29)  actually  reduces  security.  However,  Fact  7.42  holds  under  a wide  variety  of 
attack  models  and  meaningful  definitions  of  “breaking”. 

7.42  Fact  A cascade  of  n (independently  keyed)  ciphers  is  at  least  as  difficult  to  break  as  the 
first  component  cipher.  Corollary:  for  stage  ciphers  which  commute  (e.g.,  additive  stream 
ciphers),  a cascade  is  at  least  as  strong  as  the  strongest  component  cipher. 

Fact  7.42  does  not  apply  to  product  ciphers  consisting  of  component  ciphers  which  may 
have  dependent  keys  (e.g.,  two-key  triple-encryption);  indeed,  keying  dependencies  across 
stages  may  compromise  security  entirely,  as  illustrated  by  a two-stage  cascade  wherein  the 
components  are  two  binary  additive  stream  ciphers  using  an  identical  keystream  - in  this 
case,  the  cascade  output  is  the  original  plaintext. 

Fact  7.42  may  suggest  the  following  practical  design  strategy:  cascade  a set  of  key- 
stream  generators  each  of  which  relies  on  one  or  more  different  design  principles.  It  is  not 
clear,  however,  if  this  is  preferable  to  one  large  keystream  generator  which  relies  on  a single 
principle.  The  cascade  may  turn  out  to  be  less  secure  for  a fixed  set  of  parameters  (number 
of  key  bits,  block  size),  since  ciphers  built  piecewise  may  often  be  attacked  piecewise. 


7.3  Classical  ciphers  and  historical  development 

The  term  classical  ciphers  refers  to  encryption  techniques  which  have  become  well-known 
over  time,  and  generally  created  prior  to  the  second  half  of  the  twentieth  century  ( in  some 
cases,  many  hundreds  of  years  earlier).  Many  classical  techniques  are  variations  of  sim- 
ple substitution  and  simple  transposition.  Some  techniques  that  are  not  technically  block 
ciphers  are  also  included  here  for  convenience  and  context. 
Classical ciphers and techniques are presented under §7.3 for historical and pedagogical reasons only. They illustrate important basic principles and common pitfalls. However, since these techniques are neither sophisticated nor secure against current cryptanalytic capabilities, they are not generally suitable for practical use.


7.3.1  Transposition  ciphers  (background) 

For a simple transposition cipher with fixed period $t$, encryption involves grouping the plaintext into blocks of $t$ characters, and applying to each block a single permutation $e$ on the numbers 1 through $t$. More precisely, the ciphertext corresponding to plaintext block $m = m_1 \ldots m_t$ is $c = E_e(m) = m_{e(1)} \ldots m_{e(t)}$. The encryption key is $e$, which implicitly defines $t$; the key space $\mathcal{K}$ has cardinality $t!$ for a given value $t$. Decryption involves use of the permutation $d$ which inverts $e$. The above corresponds to Definition 1.32.

The  mathematical  notation  obscures  the  simplicity  of  the  encryption  procedure,  as  is 
evident  from  Example  7.43. 

7.43 Example (simple transposition) Consider a simple transposition cipher with $t = 6$ and $e = (6\ 4\ 1\ 3\ 5\ 2)$. The message $m =$ CAESAR is encrypted to $c =$ RSCEAA. Decryption uses the inverse permutation $d = (3\ 6\ 4\ 2\ 5\ 1)$. The transposition may be represented by a two-row matrix with the second row indicating the position to which the element indexed by the corresponding number of the first row is mapped: $\begin{pmatrix} 1 & 2 & 3 & 4 & 5 & 6 \\ 3 & 6 & 4 & 2 & 5 & 1 \end{pmatrix}$. Encryption may be done by writing a block of plaintext under headings "3 6 4 2 5 1", and then reading off the characters under the headings in numerical order. □

7.44  Note  ( terminology : transposition  vs.  permutation ) While  the  term  “transposition”  is  tra- 
ditionally used  to  describe  a transposition  cipher,  the  mapping  of  Example  7.43  may  alter- 
nately be  called  a permutation  on  the  set  {1,2,...  , 6}.  The  latter  terminology  is  used,  for 
example,  in  substitution-permutation  networks,  and  in  DES  (§7.4). 

A mnemonic keyword may be used in place of a key, although this may seriously decrease the key space entropy. For example, for $t = 6$, the keyword "CIPHER" could be used to specify the column ordering 1, 5, 4, 2, 3, 6 (by alphabetic priority: the columns are read in the order in which their keyword letters occur in the alphabet, C, E, H, I, P, R).

7.45 Definition Sequential composition of two or more simple transpositions with respective periods $t_1, t_2, \ldots, t_i$ is called a compound transposition.

7.46 Fact The compound transposition of Definition 7.45 is equivalent to a simple transposition of period $t = \mathrm{lcm}(t_1, \ldots, t_i)$.

7.47  Note  ( recognizing  simple  transposition)  Although  simple  transposition  ciphers  alter  de- 
pendencies between  consecutive  characters,  they  are  easily  recognized  because  they  pre- 
serve the  frequency  distribution  of  each  character. 


7.3.2  Substitution  ciphers  (background) 

This  section  considers  the  following  types  of  classical  ciphers:  simple  (or  mono-alphabetic) 
substitution,  polygram  substitution,  and  homophonic  substitution.  The  difference  between 
codes  and  ciphers  is  also  noted.  Polyalphabetic  substitution  ciphers  are  considered  in  §7.3.3. 
(i) Mono-alphabetic substitution

Suppose the ciphertext and plaintext character sets are the same. Let $m = m_1 m_2 m_3 \ldots$ be a plaintext message consisting of juxtaposed characters $m_i \in \mathcal{A}$, where $\mathcal{A}$ is some fixed character alphabet such as $\mathcal{A} = \{A, B, \ldots, Z\}$. A simple substitution cipher or mono-alphabetic substitution cipher employs a permutation $e$ over $\mathcal{A}$, with encryption mapping $E_e(m) = e(m_1)e(m_2)e(m_3)\ldots$. Here juxtaposition indicates concatenation (rather than multiplication), and $e(m_i)$ is the character to which $m_i$ is mapped by $e$. This corresponds to Definition 1.27.

7.48 Example (trivial shift cipher/Caesar cipher) A shift cipher is a simple substitution cipher with the permutation $e$ constrained to an alphabetic shift through $k$ characters for some fixed $k$. More precisely, if $|\mathcal{A}| = s$, and $m_i$ is associated with the integer value $i$, $0 \le i \le s - 1$, then $c_i = e(m_i) = m_i + k \bmod s$. The decryption mapping is defined by $d(c_i) = c_i - k \bmod s$. For English text, $s = 26$, and characters A through Z are associated with integers 0 through 25. For $k = 1$, the message $m =$ HAL is encrypted to $c =$ IBM. According to folklore, Julius Caesar used the key $k = 3$. □

The shift cipher can be trivially broken because there are only $s = |\mathcal{A}|$ keys (e.g., $s = 26$) to exhaustively search. A similar comment holds for affine ciphers (Example 7.49). More generally, see Fact 7.68.

7.49 Example (affine cipher - historical) The affine cipher on a 26-letter alphabet is defined by $e_K(x) = ax + b \bmod 26$, where $0 \le a, b \le 25$. The key is $(a, b)$. Ciphertext $c = e_K(x)$ is decrypted using $d_K(c) = (c - b)a^{-1} \bmod 26$, with the necessary and sufficient condition for invertibility that $\gcd(a, 26) = 1$. Shift ciphers are a subclass defined by $a = 1$. □

7.50  Note  ( recognizing  simple  substitution)  Mono-alphabetic  substitution  alters  the  frequency 
of  individual  plaintext  characters,  but  does  not  alter  the  frequency  distribution  of  the  overall 
character  set.  Thus,  comparing  ciphertext  character  frequencies  to  a table  of  expected  letter 
frequencies  (unigram  statistics)  in  the  plaintext  language  allows  associations  between  ci- 
phertext and  plaintext  characters.  (E.g.,  if  the  most  frequent  plaintext  character  X occurred 
twelve  times,  then  the  ciphertext  character  that  X maps  to  will  occur  twelve  times). 

(ii) Polygram substitution

A simple substitution cipher substitutes for single plaintext letters. In contrast, polygram substitution ciphers involve groups of characters being substituted by other groups of characters. For example, sequences of two plaintext characters (digrams) may be replaced by other digrams. The same may be done with sequences of three plaintext characters (trigrams), or more generally using $n$-grams.

In full digram substitution over an alphabet of 26 characters, the key may be any of the $26^2$ digrams, arranged in a table with row and column indices corresponding to the first and second characters in the digram, and the table entries being the ciphertext digrams substituted for the plaintext pairs. There are then $(26^2)!$ keys.

7.51 Example (Playfair cipher - historical) A digram substitution may be defined by arranging the characters of a 25-letter alphabet (I and J are equated) in a $5 \times 5$ matrix $M$. Adjacent plaintext characters are paired. The pair $(p_1, p_2)$ is replaced by the digram $(c_3, c_4)$ as follows. If $p_1$ and $p_2$ are in distinct rows and columns, they define the corners of a submatrix (possibly $M$ itself), with the remaining corners $c_3$ and $c_4$; $c_3$ is defined as the character in the same column as $p_1$. If $p_1$ and $p_2$ are in a common row, $c_3$ is defined as the character immediately to the right of $p_1$ and $c_4$ that immediately right of $p_2$ (the first column is viewed as being to the right of the last). If $p_1$ and $p_2$ are in the same column, the characters immediately (circularly) below them are $c_3$ and $c_4$. If $p_1 = p_2$, an infrequent plaintext character (e.g., X) is inserted between them and the plaintext is re-grouped. While cryptanalysis based on single character frequencies fails for the Playfair cipher (each letter may be replaced by any other), cryptanalysis employing digram frequencies succeeds. □

The key for a Playfair cipher is the $5 \times 5$ square. A mnemonic aid may be used to more easily remember the square. An example is the use of a meaningful keyphrase, with repeated letters deleted and the remaining alphabet characters included alphabetically at the end. The keyphrase "PLAYFAIR IS A DIGRAM CIPHER" would define a square with rows PLAYF, IRSDG, MCHEB, KNOQT, UVWXZ (Y already appears in the first row, and J is folded into I). To avoid the trailing characters always being from the end of the alphabet, a further shift cipher (Example 7.48) could be applied to the resulting 25-character string.

Use  of  keyphrases  may  seriously  reduce  the  key  space  entropy.  This  effect  is  reduced 
if  the  keyphrase  is  not  directly  written  into  the  square.  For  example,  the  non-repeated  key- 
phrase characters  might  be  written  into  an  8-column  rectangle  (followed  by  the  remaining 
alphabet  letters),  the  trailing  columns  being  incomplete.  The  25-character  string  obtained 
by  reading  the  columns  vertically  is  then  used  to  fill  the  5x5  square  row  by  row. 
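The constructions of §7.3.1 and this section, as an added example that is not from the Handbook: the transposition of Example 7.43 with its inverse and the keyword rule, the shift and affine ciphers of Examples 7.48 and 7.49, and the Playfair square and digram rules of Example 7.51. Conventions the text leaves open are assumptions of this example: messages are upper-case A-Z with J folded into I, a trailing odd letter in Playfair is padded with X, and a rectangle pair follows the text's wording that $c_3$ is the corner in the same column as $p_1$.

```python
"""Classical ciphers of §7.3.1-7.3.2 (added example, not the Handbook's code).
Assumptions: upper-case A-Z input, J folded into I for Playfair, odd-length
Playfair input padded with X, and the text's rectangle convention."""
from math import gcd


def transpose(block: str, e: tuple) -> str:
    """c = m_{e(1)} ... m_{e(t)}; e is 1-based, as in the text."""
    assert len(block) == len(e)
    return "".join(block[i - 1] for i in e)


def inverse_perm(e: tuple) -> tuple:
    """d with d(e(i)) = i, so transpose(transpose(m, e), d) == m."""
    d = [0] * len(e)
    for pos, val in enumerate(e, start=1):
        d[val - 1] = pos
    return tuple(d)


def keyword_perm(keyword: str) -> tuple:
    """Read the columns in alphabetical order of the keyword letters
    (ties broken left to right); "CIPHER" -> (1, 5, 4, 2, 3, 6)."""
    order = sorted(range(len(keyword)), key=lambda i: (keyword[i], i))
    return tuple(i + 1 for i in order)


def affine_encrypt(text: str, a: int, b: int) -> str:
    """e_K(x) = a x + b mod 26; the shift cipher is the case a = 1."""
    if gcd(a, 26) != 1:
        raise ValueError("a must be invertible mod 26")
    return "".join(chr((a * (ord(ch) - 65) + b) % 26 + 65) for ch in text)


def affine_decrypt(text: str, a: int, b: int) -> str:
    """d_K(c) = (c - b) a^{-1} mod 26."""
    a_inv = pow(a, -1, 26)                      # modular inverse (Python 3.8+)
    return "".join(chr(((ord(ch) - 65 - b) * a_inv) % 26 + 65) for ch in text)


def playfair_square(keyphrase: str) -> list:
    """Keyphrase letters (repeats dropped, J->I) followed by the rest of the
    25-letter alphabet, written row by row into a 5x5 square."""
    seen, order = set(), []
    for ch in keyphrase.upper().replace("J", "I") + "ABCDEFGHIKLMNOPQRSTUVWXYZ":
        if ch.isalpha() and ch not in seen:
            seen.add(ch)
            order.append(ch)
    return ["".join(order[r:r + 5]) for r in range(0, 25, 5)]


def playfair_pairs(text: str) -> list:
    """Split into digrams, inserting X between a doubled letter (p1 = p2)."""
    letters = [ch for ch in text.upper().replace("J", "I") if ch.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        p1 = letters[i]
        p2 = letters[i + 1] if i + 1 < len(letters) else "X"   # pad (assumption)
        if p1 == p2:
            p2 = "X"                            # insert X and re-group
            i += 1
        else:
            i += 2
        pairs.append(p1 + p2)
    return pairs


def playfair_encrypt(text: str, square: list) -> str:
    """Digram rules of Example 7.51; for a rectangle, c3 is the corner in the
    same column as p1 (the text's convention)."""
    where = {ch: (r, c) for r, row in enumerate(square) for c, ch in enumerate(row)}
    out = []
    for p1, p2 in playfair_pairs(text):
        (r1, c1), (r2, c2) = where[p1], where[p2]
        if r1 == r2:                            # same row: next to the right
            out.append(square[r1][(c1 + 1) % 5] + square[r2][(c2 + 1) % 5])
        elif c1 == c2:                          # same column: next below
            out.append(square[(r1 + 1) % 5][c1] + square[(r2 + 1) % 5][c2])
        else:                                   # rectangle: the other corners
            out.append(square[r2][c1] + square[r1][c2])
    return "".join(out)
```

Because the page's own values are deterministic they serve as checks: CAESAR under $e = (6\ 4\ 1\ 3\ 5\ 2)$ gives RSCEAA and $d = (3\ 6\ 4\ 2\ 5\ 1)$ reverses it, HAL under $k = 1$ gives IBM, "CIPHER" gives the column order 1, 5, 4, 2, 3, 6, and the keyphrase above gives the square PLAYF, IRSDG, MCHEB, KNOQT, UVWXZ. Note that `transpose` and `affine_encrypt` preserve single-letter frequency statistics exactly as Notes 7.47 and 7.50 describe, which is why these ciphers are recognised and broken so easily.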

7.52 Example (Hill cipher - historical) An $n$-gram substitution may be defined using an invertible $n \times n$ matrix $A = (a_{ij})$ as the key to map an $n$-character plaintext $m_1 \ldots m_n$ to a ciphertext $n$-gram $c_i = \sum_{j=1}^{n} a_{ij} m_j$, $i = 1, \ldots, n$. Decryption involves using $A^{-1}$. Here characters A-Z, for example, are associated with integers 0-25. This polygram substitution cipher is a linear transformation, and falls under known-plaintext attack. □

(iii) Homophonic substitution

The idea of homophonic substitution, introduced in §1.5, is for each fixed key $k$ to associate with each plaintext unit (e.g., character) $m$ a set $S(k, m)$ of potential corresponding ciphertext units (generally all of common size). To encrypt $m$ under $k$, randomly choose one element from this set as the ciphertext. To allow decryption, for each fixed key this one-to-many encryption function must be injective on ciphertext space. Homophonic substitution results in ciphertext data expansion.

In homophonic substitution, $|S(k, m)|$ should be proportional to the frequency of $m$ in the message space. The motivation is to smooth out obvious irregularities in the frequency distribution of ciphertext characters, which result from irregularities in the plaintext frequency distribution when simple substitution is used.

While homophonic substitution complicates cryptanalysis based on simple frequency distribution statistics, sufficient ciphertext may nonetheless allow frequency analysis, in conjunction with additional statistical properties of plaintext manifested in the ciphertext. For example, in long ciphertexts each element of $S(k, m)$ will occur roughly the same number of times. Digram distributions may also provide information.

(iv)  Codes  vs.  ciphers 

A technical  distinction  is  made  between  ciphers  and  codes.  Ciphers  are  encryption  tech- 
niques which  are  applied  to  plaintext  units  (bits,  characters,  or  blocks)  independent  of  their 
semantic  or  linguistic  meaning;  the  result  is  called  ciphertext.  In  contrast,  cryptographic 
codes  operate  on  linguistic  units  such  as  words,  groups  of  words,  or  phrases,  and  substitute 
(replace)  these  by  designated  words,  letter  groups,  or  number  groups  called  codegroups. 
The  key  is  a dictionary-like  codebook  listing  plaintext  units  and  their  corresponding  code- 
groups, indexed  by  the  former;  a corresponding  codebook  for  decoding  is  reverse-indexed. 
When there is potential ambiguity, codes in this context (vs. ciphers) may be qualified as cryptographic codebooks, to avoid confusion with error-correcting codes (EC-codes) used to detect and/or correct non-malicious errors and authentication codes (A-codes, or MACs as per Definition 9.7) which provide data origin authentication.

Several  factors  suggest  that  codes  may  be  more  difficult  to  break  than  ciphers:  the  key 
(codebook)  is  vastly  larger  than  typical  cipher  keys;  codes  may  result  in  data  compression 
(cf.  Fact  7.71);  and  statistical  analysis  is  complicated  by  the  large  plaintext  unit  block  size 
(cf.  Note  7.74).  Opposing  this  are  several  major  disadvantages:  the  coding  operation  not 
being  easily  automated  (relative  to  an  algorithmic  mapping);  and  identical  encryption  of  re- 
peated occurrences  of  plaintext  units  implies  susceptibility  to  known-plaintext  attacks,  and 
allows  frequency  analysis  based  on  observed  traffic.  This  implies  a need  for  frequent  rekey- 
ing (changing  the  codebook),  which  is  both  more  costly  and  inconvenient.  Consequently, 
codes  are  not  commonly  used  to  secure  modern  telecommunications. 


7.3.3 Polyalphabetic substitutions and Vigenere ciphers (historical)

A simple  substitution  cipher  involves  a single  mapping  of  the  plaintext  alphabet  onto  ci- 
phertext characters.  A more  complex  alternative  is  to  use  different  substitution  mappings 
(called  multiple  alphabets ) on  various  portions  of  the  plaintext.  This  results  in  so-called 
polyalphabetic  substitution  (also  introduced  in  Definition  1.30).  In  the  simplest  case,  the 
different  alphabets  are  used  sequentially  and  then  repeated,  so  the  position  of  each  plain- 
text character  in  the  source  string  determines  which  mapping  is  applied  to  it.  Under  different 
alphabets,  the  same  plaintext  character  is  thus  encrypted  to  different  ciphertext  characters, 
precluding  simple  frequency  analysis  as  per  mono-alphabetic  substitution  (§7.3.5). 

The  simple  Vigenere  cipher  is  a polyalphabetic  substitution  cipher,  introduced  in  Ex- 
ample 1.31.  The  definition  is  repeated  here  for  convenience. 

7.53 Definition A simple Vigenere cipher of period $t$, over an $s$-character alphabet, involves a $t$-character key $k_1 k_2 \cdots k_t$. The mapping of plaintext $m = m_1 m_2 m_3 \ldots$ to ciphertext $c = c_1 c_2 c_3 \ldots$ is defined on individual characters by $c_i = m_i + k_i \bmod s$, where subscript $i$ in $k_i$ is taken modulo $t$ (the key is re-used).

The simple Vigenere uses $t$ shift ciphers (see Example 7.48), defined by $t$ shift values $k_i$, each specifying one of $s$ (mono-alphabetic) substitutions; $k_i$ is used on the characters in position $i$, $i + s$, $i + 2s$, .... In general, each of the $t$ substitutions is different; this is referred to as using $t$ alphabets rather than a single substitution mapping. The shift cipher (Example 7.48) is a simple Vigenere with period $t = 1$.

7.54 Example (Beaufort variants of Vigenere) Compared to the simple Vigenere mapping $c_i = m_i + k_i \bmod s$, the Beaufort cipher has $c_i = k_i - m_i \bmod s$, and is its own inverse. The variant Beaufort has encryption mapping $c_i = m_i - k_i \bmod s$. □

7.55 Example (compound Vigenere) The compound Vigenere has encryption mapping $c_i = m_i + (k^1_i + k^2_i + \cdots + k^r_i) \bmod s$, where in general the keys $k^j$, $1 \le j \le r$, have distinct periods $t_j$, and the subscript $i$ in $k^j_i$, indicating the $i$th character of $k^j$, is taken modulo $t_j$. This corresponds to the sequential application of $r$ simple Vigeneres, and is equivalent to a simple Vigenere of period $\mathrm{lcm}(t_1, \ldots, t_r)$. □
7.56 Example (single mixed alphabet Vigenere) A simple substitution mapping defined by a general permutation $e$ (not restricted to an alphabetic shift), followed by a simple Vigenere, is defined by the mapping $c_i = e(m_i) + k_i \bmod s$, with inverse $m_i = e^{-1}(c_i - k_i) \bmod s$. An alternative is a simple Vigenere followed by a simple substitution: $c_i = e(m_i + k_i \bmod s)$, with inverse $m_i = e^{-1}(c_i) - k_i \bmod s$. □
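Definition 7.53 and Examples 7.54 through 7.56 in working form, as an added example that is not from the Handbook: a simple Vigenere over the 26-letter Roman alphabet, the Beaufort and variant Beaufort, a compound Vigenere together with the single key of period lcm(t_1, ..., t_r) that it collapses to, and the mixed-alphabet form with its inverse. The function names, the sample key and the permutation EXAMPLE_PERM are this example's own assumptions; keys are assumed to consist of letters only.

```python
# Added example (not from the Handbook): the simple Vigenere of Definition 7.53
# and the Beaufort, compound and mixed-alphabet variants of Examples 7.54-7.56.
import string
from math import lcm

ALPHA = string.ascii_uppercase
S = 26                                          # alphabet size s
EXAMPLE_PERM = "QWERTYUIOPASDFGHJKLZXCVBNM"     # a constructed permutation e


def _nums(text):
    """Letters -> integers 0..25 (non-letters are dropped)."""
    return [ALPHA.index(c) for c in text.upper() if c in ALPHA]


def _text(nums):
    return "".join(ALPHA[x % S] for x in nums)


def vigenere(text, key, decrypt=False):
    """c_i = m_i + k_i mod s, the subscript of k taken modulo t = len(key).
    Decryption subtracts the same key stream."""
    k = _nums(key)
    t = len(k)
    sign = -1 if decrypt else 1
    return _text(x + sign * k[i % t] for i, x in enumerate(_nums(text)))


def beaufort(text, key):
    """c_i = k_i - m_i mod s (Example 7.54).  Applying it twice with the same
    key returns the input, so one function both encrypts and decrypts."""
    k = _nums(key)
    t = len(k)
    return _text(k[i % t] - x for i, x in enumerate(_nums(text)))


def variant_beaufort(text, key):
    """c_i = m_i - k_i mod s (Example 7.54): identical to Vigenere decryption."""
    return vigenere(text, key, decrypt=True)


def compound_vigenere(text, keys):
    """Example 7.55: r simple Vigeneres applied in sequence."""
    for key in keys:
        text = vigenere(text, key)
    return text


def equivalent_key(keys):
    """The shifts of a compound Vigenere add, so it equals one simple Vigenere
    whose key has period lcm(t_1, ..., t_r); this builds that key."""
    ks = [_nums(k) for k in keys]
    period = lcm(*(len(k) for k in ks))
    return _text(sum(k[i % len(k)] for k in ks) for i in range(period))


def mixed_alphabet_vigenere(text, perm, key):
    """Example 7.56, first form: c_i = e(m_i) + k_i mod s, where e is a general
    permutation of the alphabet given as a 26-letter string."""
    e = _nums(perm)
    assert sorted(e) == list(range(S)), "perm must be a permutation of A..Z"
    return vigenere(_text(e[x] for x in _nums(text)), key)


def mixed_alphabet_decrypt(ciphertext, perm, key):
    """Inverse of the above: m_i = e^{-1}(c_i - k_i mod s)."""
    e = _nums(perm)
    e_inv = [0] * S
    for a, b in enumerate(e):
        e_inv[b] = a
    return _text(e_inv[x] for x in _nums(vigenere(ciphertext, key, decrypt=True)))


if __name__ == "__main__":
    pt, key = "ATTACKATDAWN", "LEMON"          # constructed sample
    ct = vigenere(pt, key)
    print("Vigenere :", ct, "->", vigenere(ct, key, decrypt=True))
    print("Beaufort :", beaufort(pt, key), "->", beaufort(beaufort(pt, key), key))
    keys = ["AB", "ABC"]
    print("compound with keys", keys, "equals simple key", equivalent_key(keys),
          compound_vigenere(pt, keys) == vigenere(pt, equivalent_key(keys)))
    mixed = mixed_alphabet_vigenere(pt, EXAMPLE_PERM, key)
    print("mixed    :", mixed, "->", mixed_alphabet_decrypt(mixed, EXAMPLE_PERM, key))
```

The equivalent_key function is the concrete content of the last sentence of Example 7.55: compounding keys of periods 2 and 3 gains nothing over a single key of period 6.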

7.57 Example (full Vigenere) In a simple Vigenere of period $t$, replace the mapping defined by the shift value $k_i$ (for shifting character $m_i$) by a general permutation $e_i$ of the alphabet. The result is the substitution mapping $c_i = e_i(m_i)$, where the subscript $i$ in $e_i$ is taken modulo $t$. The key consists of $t$ permutations $e_1, \ldots, e_t$. □

7.58 Example (running-key Vigenere) If the keystream $k_i$ of a simple Vigenere is as long as the plaintext, the cipher is called a running-key cipher. For example, the key may be meaningful text from a book. □

While  running-key  ciphers  prevent  cryptanalysis  by  the  Kasiski  method  (§7.3.5),  if  the 
key  has  redundancy,  cryptanalysis  exploiting  statistical  imbalances  may  nonetheless  suc- 
ceed. For  example,  when  encrypting  plaintext  English  characters  using  a meaningful  text 
as  a running  key,  cryptanalysis  is  possible  based  on  the  observation  that  a significant  pro- 
portion of  ciphertext  characters  results  from  the  encryption  of  high-frequency  running  text 
characters  with  high-frequency  plaintext  characters. 

7.59  Fact  A running-key  cipher  can  be  strengthened  by  successively  enciphering  plaintext  un- 
der two  or  more  distinct  running  keys.  For  typical  English  plaintext  and  running  keys,  it 
can  be  shown  that  iterating  four  such  encipherments  appears  unbreakable. 

7.60  Definition  An  auto-key  cipher  is  a cipher  wherein  the  plaintext  itself  serves  as  the  key 
(typically  subsequent  to  the  use  of  an  initial  priming  key). 

7.61 Example (auto-key Vigenere) In a running-key Vigenere (Example 7.58) with an $s$-character alphabet, define a priming key $k = k_1 k_2 \cdots k_t$. Plaintext characters $m_i$ are encrypted as $c_i = m_i + k_i \bmod s$ for $1 \le i \le t$ (simplest case: $t = 1$). For $i > t$, $c_i = (m_i + m_{i-t}) \bmod s$. An alternative involving more keying material is to replace the simple shift by a full Vigenere with permutations $e_i$, $1 \le i \le s$, defined by the key $k_i$ or character $m_i$: for $1 \le i \le t$, $c_i = e_{k_i}(m_i)$, and for $i > t$, $c_i = e_{m_{i-t}}(m_i)$. □

An alternative to Example 7.61 is to auto-key a cipher using the resulting ciphertext as the key: for example, for $i > t$, $c_i = (m_i + c_{i-t}) \bmod s$. This, however, is far less desirable, as it provides an eavesdropping cryptanalyst the key itself.
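The plaintext-keyed auto-key of Example 7.61 (shift form) and the ciphertext-keyed alternative just described, as an added example that is not from the Handbook. Both are shown with their decryption routines; strip_ciphertext_autokey makes the last sentence concrete by recovering every character after the priming key from the ciphertext alone, using only the period t. The function names and the sample priming keys are this example's own.

```python
# Added example (not from the Handbook): auto-key Vigenere (Example 7.61, shift
# form) and the ciphertext-keyed variant, over the 26-letter alphabet.
import string

ALPHA = string.ascii_uppercase
S = 26


def _nums(text):
    return [ALPHA.index(c) for c in text.upper() if c in ALPHA]


def _text(nums):
    return "".join(ALPHA[x % S] for x in nums)


def autokey_encrypt(plaintext, priming_key):
    """c_i = m_i + k_i for the first t characters, then c_i = m_i + m_{i-t}:
    the key stream is the priming key followed by the plaintext itself."""
    m, k = _nums(plaintext), _nums(priming_key)
    stream = k + m
    return _text(m[i] + stream[i] for i in range(len(m)))


def autokey_decrypt(ciphertext, priming_key):
    """Each recovered plaintext character becomes key material t places later."""
    c, k = _nums(ciphertext), _nums(priming_key)
    t = len(k)
    m = []
    for i, ci in enumerate(c):
        key_char = k[i] if i < t else m[i - t]
        m.append((ci - key_char) % S)
    return _text(m)


def ciphertext_autokey_encrypt(plaintext, priming_key):
    """Alternative: c_i = m_i + c_{i-t} for i > t (ciphertext as key)."""
    m, k = _nums(plaintext), _nums(priming_key)
    t = len(k)
    c = []
    for i, mi in enumerate(m):
        key_char = k[i] if i < t else c[i - t]
        c.append((mi + key_char) % S)
    return _text(c)


def ciphertext_autokey_decrypt(ciphertext, priming_key):
    c, k = _nums(ciphertext), _nums(priming_key)
    t = len(k)
    return _text(c[i] - (k[i] if i < t else c[i - t]) for i in range(len(c)))


def strip_ciphertext_autokey(ciphertext, t):
    """Why the ciphertext-keyed form is undesirable: for i > t the key character
    c_{i-t} is itself in the ciphertext, so m_i = c_i - c_{i-t} needs no secret.
    Only the first t characters (shown as '?') depend on the priming key."""
    c = _nums(ciphertext)
    return "?" * min(t, len(c)) + _text(c[i] - c[i - t] for i in range(t, len(c)))


if __name__ == "__main__":
    pt = "ATTACKATDAWN"                       # constructed sample
    for priming in ("K", "KEY"):
        ct = autokey_encrypt(pt, priming)
        print("plaintext-keyed  t=%d:" % len(priming), ct, "->", autokey_decrypt(ct, priming))
        ct2 = ciphertext_autokey_encrypt(pt, priming)
        print("ciphertext-keyed t=%d:" % len(priming), ct2, "->",
              ciphertext_autokey_decrypt(ct2, priming),
              " without key:", strip_ciphertext_autokey(ct2, len(priming)))
```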

7.62 Example (Vernam viewed as a Vigenere) Consider a simple Vigenere defined by $c_i = m_i + k_i \bmod s$. If the keystream is truly random and independent - as long as the plaintext and never repeated (cf. Example 7.58) - this yields the unconditionally secure Vernam cipher (Definition 1.39; §6.1.1), generalized from a binary to an arbitrary alphabet. □


7.3.4  Polyalphabetic  cipher  machines  and  rotors  (historical) 

The  Jefferson  cylinder  is  a deceptively  simple  device  which  implements  a polyalphabetic 
substitution  cipher;  conceived  in  the  late  18th  century,  it  had  remarkable  cryptographic 
strength for its time. Polyalphabetic substitution ciphers implemented by a class of rotor-based machines were the dominant cryptographic tool in World War II. Such machines, including the Enigma machine and those of Hagelin, have an alphabet which changes continuously for a very long period before repeating; this provides protection against Kasiski analysis and methods based on the index of coincidence (§7.3.5).

(i)  Jefferson  cylinder 

The  Jefferson  cylinder  (Figure  7.3)  implements  a polyalphabetic  substitution  cipher  while 
avoiding  complex  machinery,  extensive  user  computations,  and  Vigenere  tableaus.  A solid 
cylinder  6 inches  long  is  sliced  into  36  disks.  A rod  inserted  through  the  cylinder  axis  allows 
the  disks  to  rotate.  The  periphery  of  each  disk  is  divided  into  26  parts.  On  each  disk,  the 
letters A-Z are inscribed in a (different) random ordering. Plaintext messages are encrypted
in  36-character  blocks.  A reference  bar  is  placed  along  the  cylinder’s  length.  Each  of  the 
36  wheels  is  individually  rotated  to  bring  the  appropriate  character  (matching  the  plaintext 
block)  into  position  along  the  reference  line.  The  25  other  parallel  reference  positions  then 
each  define  a ciphertext,  from  which  (in  an  early  instance  of  randomized  encryption)  one  is 
selected  as  the  ciphertext  to  transmit. 
Figure 7.3: The Jefferson cylinder.


The  second  party  possesses  a cylinder  with  identically  marked  and  ordered  disks  (1- 
36).  The  ciphertext  is  decrypted  by  rotating  each  of  the  36  disks  to  obtain  characters  along 
a fixed  reference  line  matching  the  ciphertext.  The  other  25  reference  positions  are  exam- 
ined for  a recognizable  plaintext.  If  the  original  message  is  not  recognizable  (e.g.,  random 
data),  both  parties  agree  beforehand  on  an  index  1 through  25  specifying  the  offset  between 
plaintext  and  ciphertext  lines. 

To accommodate plaintext digits 0-9 without extra disk sections, each digit is permanently assigned to one of 10 letters (a,e,i,o,u,y and f,l,r,s) which is encrypted as above but annotated with an overhead dot, identifying that the procedure must be reversed. Reordering disks (1 through 36) alters the polyalphabetic substitution key. The number of possible orderings is $36! \approx 3.72 \times 10^{41}$. Changing the ordering of letters on each disk affords $25!$ further mappings (per disk), but is more difficult in practice.

(ii)  Rotor-based  machines  - technical  overview 

A simplified generic rotor machine (Figure 7.4) consists of a number of rotors (wired codewheels) each implementing a different fixed mono-alphabetic substitution, mapping a char-
acter at  its  input  face  to  one  on  its  output  face.  A plaintext  character  input  to  the  first  rotor 
generates  an  output  which  is  input  to  the  second  rotor,  and  so  on,  until  the  final  ciphertext 
character  emerges  from  the  last.  For  fixed  rotor  positions,  the  bank  of  rotors  collectively 
implements  a mono-alphabetic  substitution  which  is  the  composition  of  the  substitutions 
defined  by  the  individual  rotors. 

To provide polyalphabetic substitution, the encipherment of each plaintext character causes various rotors to move. The simplest case is an odometer-like movement, with a single rotor stepped until it completes a full revolution, at which time it steps the adjacent rotor one position, and so on. Stepping a rotor changes the mono-alphabetic substitution it defines (the active mapping). More precisely, each rotor $R_i$ effects a mono-alphabetic substitution $f_i$. $R_i$ can rotate into $R$ positions (e.g., $R = 26$). When offset $j$ places from a reference setting, $R_i$ maps input $a$ to $f_i(a - j) + j$, where both the input to $f_i$ and the final output are reduced mod 26.

The  cipher  key  is  defined  by  the  mono-alphabetic  substitutions  determined  by  the  fixed 
wheel  wirings  and  initial  rotor  positions.  Re-arranging  the  order  of  rotors  provides  addi- 
tional variability.  Providing  a machine  with  more  rotors  than  necessary  for  operation  at 
any  one  time  allows  further  keying  variation  (by  changing  the  active  rotors). 

7.63 Fact Two properties of rotor machines desirable for security-related reasons are: (1) long periods; and (2) state changes which are almost all "large".

The  second  property  concerns  the  motion  of  rotors  relative  to  each  other,  so  that  the 
sub-mappings  between  rotor  faces  change  when  the  state  changes.  Rotor  machines  with 
odometer-like  state  changes  fail  to  achieve  this  second  property. 
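The generic rotor machine of the preceding paragraphs, as an added example that is not from the Handbook and models no particular historical machine: each rotor is a fixed permutation f_i that at offset j maps a to f_i(a - j) + j mod 26, the bank composes the rotors, and odometer-like stepping advances the first rotor on every character with a carry into the next rotor on each full revolution. The three wirings, the class and method names, and the convention that rotors step before each character are this example's own assumptions. The period method counts characters until all offsets return to their start, which for odometer stepping is 26^r; the comparison of "AAAA" under fixed and stepping rotors shows the polyalphabetic effect.

```python
# Added example (not from the Handbook): a generic rotor machine with the
# offset rule f_i(a - j) + j mod 26 and odometer-like stepping.
import string

ALPHA = string.ascii_uppercase
R = 26                                   # positions per rotor

# Constructed wirings (each a permutation of A..Z); the first rotor is listed
# first and steps on every character.
WIRINGS = ["QWERTYUIOPASDFGHJKLZXCVBNM",
           "ZYXWVUTSRQPONMLKJIHGFEDCBA",
           "BCDEFGHIJKLMNOPQRSTUVWXYZA"]


class Rotor:
    def __init__(self, wiring, offset=0):
        self.f = [ALPHA.index(c) for c in wiring]          # f_i
        assert sorted(self.f) == list(range(R)), "wiring must be a permutation"
        self.f_inv = [0] * R
        for a, b in enumerate(self.f):
            self.f_inv[b] = a
        self.offset = offset % R                           # j

    def forward(self, a):
        """f_i(a - j) + j, input and output reduced mod R."""
        return (self.f[(a - self.offset) % R] + self.offset) % R

    def backward(self, c):
        """Inverse of forward at the same offset, used for decryption."""
        return (self.f_inv[(c - self.offset) % R] + self.offset) % R

    def step(self):
        """Advance one place; True when a full revolution completes (carry)."""
        self.offset = (self.offset + 1) % R
        return self.offset == 0


class RotorMachine:
    def __init__(self, wirings=WIRINGS, positions=(), stepping=True):
        self.rotors = [Rotor(w) for w in wirings]
        for rotor, j in zip(self.rotors, positions):      # initial positions
            rotor.offset = j % R
        self.stepping = stepping

    def _step(self):
        # Odometer: the first rotor steps every time; each rotor carries into
        # the next only when it completes a revolution.
        for rotor in self.rotors:
            if not rotor.step():
                break

    def _process(self, text, decrypt):
        out = []
        for ch in text.upper():
            if ch not in ALPHA:
                continue
            if self.stepping:
                self._step()                 # rotors move before each character
            a = ALPHA.index(ch)
            if decrypt:
                for rotor in reversed(self.rotors):
                    a = rotor.backward(a)
            else:
                for rotor in self.rotors:    # composition of the substitutions
                    a = rotor.forward(a)
            out.append(ALPHA[a])
        return "".join(out)

    def encrypt(self, text):
        return self._process(text, decrypt=False)

    def decrypt(self, text):
        return self._process(text, decrypt=True)

    def period(self):
        """Characters until every offset returns to its start value (R^r)."""
        start = [r.offset for r in self.rotors]
        n = 0
        while True:
            self._step()
            n += 1
            if [r.offset for r in self.rotors] == start:
                return n


def round_trip_ok(text, positions):
    """Decrypting with a machine in the same initial state restores the text."""
    ct = RotorMachine(positions=positions).encrypt(text)
    return RotorMachine(positions=positions).decrypt(ct) == "".join(
        c for c in text.upper() if c in ALPHA)


if __name__ == "__main__":
    ct = RotorMachine(positions=(3, 7, 11)).encrypt("ATTACKATDAWN")
    print(ct, "->", RotorMachine(positions=(3, 7, 11)).decrypt(ct))
    print("fixed rotors :", RotorMachine(stepping=False).encrypt("AAAA"))
    print("stepping     :", RotorMachine().encrypt("AAAA"))
    print("period       :", RotorMachine().period())
```

With stepping disabled the machine degenerates to the mono-alphabetic composition the text describes for fixed rotor positions; the odometer case also illustrates the second half of Fact 7.63, since in 25 of every 26 steps only the first rotor moves, so the change of state is small.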

7.64 Note (rotor machine output methods) Rotor machines were categorized by their method of
providing  ciphertext  output.  In  indicating  machines,  ciphertext  output  characters  are  indi- 
cated by  means  such  as  lighted  lamps  or  displayed  characters  in  output  apertures.  In  print- 
ing machines,  ciphertext  is  printed  or  typewritten  onto  an  output  medium  such  as  paper. 
With  on-line  machines,  output  characters  are  produced  in  electronic  form  suitable  for  di- 
rect transmission  over  telecommunications  media. 

(iii)  Rotor-based  machines  - historical  notes 

A number of individuals are responsible for the development of early machines based on rotor principles. In 1918, the American E.H. Hebern built the first rotor apparatus, based on an
earlier  typewriting  machine  modified  with  wired  connections  to  generate  a mono-alphabetic 
substitution.  The  output  was  originally  by  lighted  indicators.  The  first  rotor  patent  was  filed 
in  1921,  the  year  Hebern  Electric  Code,  Inc.  became  the  first  U.S.  cipher  machine  company 
(and  first  to  bankrupt  in  1926).  The  U.S.  Navy  (circa  1929-1930  and  some  years  thereafter) 
used  a number  of  Hebern's  five-rotor  machines. 

In  October  1919,  H.A.  Koch  filed  Netherlands  patent  no. 10,700  (“Geheimschrijfma- 
chine”  - secret  writing  machine),  demonstrating  a deep  understanding  of  rotor  principles; 
no  machine  was  built.  In  1927,  the  patent  rights  were  assigned  to  A.  Scherbius. 

The  German  inventor  Scherbius  built  a rotor  machine  called  the  Enigma.  Model  A was 
replaced  by  Model  B with  typewriter  output,  and  a portable  Model  C with  indicator  lamps. 
The company set up in 1923 dissolved in 1934, but thereafter the Germans used the portable battery-powered Enigma, including for critical World War II operations.

In October 1919, three days after Koch, A.G. Damm filed Swedish patent no. 52,279 describing a double-rotor device. His firm was joined by the Swede, B. Hagelin, whose 1925 modification yielded the B-21 rotor machine (with indicating lamps) used by the Swedish army. The B-21 had keywheels with varying number of teeth or gears, each of which was associated with a settable two-state pin. The period of the resulting polyalphabetic substitution was the product of the numbers of keywheel pins; the key was defined by the state of each pin and the initial keywheel positions. Hagelin later produced other models: B-211 (a printing machine); a more compact (phone-sized) model C-36 for the French in 1934; and based on alterations suggested by Friedman and others, model C-48 (of which over 140 000 were produced) which was called M-209 when used by the U.S. Army as a World War II field cipher. His 1948 Swiss factory later produced: model C-52, a strengthened version of M-209 (C-48) with period exceeding $2.75 \times 10^9$ (with keywheels of 47, 43, 41, 37, 31, 29 pins); CD-55, a pocket-size version of the C-52; and T-55, an on-line version of the same, modifiable to use a one-time tape. A further model was CD-57.

7.65 Note (Enigma details) The Enigma initially had three rotors $R_i$, each with 26 positions. $R_1$ stepped $R_2$ which stepped $R_3$ odometer-like, with $R_2$ also stepping itself; the period was $26 \cdot 25 \cdot 26 \approx 17\,000$. The key consisted of the initial positions of these rotors ($\approx 17\,000$ choices), their order ($3! = 6$ choices), and the state of a plugboard, which implemented a fixed but easily changed (e.g., manually, every hour) mono-alphabetic substitution ($26!$ choices), in addition to that carried out by rotor combinations.

7.66 Note (Hagelin M-209 details) The Hagelin M-209 rotor machine implements a polyalphabetic substitution using 6 keywheels - more specifically, a self-decrypting Beaufort cipher (Example 7.54), $c_i = k_i - m_i \bmod 26$, of period $101\,405\,850 = 26 \cdot 25 \cdot 23 \cdot 21 \cdot 19 \cdot 17$ letters. Thus for a fixed ordered set of 6 keywheels, the cipher period exceeds $10^8$. $k_i$ may be viewed as the $i$th character in the key stream, as determined by a particular ordering of keywheels, their pin settings, and starting positions. All keywheels rotate one position forward after each character is enciphered. The wheels simultaneously return to their initial position only after a period equal to the least-common-multiple of their gear-counts, which (since these are co-prime) is their product. A ciphertext-only attack is possible with 1000-2000 characters, using knowledge of the machine's internal mechanical details, and assuming natural language redundancy in the plaintext; a known-plaintext attack is possible with 50-100 characters.


7.3.5  Cryptanalysis  of  classical  ciphers  (historical) 

This section presents background material on redundancy and unicity distance, and techniques for cryptanalysis of classical ciphers.

(i)  Redundancy 

All  natural  languages  are  redundant.  This  redundancy  results  from  linguistic  structure.  For 
example,  in  English  the  letter  “E”  appears  far  more  frequently  than  “Z”,  “Q”  is  almost  al- 
ways followed  by  “U”,  and  “TH”  is  a common  digram. 

An  alphabet  with  26  characters  (e.g.,  Roman  alphabet)  can  theoretically  carry  up  to 
lg  26  = 4.7  bits  of  information  per  character.  Fact  7.67  indicates  that,  on  average,  far  less 
information  is  actually  conveyed  by  a natural  language. 
7.67 Fact The estimated average amount of information carried per character (per-character entropy) in meaningful English alphabetic text is 1.5 bits.

The per-character redundancy of English is thus about $4.7 - 1.5 = 3.2$ bits.

7.68  Fact  Empirical  evidence  suggests  that,  for  essentially  any  simple  substitution  cipher  on  a 
meaningful  message  (e.g.,  with  redundancy  comparable  to  English),  as  few  as  25  ciphertext 
characters  suffices  to  allow  a skilled  cryptanalyst  to  recover  the  plaintext. 

(ii)  Unicity  distance  and  random  cipher  model 

7.69  Definition  The  unicity  distance  of  a cipher  is  the  minimum  amount  of  ciphertext  (number 
of  characters)  required  to  allow  a computationally  unlimited  adversary  to  recover  the  unique 
encryption  key. 

The  unicity  distance  is  primarily  a theoretical  measure,  useful  in  relation  to  uncondi- 
tional security.  A small  unicity  distance  does  not  necessarily  imply  that  a block  cipher  is 
insecure  in  practice.  For  example,  consider  a 64-bit  block  cipher  with  a unicity  distance 
of  two  ciphertext  blocks.  It  may  still  be  computationally  infeasible  for  a cryptanalyst  (of 
reasonable  but  bounded  computing  power)  to  recover  the  key,  although  theoretically  there 
is  sufficient  information  to  allow  this. 

The random cipher model (Definition 7.70) is a simplified model of a block cipher providing a reasonable approximation for many purposes, facilitating results on block cipher properties not otherwise easily established (e.g., Fact 7.71).

7.70 Definition Let $C$ and $K$ be random variables, respectively, denoting the ciphertext block and the key, and let $D$ denote the decryption function. Under the random cipher model, $D_K(C)$ is a random variable uniformly distributed over all possible pre-images of $C$ (meaningful messages and otherwise, with and without redundancy).

In  an  intuitive  sense,  a random  cipher  as  per  the  model  of  Definition  7.70  is  a random 
mapping.  (A  more  precise  approximation  would  be  as  a random  permutation.) 

7.71 Fact Under the random cipher model, the expected unicity distance $N_0$ of a cipher is $N_0 = H(\mathcal{K})/D$, where $H(\mathcal{K})$ is the entropy of the key space (e.g., 64 bits for $2^{64}$ equiprobable keys), and $D$ is the plaintext redundancy (in bits/character).

For  a one-time  pad,  the  unbounded  entropy  of  the  key  space  implies,  by  Fact  7.71,  that 
the  unicity  distance  is  likewise  unbounded.  This  is  consistent  with  the  one-time  pad  being 
theoretically  unbreakable. 

Data  compression  reduces  redundancy.  Fact  7.71  implies  that  data  compression  prior 
to  encryption  increases  the  unicity  distance,  thus  increasing  security.  If  the  plaintext  con- 
tains no  redundancy  whatsoever,  then  the  unicity  distance  is  infinite;  that  is,  the  system  is 
theoretically  unbreakable  under  a ciphertext-only  attack. 

7.72 Example (unicity distance - transposition cipher) The unicity distance of a simple transposition cipher of period $t$ can be estimated under the random cipher model using Fact 7.71, and the assumption of plaintext redundancy of $D = 3.2$ bits/character. In this case, $H(\mathcal{K})/D = \lg(t!)/3.2$ and for $t = 12$ the estimated unicity distance is 9 characters, which is very crude, this being less than one 12-character block. For $t = 27$, the estimated unicity distance is a more plausible 29 characters; this can be computed using Stirling's approximation of Fact 2.57(iii) ($t! \approx \sqrt{2\pi t}\,(t/e)^t$, for large $t$ and $e = 2.718$) as $H(\mathcal{K})/D = \lg(t!)/3.2 \approx (0.3t) \cdot \lg(t/e)$. □
7.73 Example (unicity distance - simple substitution) The number of keys for a mono-alphabetic substitution cipher over alphabet $\mathcal{A}$ is $|\mathcal{K}| = s!$, where $s = |\mathcal{A}|$. For example, $s = 26$ (Roman alphabet) yields $26! \approx 4 \times 10^{26}$ keys. Assuming equiprobable keys, an estimate of the entropy of the key space is then (cf. Example 7.72) $H(\mathcal{K}) = \lg(26!) \approx 88.4$ bits. Assuming English text with $D = 3.2$ bits of redundancy per character (Fact 7.67), a theoretical estimate of the unicity distance of a simple substitution cipher is $H(\mathcal{K})/D = 88.4/3.2 \approx 28$ characters. This agrees closely with empirical evidence (Fact 7.68). □
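Fact 7.71 carried through for the ciphers of Examples 7.72 and 7.73, as an added example that is not from the Handbook: the key entropy lg(t!) is computed from the log-gamma function and, for comparison, from the Stirling form of Fact 2.57(iii), then divided by the English redundancy D = 3.2 bits/character of Fact 7.67. The function names are this example's own; the one-time pad case returns an infinite distance, matching the remark after Fact 7.71.

```python
# Added example (not from the Handbook): unicity distance N_0 = H(K)/D under
# the random cipher model, for transposition and substitution key spaces.
from math import lgamma, log, log2, pi, e

D_ENGLISH = 3.2          # plaintext redundancy, bits/character (Fact 7.67)


def log2_factorial(t):
    """lg(t!) = ln(Gamma(t + 1)) / ln 2, exact enough for any t of interest."""
    return lgamma(t + 1) / log(2)


def stirling_log2_factorial(t):
    """lg(t!) via Stirling, t! ~ sqrt(2 pi t) (t/e)^t (Fact 2.57(iii))."""
    return 0.5 * log2(2 * pi * t) + t * log2(t / e)


def unicity_distance(key_entropy_bits, redundancy=D_ENGLISH):
    """Expected number of ciphertext characters needed to pin down the key.
    No redundancy (or unbounded key entropy) gives an infinite distance."""
    if redundancy == 0:
        return float("inf")
    return key_entropy_bits / redundancy


def transposition_unicity(t):
    """Simple transposition of period t: |K| = t!, so H(K) = lg(t!)."""
    return unicity_distance(log2_factorial(t))


def substitution_unicity(s=26):
    """Mono-alphabetic substitution over s symbols: |K| = s!."""
    return unicity_distance(log2_factorial(s))


if __name__ == "__main__":
    for t in (12, 27):
        print("transposition, t=%2d: H(K) = %5.1f bits (Stirling %5.1f), N0 ~ %4.1f"
              % (t, log2_factorial(t), stirling_log2_factorial(t), transposition_unicity(t)))
    print("substitution, s=26 : H(K) = %5.1f bits, N0 ~ %4.1f"
          % (log2_factorial(26), substitution_unicity()))
    print("one-time pad       : N0 =", unicity_distance(float("inf")))
    print("zero redundancy    : N0 =", unicity_distance(64, redundancy=0))
```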

(iii)  Language  statistics 

Cryptanalysis  of  classical  ciphers  typically  relies  on  redundancy  in  the  source  language 
(plaintext).  In  many  cases  a divide-and-conquer  approach  is  possible,  whereby  the  plaintext 
or  key  is  recovered  piece  by  piece,  each  facilitating  further  recovery. 

Mono-alphabetic  substitution  on  short  plaintext  blocks  (e.g.,  Roman  alphabet  char- 
acters) is  easily  defeated  by  associating  ciphertext  characters  with  plaintext  characters 
(Note  7.50).  The  frequency  distribution  of  individual  ciphertext  characters  can  be  compared 
to  that  of  single  characters  in  the  source  language,  as  given  by  Figure  7.5  (estimated  from 
1964  English  text).  This  is  facilitated  by  grouping  plaintext  letters  by  frequency  into  high, 
medium,  low,  and  rare  classes;  focussing  on  the  high-frequency  class,  evidence  support- 
ing trial  letter  assignments  can  be  obtained  by  examining  how  closely  hypothesized  assign- 
ments match  those  of  the  plaintext  language.  Further  evidence  is  available  by  examination 
of  digram  and  trigram  frequencies.  Figure  7.6  gives  the  most  common  English  digrams  as 
a percentage of all digrams; note that of $26^2 = 676$ possible digrams, the top 15 account for
27%  of  all  occurrences.  Other  examples  of  plaintext  redundancy  appearing  in  the  cipher- 
text  include  associations  of  vowels  with  consonants,  and  repeated  letters  in  pattern  words 
(e.g.,  “that”,  “soon”,  “three”). 


Figure  7.5:  Frequency  of  single  characters  in  English  text. 


7.74 Note (large blocks preclude statistical analysis) An $n$-bit block size implies $2^n$ plaintext units ("characters"). Compilation of frequency statistics on plaintext units thus becomes infeasible as the block size of the simple substitution increases; for example, this is clearly infeasible for DES (§7.4), where $n = 64$.
Cryptanalysis of simple transposition ciphers is similarly facilitated by source language
statistics  (see  Note  7.47).  Cryptanalyzing  transposed  blocks  resembles  solving  an  anagram. 
Attempts  to  reconstruct  common  digrams  and  trigrams  are  facilitated  by  frequency  statis- 
tics. Solutions  may  be  constructed  piecewise,  with  the  appearance  of  digrams  and  trigrams 
in  trial  decryptions  confirming  (partial)  success. 


Figure  7.6:  Frequency  of  15  common  digrams  in  English  text. 


Cryptanalysis  of  polyalphabetic  ciphers  is  possible  by  various  methods,  including  Ka- 
siski’s  method  and  methods  based  on  the  index  of  coincidence,  as  discussed  below. 

(iv)  Method  of  Kasiski  (vs.  polyalphabetic  substitution) 

Kasiski's method provides a general technique for cryptanalyzing polyalphabetic ciphers with repeated keywords, such as the simple Vigenere cipher (Definition 7.53), based on the following observation: repeated portions of plaintext encrypted with the same portion of the keyword result in identical ciphertext segments. Consequently one expects the number of characters between the beginning of repeated ciphertext segments to be a multiple of the keyword length. Ideally, it suffices to compute the greatest common divisor of the various distances between such repeated segments, but coincidental repeated ciphertext segments may also occur. Nonetheless, an analysis (Kasiski examination) of the common factors among all such distances is possible; the largest factor which occurs most commonly is the most likely keyword length. Repeated ciphertext segments of length 4 or longer are most useful, as coincidental repetitions are then less probable.

The number of letters in the keyword indicates the number of alphabets $t$ in the polyalphabetic substitution. Ciphertext characters can then be partitioned into $t$ sets, each of which is then the result of a mono-alphabetic substitution. Trial values for $t$ are confirmed if the frequency distribution of the (candidate) mono-alphabetic groups matches the frequency distribution of the plaintext language. For example, the profile for plaintext English (Figure 7.5) exhibits a long trough characterizing uvwxyz, followed by a spike at a, and preceded by the triple-peak of rst. The resulting mono-alphabetic portions can be solved individually, with additional information available by combining their solution (based on digrams, probable words, etc.). If the source language is unknown, comparing the frequency distribution of ciphertext characters to that of candidate languages may allow determination of the source language itself.

(v)  Index  of  coincidence  (vs.  polyalphabetic  substitution) 

The  index  of  coincidence  ( IC)  is  a measure  of  the  relative  frequency  of  letters  in  a cipher- 
text  sample,  which  facilitates  cryptanalysis  of  polyalphabetic  ciphers  by  allowing  determi- 
nation of  the  period  t (as  an  alternative  to  Kasiski’s  method).  For  concreteness,  consider  a 
Vigenere  cipher  and  assume  natural  language  English  plaintext. 
Let the ciphertext alphabet be $\{a_0, a_1, \ldots, a_{n-1}\}$, and let $p_i$ be the unknown probability that an arbitrarily chosen character in a random ciphertext is $a_i$. The measure of roughness measures the deviation of ciphertext characters from a flat frequency distribution as follows:


$$\mathrm{MR} = \sum_{i=0}^{n-1} \left(p_i - \frac{1}{n}\right)^2 = \sum_{i=0}^{n-1} p_i^2 - \frac{1}{n} \qquad (7.1)$$


The minimum value is $\mathrm{MR}_{\min} = 0$, corresponding to a flat distribution (for equiprobable $a_i$, $p_i = 1/n$). The maximum value occurs when the frequency distribution of $p_i$ has greatest variability, corresponding to a mono-alphabetic substitution (the plaintext frequency distribution is then manifested). Define this maximum value $\mathrm{MR}_{\max} = \kappa_p - 1/n$, where $\kappa_p$ corresponds to $\sum p_i^2$ when the $p_i$ are plaintext frequencies. For English as per Figure 7.5, the maximum value is $\mathrm{MR} = \kappa_p - 1/n \approx 0.0658 - 0.0385 = 0.0273$. (This varies with letter frequency estimates; $\kappa_p = 0.0667$, yielding $\kappa_p - 1/n = 0.0282$ is commonly cited, and is used in Table 7.1.) While MR cannot be computed directly from a ciphertext sample (since the period $t$ is unknown, the mono-alphabetic substitutions cannot be separated), it may be estimated from the frequency distribution of ciphertext characters as follows.

Let $f_i$ denote the number of appearances of $a_i$ in an $L$-character ciphertext sample (thus $\sum f_i = L$). The number of pairs of letters among these $L$ is $L(L-1)/2$, of which $f_i(f_i - 1)/2$ are the pair $(a_i, a_i)$ for any fixed character $a_i$. Define IC as the probability that two characters arbitrarily chosen from the given ciphertext sample are equal:


$$\mathrm{IC} = \frac{\sum_{i=0}^{n-1} \binom{f_i}{2}}{\binom{L}{2}} = \frac{\sum_{i=0}^{n-1} f_i(f_i - 1)}{L(L-1)} \qquad (7.2)$$


Independent of this given ciphertext sample, the probability that two randomly chosen ciphertext characters are equal is $\sum_{i=0}^{n-1} p_i^2$. Thus (comparing word definitions) IC is an estimate of $\sum p_i^2$, and by equation (7.1), thereby an estimate of $\mathrm{MR} + 1/n$. Moreover, IC can be directly computed from a ciphertext sample, allowing estimation of MR itself. Since MR varies from 0 to $\kappa_p - 1/n$, one expects IC to range from $1/n$ (for polyalphabetic substitution with infinite period) to $\kappa_p$ (for mono-alphabetic substitution). More precisely, the following result may be established.


7.75 Fact For a polyalphabetic cipher of period $t$, $E(\mathrm{IC})$ as given below is the expected value of the index of coincidence for a ciphertext string of length $L$, where $n$ is the number of alphabet characters, $\kappa_r = 1/n$, and $\kappa_p$ is given in Table 7.1:

$$E(\mathrm{IC}) = \frac{1}{t} \cdot \frac{L - t}{L - 1} \cdot \kappa_p + \frac{t - 1}{t} \cdot \frac{L}{L - 1} \cdot \kappa_r \qquad (7.3)$$

($p$ in $\kappa_p$ is intended to denote a plaintext frequency distribution, while the $r$ in $\kappa_r$ denotes a distribution for random characters.) For Roman-alphabet languages, $n = 26$ implies $\kappa_r = 0.03846$; for the Russian Cyrillic alphabet, $n = 30$.


7.76 Example (estimating polyalphabetic period using IC) Tabulating the expected values for
IC for periods $t = 1, 2, \ldots$ using Equation (7.3) (which is essentially independent of $L$
for large $L$ and small $t$), and comparing this to that obtained from a particular ciphertext
using Equation (7.2) allows a crude estimate of the period $t$ of the cipher, e.g., whether it is
mono-alphabetic or polyalphabetic with small period. Candidate values $t$ in the range thus
determined may be tested for correctness by partitioning ciphertext characters into groups
of letters separated by $t$ ciphertext positions, and in one or more such groups, comparing
the character frequency distribution to that of plaintext. □


Handbook  of  Applied  Cryptography  by  A.  Menezes,  P.  van  Oorschot  and  S.  Vanstone. 




Ch.  7 Block  Ciphers 


Language | $\kappa_p$
---------|-----------
French   | 0.0778
Spanish  | 0.0775
German   | 0.0762
Italian  | 0.0738
English  | 0.0667
Russian  | 0.0529

Table 7.1: Estimated roughness constant $\kappa_p$ for various languages (see Fact 7.75).


A polyalphabetic  period  t may  be  determined  either  by  Example  7.76  or  the  alternative 
of  Example  7.77,  based  on  the  same  underlying  ideas.  Once  t is  determined,  the  situation 
is  as  per  after  successful  completion  of  the  Kasiski  method. 

7.77 Example (determining period by ciphertext auto-correlation) Given a sample of
polyalphabetic ciphertext, the unknown period $t$ may be determined by examining the number of
coincidences when the ciphertext is auto-correlated. More specifically, given a ciphertext
sample $c_1 c_2 \ldots c_L$, starting with $t = 1$, count the total number of occurrences $c_i = c_{i+t}$ for
$1 \le i \le L - t$. Repeat for $t = 2, 3, \ldots$ and tabulate the counts (or plot a bar graph). The
actual period $t^*$ is revealed as follows: for values $t$ that are a multiple of $t^*$, the counts will
be noticeably higher (easily recognized as spikes on the bar graph). In fact, for $L$
appropriately large, one expects approximately $L \cdot \kappa_p$ coincidences in this case, and significantly
fewer in other cases. □

In  the  auto-correlation  method  of  coincidences  of  Example  7.77,  the  spikes  on  the  bar 
graph  reveal  the  period,  independent  of  the  source  language.  Once  the  period  is  determined, 
ciphertext  characters  from  like  alphabets  can  be  grouped,  and  the  profile  of  single-character 
letter  frequencies  among  these,  which  differs  for  each  language,  may  be  used  to  determine 
the  plaintext  language. 
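The following Python program is added here as a worked example of Examples 7.76 and 7.77; it is not code from the Handbook. It enciphers a short English paragraph of its own (a constructed sample) under an assumed period-5 key, computes IC by equation (7.2), compares it with $E(IC)$ from (7.3) to get the crude period estimate, counts auto-correlation coincidences to find the spikes at multiples of the true period, and then, with $t$ known, recovers each substitution alphabet by matching the group's letter frequencies against an assumed table of English letter probabilities.

```python
"""Index of coincidence (7.2, 7.3) and auto-correlation (Example 7.77) on a
constructed Vigenere ciphertext. Added worked example: the sample text, the key
TRACE and the English frequency table are assumptions of this example."""
from collections import Counter

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
N = len(ALPHA)
# Approximate English single-letter probabilities p_i for a..z (assumed values).
# Their sum of squares is about 0.0656, consistent with kappa_p in Table 7.1.
ENGLISH = [0.082, 0.015, 0.028, 0.043, 0.127, 0.022, 0.020, 0.061, 0.070,
           0.002, 0.008, 0.040, 0.024, 0.067, 0.075, 0.019, 0.001, 0.060,
           0.063, 0.091, 0.028, 0.010, 0.024, 0.002, 0.020, 0.001]
KAPPA_P = sum(p * p for p in ENGLISH)   # sum of p_i^2 for this table
KAPPA_R = 1.0 / N                       # 1/n, the value for random text

def letters(text):
    """Keep only A-Z; the ciphers below act on letters alone."""
    return "".join(c for c in text.upper() if c in ALPHA)

def vigenere(text, key, decrypt=False):
    """Polyalphabetic substitution of period len(key): c_i = p_i + k_(i mod t) mod 26."""
    out = []
    for i, c in enumerate(letters(text)):
        k = ALPHA.index(key[i % len(key)])
        out.append(ALPHA[(ALPHA.index(c) + (-k if decrypt else k)) % N])
    return "".join(out)

def index_of_coincidence(s):
    """Equation (7.2): sum f_i (f_i - 1) / (L (L - 1))."""
    L = len(s)
    return sum(f * (f - 1) for f in Counter(s).values()) / (L * (L - 1))

def expected_ic(t, L, kappa_p=KAPPA_P, kappa_r=KAPPA_R):
    """Equation (7.3): E(IC) for period t and ciphertext length L."""
    return (L - t) / (t * (L - 1)) * kappa_p + (t - 1) * L / (t * (L - 1)) * kappa_r

def period_from_ic(s, max_t=20):
    """Example 7.76: the t whose E(IC) is closest to the observed IC. Only a crude
    estimate, since neighbouring values of t differ by roughly 0.001 in E(IC)."""
    ic = index_of_coincidence(s)
    return min(range(1, max_t + 1), key=lambda t: abs(expected_ic(t, len(s)) - ic))

def autocorrelation(s, max_shift=20):
    """Example 7.77: number of i with c_i == c_{i+shift}, for shift = 1..max_shift.
    Multiples of the true period stand out as spikes."""
    return {d: sum(1 for i in range(len(s) - d) if s[i] == s[i + d])
            for d in range(1, max_shift + 1)}

def recover_key(cipher, t):
    """Once t is known, positions congruent mod t form one mono-alphabetic group;
    for each group pick the shift whose profile best matches ENGLISH (dot product)."""
    key = ""
    for g in range(t):
        counts = Counter(cipher[g::t])
        best, best_score = 0, -1.0
        for s in range(N):
            score = sum(counts[ALPHA[(i + s) % N]] * ENGLISH[i] for i in range(N))
            if score > best_score:
                best, best_score = s, score
        key += ALPHA[best]
    return key

# Constructed sample paragraph (this example's own text), enciphered under an
# assumed key of period 5.
SAMPLE = ("The index of coincidence measures how far the letters of a text are from "
          "being evenly distributed. Ordinary English prose is far from even, because a "
          "handful of letters such as e, t, a, o, i and n occur much more often than the "
          "rest, while letters such as q, x and z are rare. When such a text is enciphered "
          "with a single substitution alphabet the frequencies are merely relabelled and "
          "the index stays high. When several alphabets are used in turn the frequencies "
          "are averaged together and the index drifts toward the value expected for random "
          "text. An analyst who can estimate the index from the ciphertext alone can "
          "therefore guess how many alphabets were used before attempting to separate them "
          "and attack each one as an ordinary substitution cipher. The same reasoning "
          "underlies the counting of coincidences between a ciphertext and a shifted copy "
          "of itself, since letters that were enciphered under the same alphabet agree far "
          "more often than letters enciphered under different alphabets.")
KEY = "TRACE"
CIPHER = vigenere(SAMPLE, KEY)

if __name__ == "__main__":
    print("IC =", round(index_of_coincidence(CIPHER), 4),
          " crude period from IC:", period_from_ic(CIPHER))
    print("coincidences by shift:", autocorrelation(CIPHER))
    print("recovered key:", recover_key(CIPHER, len(KEY)))
```

The IC-based estimate is deliberately reported as crude: for a 700-letter sample the expected values for $t = 4, 5, 6$ lie within about 0.001 of each other, so the auto-correlation spikes (at shifts 5, 10, 15, 20 here) are what actually pin down $t$, exactly as the text says, and the key recovery only works once the right $t$ has been used to split the ciphertext.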


7.4  DES 

The  Data  Encryption  Standard  (DES)  is  the  most  well-known  symmetric-key  block  cipher. 
Recognized  world-wide,  it  set  a precedent  in  the  mid  1970s  as  the  first  commercial-grade 
modern  algorithm  with  openly  and  fully  specified  implementation  details.  It  is  defined  by 
the  American  standard  FIPS  46-2. 


7.4.1  Product  ciphers  and  Feistel  ciphers 

The  design  of  DES  is  related  to  two  general  concepts:  product  ciphers  and  Feistel  ciphers. 
Each  involves  iterating  a common  sequence  or  round  of  operations. 

The  basic  idea  of  a product  cipher  (see  §1.5.3)  is  to  build  a complex  encryption  func- 
tion by  composing  several  simple  operations  which  offer  complementary,  but  individually 
insufficient,  protection  (note  cascade  ciphers  per  Definition  7.29  use  independent  keys).  Ba- 
sic operations  include  transpositions,  translations  (e.g.,  XOR)  and  linear  transformations, 
arithmetic  operations,  modular  multiplication,  and  simple  substitutions. 
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7.78  Definition  A product  cipher  combines  two  or  more  transformations  in  a manner  intending 
that  the  resulting  cipher  is  more  secure  than  the  individual  components. 

7.79  Definition  A substitution-permutation  (SP)  network  is  a product  cipher  composed  of  a 
number  of  stages  each  involving  substitutions  and  permutations  (Figure  7.7). 


Figure  7.7 : Substitution-permutation  (SP)  network. 

Many  SP  networks  are  iterated  ciphers  as  per  Definition  7.80. 

7.80  Definition  An  iterated  block  cipher  is  a block  cipher  involving  the  sequential  repetition  of 
an  internal  function  called  a round  function.  Parameters  include  the  number  of  rounds  r,  the 
block  bitsize  n,  and  the  bitsize  k of  the  input  key  K from  which  r subkeys  Ki  (round  keys) 
are  derived.  For  invertibility  ( allowing  unique  decryption),  for  each  value  Ki  the  round 
function  is  a bijection  on  the  round  input. 

7.81 Definition A Feistel cipher is an iterated cipher mapping a $2t$-bit plaintext $(L_0, R_0)$, for
$t$-bit blocks $L_0$ and $R_0$, to a ciphertext $(R_r, L_r)$, through an $r$-round process where $r \ge 1$.
For $1 \le i \le r$, round $i$ maps $(L_{i-1}, R_{i-1}) \to (L_i, R_i)$ as follows: $L_i = R_{i-1}$,
$R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$, where each subkey $K_i$ is derived from the cipher key $K$.

Typically in a Feistel cipher, $r \ge 3$ and often is even. The Feistel structure specifically
orders the ciphertext output as $(R_r, L_r)$ rather than $(L_r, R_r)$; the blocks are exchanged
from their usual order after the last round. Decryption is thereby achieved using the same
$r$-round process but with subkeys used in reverse order, $K_r$ through $K_1$; for example, the
last round is undone by simply repeating it (see Note 7.84). The $f$ function of the Feistel
cipher may be a product cipher, though $f$ itself need not be invertible to allow inversion of
the Feistel cipher.

Figure 7.9(b) illustrates that successive rounds of a Feistel cipher operate on alternating
halves of the ciphertext, while the other remains constant. Note the round function of
Definition 7.81 may also be re-written to eliminate $L_i$: $R_i = R_{i-2} \oplus f(R_{i-1}, K_i)$. In this
case, the final ciphertext output is $(R_r, R_{r-1})$, with input labeled $(R_{-1}, R_0)$.
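The following Python snippet is an added example of Definition 7.81 (not code from the Handbook). Its round function is a toy mixing function assumed for illustration only, chosen to be provably not a bijection (it squares its input mod $2^{32}$, so $x$ and $-x$ collide); the point is that decryption still works with the same process and the subkeys in reverse order, and that the untwisted recurrence $R_i = R_{i-2} \oplus f(R_{i-1}, K_i)$ produces the same output pair.

```python
"""Generic Feistel cipher of Definition 7.81 (added example, not Handbook code).
The toy round function below is assumed for illustration and is deliberately
non-invertible; decryption never needs f^{-1}, only the reversed subkeys."""

MASK32 = 0xFFFFFFFF

def toy_f(r, k):
    """Non-bijective 32-bit round function: (r XOR k)^2 mod 2^32, then mixing.
    Squaring maps x and 2^32 - x to the same value, so f has collisions."""
    x = (r ^ k) & MASK32
    x = (x * x) & MASK32
    x ^= x >> 16
    return (x * 0x45D9F3B) & MASK32

def feistel_rounds(l, r, subkeys, f=toy_f):
    """Rounds 1..r on t-bit halves; returns the exchanged pair (R_r, L_r)."""
    for k in subkeys:
        l, r = r, l ^ f(r, k)      # L_i = R_{i-1},  R_i = L_{i-1} XOR f(R_{i-1}, K_i)
    return r, l                    # halves exchanged after the last round

def encrypt(block, subkeys):
    a, b = feistel_rounds(block >> 32, block & MASK32, subkeys)
    return (a << 32) | b

def decrypt(block, subkeys):
    """Same process with K_r ... K_1: each round is undone by repeating it."""
    return encrypt(block, subkeys[::-1])

def untwisted(r_prev, r0, subkeys, f=toy_f):
    """R_i = R_{i-2} XOR f(R_{i-1}, K_i) with input (R_{-1}, R_0); returns (R_r, R_{r-1}),
    the same pair feistel_rounds returns for (L_0, R_0) = (R_{-1}, R_0)."""
    for k in subkeys:
        r_prev, r0 = r0, r_prev ^ f(r0, k)
    return r0, r_prev

if __name__ == "__main__":
    keys = [0x0F1E2D3C, 0x4B5A6978, 0x8796A5B4, 0xC3D2E1F0]   # assumed subkeys
    m = 0x0123456789ABCDEF
    c = encrypt(m, keys)
    print(f"c = {c:016x}, round trip ok: {decrypt(c, keys) == m}")
```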
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7.4.2  DES  algorithm 

DES is a Feistel cipher which processes plaintext blocks of $n = 64$ bits, producing 64-bit
ciphertext blocks (Figure 7.8). The effective size of the secret key $K$ is $k = 56$ bits; more
precisely, the input key $K$ is specified as a 64-bit key, 8 bits of which (bits $8, 16, \ldots, 64$)
may be used as parity bits. The $2^{56}$ keys implement (at most) $2^{56}$ of the $2^{64}!$ possible
bijections on 64-bit blocks. A widely held belief is that the parity bits were introduced to reduce
the effective key size from 64 to 56 bits, to intentionally reduce the cost of exhaustive key
search by a factor of 256.


Figure 7.8: DES input-output. (Figure not reproduced: a 64-bit plaintext $P$ and the 64-bit key $K$, 56 bits of which are effective, enter DES to give the 64-bit ciphertext $C$; DES$^{-1}$ under the same key maps $C$ back to $P$.)


Full details of DES are given in Algorithm 7.82 and Figures 7.9 and 7.10. An overview
follows. Encryption proceeds in 16 stages or rounds. From the input key $K$, sixteen 48-bit
subkeys $K_i$ are generated, one for each round. Within each round, 8 fixed, carefully selected
6-to-4 bit substitution mappings (S-boxes) $S_i$, collectively denoted $S$, are used. The 64-bit
plaintext is divided into 32-bit halves $L_0$ and $R_0$. Each round is functionally equivalent,
taking 32-bit inputs $L_{i-1}$ and $R_{i-1}$ from the previous round and producing 32-bit outputs
$L_i$ and $R_i$ for $1 \le i \le 16$, as follows:

$$ L_i = R_{i-1} \qquad (7.4) $$

$$ R_i = L_{i-1} \oplus f(R_{i-1}, K_i), \quad \text{where } f(R_{i-1}, K_i) = P(S(E(R_{i-1}) \oplus K_i)) \qquad (7.5) $$

Here $E$ is a fixed expansion permutation mapping $R_{i-1}$ from 32 to 48 bits (all bits are used
once; some are used twice). $P$ is another fixed permutation on 32 bits. An initial bit
permutation (IP) precedes the first round; following the last round, the left and right halves are
exchanged and, finally, the resulting string is bit-permuted by the inverse of IP. Decryption
involves the same key and algorithm, but with subkeys applied to the internal rounds in the
reverse order (Note 7.84).

A simplified  view  is  that  the  right  half  of  each  round  (after  expanding  the  32-bit  input 
to  8 characters  of  6 bits  each)  carries  out  a key-dependent  substitution  on  each  of  8 charac- 
ters, then  uses  a fixed  bit  transposition  to  redistribute  the  bits  of  the  resulting  characters  to 
produce  32  output  bits. 

Algorithm 7.83 specifies how to compute the DES round keys $K_i$, each of which contains
48 bits of $K$. These operations make use of tables PC1 and PC2 of Table 7.4, which
are called permuted choice 1 and permuted choice 2. To begin, 8 bits $(k_8, k_{16}, \ldots, k_{64})$ of
$K$ are discarded (by PC1). The remaining 56 bits are permuted and assigned to two 28-bit
variables $C$ and $D$; and then for 16 iterations, both $C$ and $D$ are rotated either 1 or 2 bits,
and 48 bits ($K_i$) are selected from the concatenated result.
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7.82 Algorithm Data Encryption Standard (DES)

INPUT: plaintext $m_1 \ldots m_{64}$; 64-bit key $K = k_1 \ldots k_{64}$ (includes 8 parity bits).

OUTPUT: 64-bit ciphertext block $C = c_1 \ldots c_{64}$. (For decryption, see Note 7.84.)

1. (key schedule) Compute sixteen 48-bit round keys $K_i$ from $K$ using Algorithm 7.83.

2. $(L_0, R_0) \leftarrow IP(m_1 m_2 \ldots m_{64})$. (Use IP from Table 7.2 to permute bits; split the
result into left and right 32-bit halves $L_0 = m_{58} m_{50} \ldots m_8$, $R_0 = m_{57} m_{49} \ldots m_7$.)

3. (16 rounds) for $i$ from 1 to 16, compute $L_i$ and $R_i$ using Equations (7.4) and (7.5)
above, computing $f(R_{i-1}, K_i) = P(S(E(R_{i-1}) \oplus K_i))$ as follows:

(a) Expand $R_{i-1} = r_1 r_2 \ldots r_{32}$ from 32 to 48 bits using $E$ per Table 7.3:
$T \leftarrow E(R_{i-1})$. (Thus $T = r_{32} r_1 r_2 \ldots r_{32} r_1$.)

(b) $T' \leftarrow T \oplus K_i$. Represent $T'$ as eight 6-bit character strings: $(B_1, \ldots, B_8) = T'$.

(c) $T'' \leftarrow (S_1(B_1), S_2(B_2), \ldots, S_8(B_8))$. (Here $S_j(B_j)$ maps $B_j = b_1 b_2 \ldots b_6$
to the 4-bit entry in row $r$ and column $c$ of $S_j$ in Table 7.8, page 260, where
$r = 2 \cdot b_1 + b_6$, and $b_2 b_3 b_4 b_5$ is the radix-2 representation of $0 \le c \le 15$. Thus
$S_1(011011)$ yields $r = 1$, $c = 13$, and output 5, i.e., binary 0101.)

(d) $T''' \leftarrow P(T'')$. (Use $P$ per Table 7.3 to permute the 32 bits of $T'' = t_1 t_2 \ldots t_{32}$,
yielding $t_{16} t_7 \ldots t_{25}$.)

4. $b_1 b_2 \ldots b_{64} \leftarrow (R_{16}, L_{16})$. (Exchange final blocks $L_{16}$, $R_{16}$.)

5. $C \leftarrow IP^{-1}(b_1 b_2 \ldots b_{64})$. (Transpose using $IP^{-1}$ from Table 7.2; $C = b_{40} b_8 \ldots b_{25}$.)
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Table  7.2:  DES  initial  permutation  and  inverse  (IP  and  IP  1). 
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Table  7.3:  DES  per-round  functions:  expansion  E and  permutation  P. 
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Figure 7.9: DES computation path. (Figure not reproduced: (a) twisted ladder; (b) untwisted ladder.)
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Figure 7.10: DES inner function $f$. (Figure not reproduced; it depicts $f(R_{i-1}, K_i) = P(S(E(R_{i-1}) \oplus K_i))$.)

7.83 Algorithm DES key schedule

INPUT: 64-bit key $K = k_1 \ldots k_{64}$ (including 8 odd-parity bits).

OUTPUT: sixteen 48-bit keys $K_i$, $1 \le i \le 16$.

1. Define $v_i$, $1 \le i \le 16$ as follows: $v_i = 1$ for $i \in \{1, 2, 9, 16\}$; $v_i = 2$ otherwise.
(These are left-shift values for 28-bit circular rotations below.)

2. $T \leftarrow PC1(K)$; represent $T$ as 28-bit halves $(C_0, D_0)$. (Use PC1 in Table 7.4 to select
bits from $K$: $C_0 = k_{57} k_{49} \ldots k_{36}$, $D_0 = k_{63} k_{55} \ldots k_4$.)

3. For $i$ from 1 to 16, compute $K_i$ as follows: $C_i \leftarrow (C_{i-1} \hookleftarrow v_i)$, $D_i \leftarrow (D_{i-1} \hookleftarrow v_i)$,
$K_i \leftarrow PC2(C_i, D_i)$. (Use PC2 in Table 7.4 to select 48 bits from the concatenation
$b_1 b_2 \ldots b_{56}$ of $C_i$ and $D_i$: $K_i = b_{14} b_{17} \ldots b_{32}$. $\hookleftarrow$ denotes left circular shift.)

If  decryption  is  designed  as  a simple  variation  of  the  encryption  function,  savings  result 
in  hardware  or  software  code  size.  DES  achieves  this  as  outlined  in  Note  7.84. 

7.84 Note (DES decryption) DES decryption consists of the encryption algorithm with the same
key but reversed key schedule, using in order $K_{16}, K_{15}, \ldots, K_1$ (see Note 7.85). This
works as follows (refer to Figure 7.9). The effect of $IP^{-1}$ is cancelled by IP in decryption,
leaving $(R_{16}, L_{16})$; consider applying round 1 to this input. The operation on the left
half yields, rather than $L_0 \oplus f(R_0, K_1)$, now $R_{16} \oplus f(L_{16}, K_{16})$ which, since $L_{16} = R_{15}$
and $R_{16} = L_{15} \oplus f(R_{15}, K_{16})$, is equal to $L_{15} \oplus f(R_{15}, K_{16}) \oplus f(R_{15}, K_{16}) = L_{15}$. Thus
round 1 decryption yields $(R_{15}, L_{15})$, i.e., inverting round 16. Note that the cancellation
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Table  7.4:  DES  key  schedule  bit  selections  ( PCI  and  PC2). 


of each round is independent of the definition of $f$ and the specific value of $K_i$; the swapping
of halves combined with the XOR process is inverted by the second application. The
remaining 15 rounds are likewise cancelled one by one in reverse order of application, due
to the reversed key schedule.

7.85 Note (DES decryption key schedule) Subkeys $K_1, \ldots, K_{16}$ may be generated by Algorithm
7.83 and used in reverse order, or generated in reverse order directly as follows. Note
that after $K_{16}$ is generated, the original values of the 28-bit registers $C$ and $D$ are restored
(each has rotated 28 bits). Consequently, and due to the choice of shift-values, modifying
Algorithm 7.83 as follows generates subkeys in order $K_{16}, \ldots, K_1$: replace the left-shifts
by right-shift rotates; change the shift value $v_1$ to 0.

7.86 Example (DES test vectors) The plaintext "Now is the time for all ", represented as a
string of 8-bit hex characters (7-bit ASCII characters plus leading 0-bit), and encrypted using
the DES key specified by the hex string $K$ = 0123456789ABCDEF results in the
following plaintext/ciphertext:

P = 4E6F772069732074 68652074696D6520 666F7220616C6C20
C = 3FA40E8A984D4815 6A271787AB8883F9 893D51EC4B563B53. □


7.4.3  DES  properties  and  strength 

There are many desirable characteristics for block ciphers. These include: each bit of the
ciphertext should depend on all bits of the key and all bits of the plaintext; there should be no
statistical relationship evident between plaintext and ciphertext; altering any single plaintext
or key bit should alter each ciphertext bit with probability $\frac{1}{2}$; and altering a ciphertext
bit should result in an unpredictable change to the recovered plaintext block. Empirically,
DES satisfies these basic objectives. Some known properties and anomalies of DES are
given below.

(i)  Complementation  property 

7.87 Fact Let $E$ denote DES, and $\bar{x}$ the bitwise complement of $x$. Then $y = E_K(x)$ implies
$\bar{y} = E_{\bar{K}}(\bar{x})$. That is, bitwise complementing both the key $K$ and the plaintext $x$ results in
complemented DES ciphertext.

Justification: Compare the first round output (see Figure 7.10) to $(L_0, R_0)$ for the
uncomplemented case. The combined effect of the plaintext and key being complemented results
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in the inputs to the XOR preceding the S-boxes (the expanded $R_{i-1}$ and subkey $K_i$) both
being complemented; this double complementation cancels out in the XOR operation,
resulting in the same S-box inputs, and thus an overall result $f(R_0, K_1)$, as before. This quantity is
then XORed (Figure 7.9) to $\bar{L_0}$ (previously $L_0$), resulting in $\bar{R_1}$ (rather than $R_1$); the
other half, $L_1 = R_0$, is likewise complemented. The same effect follows in the remaining rounds.

The complementation property is normally of no help to a cryptanalyst in known-plaintext
exhaustive key search. If an adversary has, for a fixed unknown key $K$, a chosen-plaintext
set of $(x, y)$ data $(P_1, C_1)$, $(\bar{P_1}, C_2)$, then $C_2 = E_K(\bar{P_1})$ implies $\bar{C_2} = E_{\bar{K}}(P_1)$.
Checking if the key $K$ with plaintext $P_1$ yields either $C_1$ or $\bar{C_2}$ now rules out two keys
with one encryption operation, thus reducing the expected number of keys required before
success from $2^{55}$ to $2^{54}$. This is not a practical concern.

(ii)  Weak  keys,  semi-weak  keys,  and  fixed  points 

If subkeys $K_1$ to $K_{16}$ are equal, then the reversed and original schedules create identical
subkeys: $K_1 = K_{16}$, $K_2 = K_{15}$, and so on. Consequently, the encryption and decryption
functions coincide. These are called weak keys (and also: palindromic keys).

7.88 Definition A DES weak key is a key $K$ such that $E_K(E_K(x)) = x$ for all $x$, i.e., defining
an involution. A pair of DES semi-weak keys is a pair $(K_1, K_2)$ with $E_{K_1}(E_{K_2}(x)) = x$.

Encryption  with  one  key  of  a semi-weak  pair  operates  as  does  decryption  with  the  other. 

7.89  Fact  DES  has  four  weak  keys  and  six  pairs  of  semi-weak  keys. 

The four DES weak keys are listed in Table 7.5, along with corresponding 28-bit variables
$C_0$ and $D_0$ of Algorithm 7.83; here $\{0\}^j$ represents $j$ repetitions of bit 0. Since $C_0$
and $D_0$ are all-zero or all-one bit vectors, and rotation of these has no effect, it follows that
all subkeys $K_i$ are equal and an involution results as noted above.

The six pairs of DES semi-weak keys are listed in Table 7.6. Note their defining property
(Definition 7.88) occurs when subkeys $K_1$ through $K_{16}$ of the first key, respectively,
equal subkeys $K_{16}$ through $K_1$ of the second. This requires that a 1-bit circular left-shift of
each of $C_0$ and $D_0$ for the first 56-bit key results in the $(C_0, D_0)$ pair for the second 56-bit
key (see Note 7.84), and thereafter left-rotating $C_i$ and $D_i$ one or two bits for the first results
in the same value as right-rotating those for the second the same number of positions.
The values in Table 7.6 satisfy these conditions. Given any one 64-bit semi-weak key, its
paired semi-weak key may be obtained by splitting it into two halves and rotating each half
through 8 bits.

7.90 Fact Let $E$ denote DES. For each of the four DES weak keys $K$, there exist $2^{32}$ fixed points
of $E_K$, i.e., plaintexts $x$ such that $E_K(x) = x$. Similarly, four of the twelve semi-weak keys
$K$ each have $2^{32}$ anti-fixed points, i.e., $x$ such that $E_K(x) = \bar{x}$.

The four semi-weak keys of Fact 7.90 are in the upper portion of Table 7.6. These are
called anti-palindromic keys, since for these $K_1 = \overline{K_{16}}$, $K_2 = \overline{K_{15}}$, and so on.

(iii)  DES  is  not  a group 

For a fixed DES key $K$, DES defines a permutation from $\{0,1\}^{64}$ to $\{0,1\}^{64}$. The set of
DES keys defines $2^{56}$ such (potentially different) permutations. If this set of permutations
was closed under composition (i.e., given any two keys $K_1$, $K_2$, there exists a third key $K_3$
such that $E_{K_3}(x) = E_{K_2}(E_{K_1}(x))$ for all $x$) then multiple encryption would be equivalent
to single encryption. Fact 7.91 states that this is not the case for DES.
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
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Table  7.5:  Four  DES  weak  keys. 


$C_0$       | $D_0$       | semi-weak key pair (hexadecimal)                       | $C_0$       | $D_0$
------------|-------------|--------------------------------------------------------|-------------|------------
$\{01\}^{14}$ | $\{01\}^{14}$ | 01FE 01FE 01FE 01FE,  FE01 FE01 FE01 FE01            | $\{10\}^{14}$ | $\{10\}^{14}$
$\{01\}^{14}$ | $\{10\}^{14}$ | 1FE0 1FE0 0EF1 0EF1,  E01F E01F F10E F10E            | $\{10\}^{14}$ | $\{01\}^{14}$
$\{01\}^{14}$ | $\{0\}^{28}$  | 01E0 01E0 01F1 01F1,  E001 E001 F101 F101            | $\{10\}^{14}$ | $\{0\}^{28}$
$\{01\}^{14}$ | $\{1\}^{28}$  | 1FFE 1FFE 0EFE 0EFE,  FE1F FE1F FE0E FE0E            | $\{10\}^{14}$ | $\{1\}^{28}$
$\{0\}^{28}$  | $\{01\}^{14}$ | 011F 011F 010E 010E,  1F01 1F01 0E01 0E01            | $\{0\}^{28}$  | $\{10\}^{14}$
$\{1\}^{28}$  | $\{01\}^{14}$ | E0FE E0FE F1FE F1FE,  FEE0 FEE0 FEF1 FEF1            | $\{1\}^{28}$  | $\{10\}^{14}$

Table 7.6: Six pairs of DES semi-weak keys (one pair per line; the $(C_0, D_0)$ columns on the left belong to the first key of the pair, those on the right to the second).


7.91 Fact The set of $2^{56}$ permutations defined by the $2^{56}$ DES keys is not closed under
functional composition. Moreover, a lower bound on the size of the group generated by
composing this set of permutations is $10^{2499}$.

The  lower  bound  in  Fact  7.91  is  important  with  respect  to  using  DES  for  multiple  en- 
cryption. If  the  group  generated  by  functional  composition  was  too  small,  then  multiple 
encryption  would  be  less  secure  than  otherwise  believed. 

(iv)  Linear  and  differential  cryptanalysis  of  DES 

Assuming  that  obtaining  enormous  numbers  of  known-plaintext  pairs  is  feasible,  linear 
cryptanalysis  provides  the  most  powerful  attack  on  DES  to  date;  it  is  not,  however,  con- 
sidered a threat  to  DES  in  practical  environments.  Linear  cryptanalysis  is  also  possible  in  a 
ciphertext-only  environment  if  some  underlying  plaintext  redundancy  is  known  (e.g.,  parity 
bits  or  high-order  0-bits  in  ASCII  characters). 

Differential  cryptanalysis  is  one  of  the  most  general  cryptanalytic  tools  to  date  against 
modern  iterated  block  ciphers,  including  DES,  Lucifer,  and  FEAL  among  many  others.  It  is, 
however,  primarily  a chosen-plaintext  attack.  Further  information  on  linear  and  differential 
cryptanalysis  is  given  in  §7.8. 

7.92  Note  ( strength  of  DES)  The  complexity  (see  §7.2.1)  of  the  best  attacks  currently  known 
against  DES  is  given  in  Table  7.7;  percentages  indicate  success  rate  for  specified  attack  pa- 
rameters. The  ‘processing  complexity’  column  provides  only  an  estimate  of  the  expected 
cost  (operation  costs  differ  across  the  various  attacks);  for  exhaustive  search,  the  cost  is  in 
DES  operations.  Regarding  storage  complexity,  both  linear  and  differential  cryptanalysis 
require  only  negligible  storage  in  the  sense  that  known  or  chosen  texts  can  be  processed 
individually  and  discarded,  but  in  a practical  attack,  storage  for  accumulated  texts  would 
be  required  if  ciphertext  was  acquired  prior  to  commencing  the  attack. 
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attack method              | data complexity: known | data complexity: chosen | storage complexity | processing complexity
---------------------------|------------------------|-------------------------|--------------------|----------------------
exhaustive precomputation  | -                      | 1                       | $2^{56}$           | 1 (table lookup)
exhaustive search          | 1                      | -                       | negligible         | $2^{55}$
linear cryptanalysis       | $2^{43}$ (85%)         | -                       | for texts          | $2^{43}$
                           | $2^{38}$ (10%)         | -                       | for texts          | $2^{50}$
differential cryptanalysis | -                      | $2^{47}$                | for texts          | $2^{47}$
                           | $2^{55}$               | -                       | for texts          | $2^{55}$

Table 7.7: DES strength against various attacks.


7.93 Remark (practicality of attack models) To be meaningful, attack comparisons based on
different models (e.g., Table 7.7) must appropriately weigh the feasibility of extracting
(acquiring) enormous amounts of chosen (known) plaintexts, which is considerably more
difficult to arrange than a comparable number of computing cycles on an adversary's own
machine. Exhaustive search with one known plaintext-ciphertext pair (for ciphertext-only, see
Example 7.28) and $2^{55}$ DES operations is significantly more feasible in practice (e.g., using
highly parallelized custom hardware) than linear cryptanalysis (LC) requiring $2^{43}$ known
pairs.

While exhaustive search, linear, and differential cryptanalysis allow recovery of a DES
key and, therefore, the entire plaintext, the attacks of Note 7.8, which become feasible once
about $2^{32}$ ciphertexts are available, may be more efficient if the goal is to recover only part
of the text.


7.5  FEAL 

The Fast Data Encipherment Algorithm (FEAL) is a family of algorithms which has played
a critical role in the development and refinement of various advanced cryptanalytic
techniques, including linear and differential cryptanalysis. FEAL-N maps 64-bit plaintext to
64-bit ciphertext blocks under a 64-bit secret key. It is an $N$-round Feistel cipher similar to
DES (cf. Equations (7.4), (7.5)), but with a far simpler $f$-function, and augmented by initial
and final stages which XOR the two data halves as well as XOR subkeys directly onto the
data halves.

FEAL  was  designed  for  speed  and  simplicity,  especially  for  software  on  8-bit  micro- 
processors (e.g.,  chipcards).  It  uses  byte-oriented  operations  (8-bit  addition  mod  256,  2-bit 
left  rotation,  and  XOR),  avoids  bit-permutations  and  table  look-ups,  and  offers  small  code 
size.  The  initial  commercially  proposed  version  with  4 rounds  (FEAL-4),  positioned  as  a 
fast  alternative  to  DES,  was  found  to  be  considerably  less  secure  than  expected  (see  Ta- 
ble 7.10).  FEAL-8  was  similarly  found  to  offer  less  security  than  planned.  FEAL-16  or 
FEAL-32  may  yet  offer  security  comparable  to  DES,  but  throughput  decreases  as  the  num- 
ber of  rounds  rises.  Moreover,  whereas  the  speed  of  DES  implementations  can  be  improved 
through  very  large  lookup  tables,  this  appears  more  difficult  for  FEAL. 

Algorithm 7.94 specifies FEAL-8. The $f$-function $f(A, Y)$ maps an input pair of $32 \times 16$
bits to a 32-bit output. Within the $f$ function, two byte-oriented data substitutions (S-boxes)
$S_0$ and $S_1$ are each used twice; each maps a pair of 8-bit inputs to an 8-bit output
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Table  7.8:  DES  S-boxes. 
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(see Table 7.9). $S_0$ and $S_1$ add a single bit $d \in \{0, 1\}$ to 8-bit arguments $x$ and $y$, ignore
the carry out of the top bit, and left rotate the result 2 bits (ROT2):

$$ S_d(x, y) = ROT2(x + y + d \bmod 256) \qquad (7.6) $$

The key schedule uses a function $f_K(A, B)$ similar to the $f$-function (see Table 7.9; $A_i$,
$B_i$, $Y_i$, $t_i$, and $U_i$ are 8-bit variables), mapping two 32-bit inputs to a 32-bit output.


$U \leftarrow f(A, Y)$                    | $U \leftarrow f_K(A, B)$
--------------------------------------|----------------------------------------
$t_1 = (A_0 \oplus A_1) \oplus Y_0$    | $t_1 = A_0 \oplus A_1$
$t_2 = (A_2 \oplus A_3) \oplus Y_1$    | $t_2 = A_2 \oplus A_3$
$U_1 = S_1(t_1, t_2)$                  | $U_1 = S_1(t_1, t_2 \oplus B_0)$
$U_2 = S_0(t_2, U_1)$                  | $U_2 = S_0(t_2, U_1 \oplus B_1)$
$U_0 = S_0(A_0, U_1)$                  | $U_0 = S_0(A_0, U_1 \oplus B_2)$
$U_3 = S_1(A_3, U_2)$                  | $U_3 = S_1(A_3, U_2 \oplus B_3)$

Table 7.9: Output $U = (U_0, U_1, U_2, U_3)$ for FEAL functions $f$, $f_K$ (Algorithm 7.94).

As  the  operations  of  2-bit  rotation  and  XOR  are  both  linear,  the  only  nonlinear  elemen- 
tary operation  in  FEAL  is  addition  mod  256. 


7.94 Algorithm Fast Data Encipherment Algorithm (FEAL-8)

INPUT: 64-bit plaintext $M = m_1 \ldots m_{64}$; 64-bit key $K = k_1 \ldots k_{64}$.
OUTPUT: 64-bit ciphertext block $C = c_1 \ldots c_{64}$. (For decryption, see Note 7.96.)

1. (key schedule) Compute sixteen 16-bit subkeys $K_i$ from $K$ using Algorithm 7.95.

2. Define $M_L = m_1 \cdots m_{32}$, $M_R = m_{33} \cdots m_{64}$.

3. $(L_0, R_0) \leftarrow (M_L, M_R) \oplus ((K_8, K_9), (K_{10}, K_{11}))$. (XOR initial subkeys.)

4. $R_0 \leftarrow R_0 \oplus L_0$.

5. For $i$ from 1 to 8 do: $L_i \leftarrow R_{i-1}$, $R_i \leftarrow L_{i-1} \oplus f(R_{i-1}, K_{i-1})$. (Use Table 7.9 for
$f(A, Y)$ with $A = R_{i-1} = (A_0, A_1, A_2, A_3)$ and $Y = K_{i-1} = (Y_0, Y_1)$.)

6. $L_8 \leftarrow L_8 \oplus R_8$.

7. $(R_8, L_8) \leftarrow (R_8, L_8) \oplus ((K_{12}, K_{13}), (K_{14}, K_{15}))$. (XOR final subkeys.)

8. $C \leftarrow (R_8, L_8)$. (Note the order of the final blocks is exchanged.)


7.95 Algorithm FEAL-8 key schedule

INPUT: 64-bit key $K = k_1 \ldots k_{64}$.

OUTPUT: 256-bit extended key (16-bit subkeys $K_i$, $0 \le i \le 15$).

1. (initialize) $U^{(-2)} \leftarrow 0$, $U^{(-1)} \leftarrow k_1 \ldots k_{32}$, $U^{(0)} \leftarrow k_{33} \ldots k_{64}$.

2. $U \stackrel{\text{def}}{=} (U_0, U_1, U_2, U_3)$ for 8-bit $U_i$. Compute $K_0, \ldots, K_{15}$ as $i$ runs from 1 to 8:

(a) $U \leftarrow f_K(U^{(i-2)}, U^{(i-1)} \oplus U^{(i-3)})$. ($f_K$ is defined in Table 7.9, where $A$ and
$B$ denote 4-byte vectors $(A_0, A_1, A_2, A_3)$, $(B_0, B_1, B_2, B_3)$.)

(b) $K_{2i-2} = (U_0, U_1)$, $K_{2i-1} = (U_2, U_3)$, $U^{(i)} \leftarrow U$.


7.96 Note (FEAL decryption) Decryption may be achieved using Algorithm 7.94 with the same
key $K$ and ciphertext $C = (R_8, L_8)$ as the plaintext input $M$, but with the key schedule
reversed. More specifically, subkeys $((K_{12}, K_{13}), (K_{14}, K_{15}))$ are used for the initial XOR
(step 3), $((K_8, K_9), (K_{10}, K_{11}))$ for the final XOR (step 7), and the round keys are used
from $K_7$ back to $K_0$ (step 5). This is directly analogous to decryption for DES (Note 7.84).
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7.97 Note (FEAL-N) FEAL with 64-bit key can be generalized to $N$ rounds, $N$ even. $N = 2^x$
is recommended; $x = 3$ yields FEAL-8 (Algorithm 7.94). FEAL-N uses $N + 8$ sixteen-bit
subkeys: $K_0, \ldots, K_{N-1}$, respectively, in round $i$; $K_N, \ldots, K_{N+3}$ for the initial XOR;
and $K_{N+4}, \ldots, K_{N+7}$ for the final XOR. The key schedule of Algorithm 7.95 is directly
generalized to compute keys $K_0$ through $K_{N+7}$ as $i$ runs from 1 to $(N/2) + 4$.

7.98 Note (FEAL-NX) Extending FEAL-N to use a 128-bit key results in FEAL-NX, with altered
key schedule as follows. The key is split into 64-bit halves $(K_L, K_R)$. $K_R$ is partitioned
into 32-bit halves $(K_{R1}, K_{R2})$. For $1 \le i \le (N/2) + 4$, define $Q_i = K_{R1} \oplus K_{R2}$
for $i \equiv 1 \pmod 3$; $Q_i = K_{R1}$ for $i \equiv 2 \pmod 3$; and $Q_i = K_{R2}$ for $i \equiv 0 \pmod 3$.
The second argument $(U^{(i-1)} \oplus U^{(i-3)})$ to $f_K$ in step 2a of Algorithm 7.95 is replaced by
$U^{(i-1)} \oplus U^{(i-3)} \oplus Q_i$. For $K_R = 0$, FEAL-NX matches FEAL-N with $K_L$ as the 64-bit
FEAL-N key $K$.

7.99 Example (FEAL test vectors) For hex plaintext $M$ = 00000000 00000000 and hex
key $K$ = 01234567 89ABCDEF, Algorithm 7.95 generates subkeys $(K_0, \ldots, K_7)$ =
DF3BCA36 F17C1AEC 45A5B9C7 26EBAD25, $(K_8, \ldots, K_{15})$ = 8B2AECB7
AC509D4C 22CD479B A8D50CB5. Algorithm 7.94 generates FEAL-8 ciphertext $C$ =
CEEF2C86 F2490752. For FEAL-16, the corresponding ciphertext is $C'$ = 3ADE0D2A
D84D0B6F; for FEAL-32, $C''$ = 69B0FAE6 DDED6B0B. For 128-bit key $(K_L, K_R)$
with $K_L = K_R = K$ as above, $M$ has corresponding FEAL-8X ciphertext $C'''$ =
92BEB65D 0E9382FB. □
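The following Python implementation is added as a worked example of Algorithms 7.94 and 7.95 and Notes 7.96 to 7.98; it is not the Handbook's code. It builds $S_d$ from equation (7.6), $f$ and $f_K$ from Table 7.9, and the key schedule generalized to $N$ rounds (Note 7.97) and to a 128-bit key (Note 7.98); decryption swaps the initial and final subkey groups and reverses the round keys as Note 7.96 says. Its checks reproduce every value in Example 7.99.

```python
"""FEAL-N / FEAL-NX per Algorithms 7.94, 7.95 and Notes 7.96-7.98 (added example,
not Handbook code). Words are big-endian: A = (A0, A1, A2, A3) with A0 the most
significant byte, and a 16-bit subkey Y = (Y0, Y1) with Y0 the high byte."""

MASK32 = 0xFFFFFFFF

def rot2(x):
    return ((x << 2) | (x >> 6)) & 0xFF

def s_box(d, x, y):
    """Equation (7.6): S_d(x, y) = ROT2(x + y + d mod 256)."""
    return rot2((x + y + d) & 0xFF)

def split_bytes(w):
    return [(w >> 24) & 0xFF, (w >> 16) & 0xFF, (w >> 8) & 0xFF, w & 0xFF]

def join_bytes(b):
    return (b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3]

def f(a_word, y):
    """Round function f(A, Y) of Table 7.9 (left column)."""
    a = split_bytes(a_word)
    y0, y1 = y >> 8, y & 0xFF
    t1 = a[0] ^ a[1] ^ y0
    t2 = a[2] ^ a[3] ^ y1
    u1 = s_box(1, t1, t2)
    u2 = s_box(0, t2, u1)
    u0 = s_box(0, a[0], u1)
    u3 = s_box(1, a[3], u2)
    return join_bytes([u0, u1, u2, u3])

def f_k(a_word, b_word):
    """Key-schedule function f_K(A, B) of Table 7.9 (right column)."""
    a, b = split_bytes(a_word), split_bytes(b_word)
    t1 = a[0] ^ a[1]
    t2 = a[2] ^ a[3]
    u1 = s_box(1, t1, t2 ^ b[0])
    u2 = s_box(0, t2, u1 ^ b[1])
    u0 = s_box(0, a[0], u1 ^ b[2])
    u3 = s_box(1, a[3], u2 ^ b[3])
    return join_bytes([u0, u1, u2, u3])

def key_schedule(key, n_rounds, key_right=None):
    """Algorithm 7.95 generalized to N rounds (N + 8 subkeys, Note 7.97); with
    key_right given, the 128-bit FEAL-NX schedule of Note 7.98 (Q_i terms)."""
    u = {-2: 0, -1: key >> 32, 0: key & MASK32}
    subkeys = []
    for i in range(1, n_rounds // 2 + 4 + 1):
        q = 0
        if key_right is not None:
            kr1, kr2 = key_right >> 32, key_right & MASK32
            q = (kr1 ^ kr2, kr1, kr2)[(i - 1) % 3]   # i = 1, 2, 0 (mod 3)
        u[i] = f_k(u[i - 2], u[i - 1] ^ u[i - 3] ^ q)
        subkeys += [u[i] >> 16, u[i] & 0xFFFF]      # K_{2i-2} = (U0,U1), K_{2i-1} = (U2,U3)
    return subkeys

def feal_crypt(block, subkeys, n_rounds, decrypt=False):
    """Algorithm 7.94 with N rounds. Decryption (Note 7.96): initial and final
    subkey groups exchange roles and the round keys run backwards."""
    n = n_rounds
    rounds, init, final = subkeys[:n], subkeys[n:n + 4], subkeys[n + 4:n + 8]
    if decrypt:
        rounds, init, final = rounds[::-1], final, init
    l = (block >> 32) ^ ((init[0] << 16) | init[1])        # step 3
    r = (block & MASK32) ^ ((init[2] << 16) | init[3])
    r ^= l                                                 # step 4
    for k in rounds:                                       # step 5
        l, r = r, l ^ f(r, k)
    l ^= r                                                 # step 6
    r ^= (final[0] << 16) | final[1]                       # step 7
    l ^= (final[2] << 16) | final[3]
    return (r << 32) | l                                   # step 8: (R_N, L_N)

if __name__ == "__main__":
    K = 0x0123456789ABCDEF                                 # key of Example 7.99
    for n in (8, 16, 32):
        ks = key_schedule(K, n)
        print(f"FEAL-{n}: C = {feal_crypt(0, ks, n):016X}")
    print(f"FEAL-8X: C = {feal_crypt(0, key_schedule(K, 8, key_right=K), 8):016X}")
```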

7.100 Note (strength of FEAL) Table 7.10 gives various published attacks on FEAL; LC and DC denote linear and differential cryptanalysis, and times are on common personal computers or workstations.

attack method    data complexity (known)    data complexity (chosen)    storage complexity    processing complexity
FEAL-4 - LC      5                          -                           30K bytes             6 minutes
FEAL-6 - LC      100                        -                           100K bytes            40 minutes
FEAL-8 - LC      2^24                       -                           280K bytes            10 minutes
FEAL-8 - DC      -                          2^7 pairs                   280K bytes            2 minutes
FEAL-16 - DC     -                          2^29 pairs                  -                     2^30 operations
FEAL-24 - DC     -                          2^45 pairs                  -                     2^46 operations
FEAL-32 - DC     -                          2^66 pairs                  -                     2^67 operations

Table 7.10: FEAL strength against various attacks.
7.6 IDEA

The cipher named IDEA (International Data Encryption Algorithm) encrypts 64-bit plaintext to 64-bit ciphertext blocks, using a 128-bit input key K. Based in part on a novel generalization of the Feistel structure, it consists of 8 computationally identical rounds followed by an output transformation (see Figure 7.11). Round r uses six 16-bit subkeys K_i^(r), 1 ≤ i ≤ 6, to transform a 64-bit input X into an output of four 16-bit blocks, which are input to the next round. The round 8 output enters the output transformation, employing four additional subkeys K_i^(9), 1 ≤ i ≤ 4, to produce the final ciphertext Y = (Y_1, Y_2, Y_3, Y_4). All subkeys are derived from K.

A dominant design concept in IDEA is mixing operations from three different algebraic groups of 2^n elements. The corresponding group operations on sub-blocks a and b of bitlength n = 16 are bitwise XOR: a ⊕ b; addition mod 2^n: (a + b) AND 0xFFFF, denoted a ⊞ b; and (modified) multiplication mod 2^n + 1, with 0 ∈ Z_{2^n} associated with 2^n ∈ Z_{2^n+1}: a ⊙ b (see Note 7.104).


[Figure 7.11: IDEA computation path. Plaintext (X_1, X_2, X_3, X_4) enters round 1; each round r uses the subkeys K_1^(r), ..., K_6^(r); the output transformation yields the ciphertext (Y_1, Y_2, Y_3, Y_4). Legend: ⊕ bitwise XOR; ⊞ addition mod 2^16; ⊙ multiplication mod 2^16 + 1 (with 0 interpreted as 2^16).]
7.101 Algorithm IDEA encryption

INPUT: 64-bit plaintext M = m_1...m_64; 128-bit key K = k_1...k_128.

OUTPUT: 64-bit ciphertext block Y = (Y_1, Y_2, Y_3, Y_4). (For decryption, see Note 7.103.)

1. (key schedule) Compute 16-bit subkeys K_1^(r), ..., K_6^(r) for rounds 1 ≤ r ≤ 8, and K_1^(9), ..., K_4^(9) for the output transformation, using Algorithm 7.102.

2. (X_1, X_2, X_3, X_4) ← (m_1...m_16, m_17...m_32, m_33...m_48, m_49...m_64), where X_i is a 16-bit data store.

3. For round r from 1 to 8 do:

(a) X_1 ← X_1 ⊙ K_1^(r), X_4 ← X_4 ⊙ K_4^(r), X_2 ← X_2 ⊞ K_2^(r), X_3 ← X_3 ⊞ K_3^(r).

(b) t_0 ← K_5^(r) ⊙ (X_1 ⊕ X_3), t_1 ← K_6^(r) ⊙ (t_0 ⊞ (X_2 ⊕ X_4)), t_2 ← t_0 ⊞ t_1.

(c) X_1 ← X_1 ⊕ t_1, X_4 ← X_4 ⊕ t_2, a ← X_2 ⊕ t_2, X_2 ← X_3 ⊕ t_1, X_3 ← a.

4. (output transformation) Y_1 ← X_1 ⊙ K_1^(9), Y_4 ← X_4 ⊙ K_4^(9), Y_2 ← X_3 ⊞ K_2^(9), Y_3 ← X_2 ⊞ K_3^(9).


7.102 Algorithm IDEA key schedule (encryption)

INPUT: 128-bit key K = k_1...k_128.

OUTPUT: 52 16-bit key sub-blocks K_i^(r) for 8 rounds r and the output transformation.

1. Order the subkeys K_1^(1) ... K_6^(1), K_1^(2) ... K_6^(2), ..., K_1^(8) ... K_6^(8), K_1^(9) ... K_4^(9).

2. Partition K into eight 16-bit blocks; assign these directly to the first 8 subkeys.

3. Do the following until all 52 subkeys are assigned: cyclic shift K left 25 bits; partition the result into 8 blocks; assign these blocks to the next 8 subkeys.

The key schedule of Algorithm 7.102 may be converted into a table which lists, for each of the 52 key blocks, which 16 (consecutive) bits of the input key K form it.

7.103 Note (IDEA decryption) Decryption is achieved using Algorithm 7.101 with the ciphertext Y provided as input M, and the same encryption key K, but the following change to the key schedule. First use K to derive all encryption subkeys K_i^(r); from these compute the decryption subkeys K'_i^(r) per Table 7.11; then use K'_i^(r) in place of K_i^(r) in Algorithm 7.101. In Table 7.11, -K_i denotes the additive inverse (mod 2^16) of K_i: the integer u = (2^16 - K_i) AND 0xFFFF, 0 ≤ u ≤ 2^16 - 1. K_i^{-1} denotes the multiplicative inverse (mod 2^16 + 1) of K_i, also in {0, 1, ..., 2^16 - 1}, derivable by the Extended Euclidean algorithm (Algorithm 2.107), which on inputs a ≥ b ≥ 0 returns integers x and y such that ax + by = gcd(a, b). Using a = 2^16 + 1 and b = K_i, the gcd is always 1 (except for K_i = 0, addressed separately) and thus K_i^{-1} = y, or 2^16 + 1 + y if y < 0. When K_i = 0, this input is mapped to 2^16 (since the inverse is defined by K_i ⊙ K_i^{-1} = 1; see Note 7.104) and (2^16)^{-1} = 2^16 is then defined to give K_i^{-1} = 0.


7.104 Note (definition of ⊙) In IDEA, a ⊙ b corresponds to a (modified) multiplication, modulo 2^16 + 1, of unsigned 16-bit integers a and b, where 0 ∈ Z_{2^16} is associated with 2^16 ∈ Z*_{2^16+1} as follows:² if a = 0 or b = 0, replace it by 2^16 (which is ≡ -1 mod 2^16 + 1) prior to modular multiplication; and if the result is 2^16, replace this by 0. Thus, ⊙ maps two 16-bit inputs to a 16-bit output. Pseudo-code for ⊙ is as follows (cf. Note 7.105, for ordinary multiplication mod 2^16 + 1), for c a 32-bit unsigned integer: if (a = 0) r ← (0x10001 - b) (since 2^16 b ≡ -b), elseif (b = 0) r ← (0x10001 - a) (by similar reasoning), else {c ← ab; r ← ((c AND 0xFFFF) - (c >> 16)); if (r < 0) r ← (0x10001 + r)}, with return value (r AND 0xFFFF) in all 3 cases.

²Thus the operands of ⊙ are from a set of cardinality 2^16 (Z*_{2^16+1}) as are those of ⊕ and ⊞.

round r      K'_1^(r)              K'_2^(r)       K'_3^(r)       K'_4^(r)              K'_5^(r)     K'_6^(r)
r = 1        (K_1^(10-r))^{-1}     -K_2^(10-r)    -K_3^(10-r)    (K_4^(10-r))^{-1}     K_5^(9-r)    K_6^(9-r)
2 ≤ r ≤ 8    (K_1^(10-r))^{-1}     -K_3^(10-r)    -K_2^(10-r)    (K_4^(10-r))^{-1}     K_5^(9-r)    K_6^(9-r)
r = 9        (K_1^(10-r))^{-1}     -K_2^(10-r)    -K_3^(10-r)    (K_4^(10-r))^{-1}     -            -

Table 7.11: IDEA decryption subkeys K'_i^(r) derived from encryption subkeys K_i^(r).

7.105 Note (implementing ab mod 2^n + 1) Multiplication mod 2^16 + 1 may be efficiently implemented as follows, for 0 ≤ a, b ≤ 2^16 (cf. §14.3.4). Let c = ab = c_0 · 2^32 + c_H · 2^16 + c_L, where c_0 ∈ {0, 1} and 0 ≤ c_L, c_H < 2^16. To compute c' = c mod (2^16 + 1), first obtain c_L and c_H by standard multiplication. For a = b = 2^16, note that c_0 = 1, c_L = c_H = 0, and c' = (-1)(-1) = 1, since 2^16 ≡ -1 mod (2^16 + 1); otherwise, c_0 = 0. Consequently, c' = c_L - c_H + c_0 if c_L ≥ c_H, while c' = c_L - c_H + (2^16 + 1) if c_L < c_H (since then -2^16 < c_L - c_H < 0).

7.106 Example (IDEA test vectors) Sample data for IDEA encryption of 64-bit plaintext M using 128-bit key K is given in Table 7.12. All entries are 16-bit values displayed in hexadecimal. Table 7.13 details the corresponding decryption of the resulting 64-bit ciphertext C under the same key K. □

128-bit key K = (1, 2, 3, 4, 5, 6, 7, 8); 64-bit plaintext M = (0, 1, 2, 3)

r    K_1^(r)   K_2^(r)   K_3^(r)   K_4^(r)   K_5^(r)   K_6^(r)    X_1    X_2    X_3    X_4
1    0001      0002      0003      0004      0005      0006       00f0   00f5   010a   0105
2    0007      0008      0400      0600      0800      0a00       222f   21b5   f45e   e959
3    0c00      0e00      1000      0200      0010      0014       0f86   39be   8ee8   1173
4    0018      001c      0020      0004      0008      000c       57df   ac58   c65b   ba4d
5    2800      3000      3800      4000      0800      1000       8e81   ba9c   f77f   3a4a
6    1800      2000      0070      0080      0010      0020       6942   9409   e21b   1c64
7    0030      0040      0050      0060      0000      2000       99d0   c7f6   5331   620e
8    4000      6000      8000      a000      c000      e001       0a24   0098   ec6b   4925
9    0080      00c0      0100      0140      -         -          11fb   ed2b   0198   6de5

Table 7.12: IDEA encryption sample: round subkeys and ciphertext (X_1, X_2, X_3, X_4).


7.107  Note  ( security  of  IDEA)  For  the  full  8-round  IDEA,  other  than  attacks  on  weak  keys  (see 
page  279),  no  published  attack  is  better  than  exhaustive  search  on  the  128-bit  key  space. 
The  security  of  IDEA  currently  appears  bounded  only  by  the  weaknesses  arising  from  the 
relatively  small  (compared  to  its  keylength)  blocklength  of  64  bits. 
128-bit key K = (1, 2, 3, 4, 5, 6, 7, 8); 64-bit ciphertext C = (11fb, ed2b, 0198, 6de5)

r    K'_1^(r)   K'_2^(r)   K'_3^(r)   K'_4^(r)   K'_5^(r)   K'_6^(r)    X_1    X_2    X_3    X_4
1    fe01       ff40       ff00       659a       c000       e001        d98d   d331   27f6   82b8
2    fffd       8000       a000       cccc       0000       2000        bc4d   e26b   9449   a576
3    a556       ffb0       ffc0       52ab       0010       0020        0aa4   f7ef   da9c   24e3
4    554b       ff90       e000       fe01       0800       1000        ca46   fe5b   dc58   116d
5    332d       c800       d000       fffd       0008       000c        748f   8f08   39da   45cc
6    4aab       ffe0       ffe4       c001       0010       0014        3266   045e   2fb5   b02e
7    aa96       f000       f200       ff81       0800       0a00        0690   050a   00fd   1dfa
8    4925       fc00       fff8       552b       0005       0006        0000   0005   0003   000c
9    0001       fffe       fffd       c001       -          -           0000   0001   0002   0003

Table 7.13: IDEA decryption sample: round subkeys and variables (X_1, X_2, X_3, X_4).
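The following is an added worked example, not code from the Handbook: a Python implementation of Algorithms 7.101 and 7.102, the ⊙ pseudo-code of Note 7.104, the inverse computation of Note 7.103 and the decryption subkey rule of Table 7.11, checked against the vectors of Tables 7.12 and 7.13. All function and constant names are the example's own.

```python
MASK16 = 0xFFFF
MOD = 0x10001                       # 2^16 + 1


def mul(a, b):
    """a (.) b of Note 7.104: multiplication mod 2^16+1, with 0 standing for 2^16."""
    if a == 0:
        r = MOD - b                 # 2^16 * b = -b (mod 2^16 + 1)
    elif b == 0:
        r = MOD - a
    else:
        c = a * b                   # fits in 32 bits
        r = (c & MASK16) - (c >> 16)   # c_L - c_H, since 2^16 = -1 (Note 7.105)
        if r < 0:
            r += MOD
    return r & MASK16               # a result of 2^16 is stored as 0


def add(a, b):
    return (a + b) & MASK16


def neg(a):
    """Additive inverse mod 2^16 (Note 7.103)."""
    return (0x10000 - a) & MASK16


def mul_inv(a):
    """Multiplicative inverse mod 2^16+1 by the Extended Euclidean algorithm
    (Note 7.103); 0 represents 2^16 = -1, which is its own inverse."""
    if a == 0:
        return 0
    r0, r1, y0, y1 = MOD, a, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        y0, y1 = y1, y0 - q * y1
    return y0 % MOD                 # gcd is 1, so y0 * a = 1 (mod 2^16 + 1)


def encryption_subkeys(key):
    """Algorithm 7.102: 52 subkeys from a 16-byte key by 25-bit left rotations."""
    k = int.from_bytes(key, "big")
    sub = []
    while len(sub) < 52:
        sub += [(k >> (112 - 16 * i)) & MASK16 for i in range(8)]
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return sub[:52]


def decryption_subkeys(enc):
    """Table 7.11: K'_i^(r) from the encryption subkeys K_i^(r)."""
    def K(r, i):                    # K_i^(r), r in 1..9, i in 1..6 (1..4 for r = 9)
        return enc[6 * (r - 1) + i - 1]
    dec = []
    for r in range(1, 10):
        s = 10 - r
        k1, k4 = mul_inv(K(s, 1)), mul_inv(K(s, 4))
        k2, k3 = neg(K(s, 2)), neg(K(s, 3))
        if 2 <= r <= 8:             # middle rounds take -K_3, -K_2 in that order
            k2, k3 = k3, k2
        dec += [k1, k2, k3, k4]
        if r <= 8:
            dec += [K(9 - r, 5), K(9 - r, 6)]
    return dec


def idea_block(block, sub):
    """Algorithm 7.101 on four 16-bit words; with decryption_subkeys(...) it decrypts."""
    X1, X2, X3, X4 = block
    for r in range(8):
        K1, K2, K3, K4, K5, K6 = sub[6 * r:6 * r + 6]
        X1, X4 = mul(X1, K1), mul(X4, K4)             # step 3(a)
        X2, X3 = add(X2, K2), add(X3, K3)
        t0 = mul(K5, X1 ^ X3)                          # step 3(b)
        t1 = mul(K6, add(t0, X2 ^ X4))
        t2 = add(t0, t1)
        X1, X4 = X1 ^ t1, X4 ^ t2                      # step 3(c)
        X2, X3 = X3 ^ t1, X2 ^ t2                      # the middle words swap places
    K1, K2, K3, K4 = sub[48:52]                        # step 4, output transformation
    return (mul(X1, K1), add(X3, K2), add(X2, K3), mul(X4, K4))


# Constructed from Example 7.106: K = (1, ..., 8) and M = (0, 1, 2, 3) as 16-bit words.
KEY = bytes.fromhex("00010002000300040005000600070008")
PLAIN = (0x0000, 0x0001, 0x0002, 0x0003)

if __name__ == "__main__":
    enc = encryption_subkeys(KEY)
    c = idea_block(PLAIN, enc)
    print("ciphertext", " ".join("%04x" % w for w in c))    # 11fb ed2b 0198 6de5
    print("decrypted ", idea_block(c, decryption_subkeys(enc)))
```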


7.7  SAFER,  RC5,  and  other  block  ciphers 


7.7.1  SAFER 

SAFER  K-64  (Secure  And  Fast  Encryption  Routine,  with  64-bit  key)  is  an  iterated  block 
cipher  with  64-bit  plaintext  and  ciphertext  blocks.  It  consists  of  r identical  rounds  followed 
by  an  output  transformation.  The  original  recommendation  of  6 rounds  was  followed  by  a 
recommendation  to  adopt  a slightly  modified  key  schedule  (yielding  SAFER  SK-64,  which 
should  be  used  rather  than  SAFER  K-64  - see  Note  7.110)  and  to  use  8 rounds  (maximum 
r = 10).  Both  key  schedules  expand  the  64-bit  external  key  into  2r  + 1 subkeys  each  of  64- 
bits  (two  for  each  round  plus  one  for  the  output  transformation).  SAFER  consists  entirely 
of  simple  byte  operations,  aside  from  byte-rotations  in  the  key  schedule;  it  is  thus  suitable 
for  processors  with  small  word  size  such  as  chipcards  (cf.  FEAL). 

Details  of  SAFER  K-64  are  given  in  Algorithm  7.108  and  Figure  7.12  (see  also  page 
280  regarding  SAFER  K-128  and  SAFER  SK-128).  The  XOR-addition  stage  beginning 
each  round  (identical  to  the  output  transformation)  XORs  bytes  1,  4,  5,  and  8 of  the  (first) 
round  subkey  with  the  respective  round  input  bytes,  and  respectively  adds  (mod  256)  the  re- 
maining 4 subkey  bytes  to  the  others.  The  XOR  and  addition  (mod  256)  operations  are  inter- 
changed in the subsequent addition-XOR stage. The S-boxes are an invertible byte-to-byte 
substitution using one fixed 8-bit bijection (see Note 7.111). A linear transformation f (the 
Pseudo-Hadamard Transform) used in the 3-level linear layer was specially constructed for 
rapid  diffusion.  The  introduction  of  additive  key  biases  in  the  key  schedule  eliminates  weak 
keys  (cf.  DES,  IDEA).  In  contrast  to  Feistel-like  and  many  other  ciphers,  in  SAFER  the  op- 
erations used  for  encryption  differ  from  those  for  decryption  (see  Note  7.113).  SAFER  may 
be  viewed  as  an  SP  network  (Definition  7.79). 

Algorithm 7.108 uses the following definitions (L, R denote left, right 8-bit inputs):

1. f(L, R) = (2L + R, L + R). Addition here is mod 256 (also denoted by ⊞);

2. tables S and S_inv, and the constant table for key biases B_i[j] as per Note 7.111.
[Figure 7.12: SAFER K-64 computation path (r rounds). 64-bit plaintext (X_1, ..., X_8) enters at the top; 64-bit ciphertext (Y_1, ..., Y_8) leaves at the bottom. Legend: ⊕ bitwise XOR; ⊞ addition mod 2^8; f(x, y) = (2x ⊞ y, x ⊞ y).]
7.108 Algorithm SAFER K-64 encryption (r rounds)

INPUT: r, 6 ≤ r ≤ 10; 64-bit plaintext M = m_1···m_64 and key K = k_1···k_64.
OUTPUT: 64-bit ciphertext block Y = (Y_1, ..., Y_8). (For decryption, see Note 7.113.)

1. Compute 64-bit subkeys K_1, ..., K_{2r+1} by Algorithm 7.109 with inputs K and r.

2. (X_1, X_2, ..., X_8) ← (m_1···m_8, m_9···m_16, ..., m_57···m_64).

3. For i from 1 to r do: (XOR-addition, S-box, addition-XOR, and 3 linear layers)

(a) For j = 1, 4, 5, 8: X_j ← X_j ⊕ K_{2i-1}[j]. For j = 2, 3, 6, 7: X_j ← X_j ⊞ K_{2i-1}[j].

(b) For j = 1, 4, 5, 8: X_j ← S[X_j]. For j = 2, 3, 6, 7: X_j ← S_inv[X_j].

(c) For j = 1, 4, 5, 8: X_j ← X_j ⊞ K_{2i}[j]. For j = 2, 3, 6, 7: X_j ← X_j ⊕ K_{2i}[j].

(d) For j = 1, 3, 5, 7: (X_j, X_{j+1}) ← f(X_j, X_{j+1}).

(e) (Y_1, Y_2) ← f(X_1, X_3), (Y_3, Y_4) ← f(X_5, X_7), (Y_5, Y_6) ← f(X_2, X_4), (Y_7, Y_8) ← f(X_6, X_8). For j from 1 to 8 do: X_j ← Y_j.

(f) (Y_1, Y_2) ← f(X_1, X_3), (Y_3, Y_4) ← f(X_5, X_7), (Y_5, Y_6) ← f(X_2, X_4), (Y_7, Y_8) ← f(X_6, X_8). For j from 1 to 8 do: X_j ← Y_j. (This mimics the previous step.)

4. (output transformation): For j = 1, 4, 5, 8: Y_j ← X_j ⊕ K_{2r+1}[j]. For j = 2, 3, 6, 7: Y_j ← X_j ⊞ K_{2r+1}[j].


7.109 Algorithm SAFER K-64 key schedule

INPUT: 64-bit key K = k_1···k_64; number of rounds r.

OUTPUT: 64-bit subkeys K_1, ..., K_{2r+1}. K_i[j] is byte j of K_i (numbered left to right).

1. Let R[i] denote an 8-bit data store and let B_i[j] denote byte j of B_i (Note 7.111).

2. (R[1], R[2], ..., R[8]) ← (k_1···k_8, k_9···k_16, ..., k_57···k_64).

3. (K_1[1], K_1[2], ..., K_1[8]) ← (R[1], R[2], ..., R[8]).

4. For i from 2 to 2r + 1 do: (rotate key bytes left 3 bits, then add in the bias)

(a) For j from 1 to 8 do: R[j] ← (R[j] ⋘ 3).

(b) For j from 1 to 8 do: K_i[j] ← R[j] ⊞ B_i[j]. (See Note 7.110.)


7.110 Note (SAFER SK-64 - strengthened key schedule) An improved key schedule for Algorithm 7.108, resulting in SAFER SK-64, involves three changes as follows. (i) After initializing the R[i] in step 1 of Algorithm 7.109, set R[9] ← R[1] ⊕ R[2] ⊕ ··· ⊕ R[8]. (ii) Change the upper bound on the loop index in step 4a from 8 to 9. (iii) Replace the iterated line in step 4b by: K_i[j] ← R[((i + j - 2) mod 9) + 1] ⊞ B_i[j]. Thus, key bytes 1, ..., 8 of R[·] are used for K_1; bytes 2, ..., 9 for K_2; bytes 3, ..., 9, 1 for K_3, etc. Here and originally, ⊞ denotes addition mod 256. No attack against SAFER SK-64 better than exhaustive key search is known.

7.111 Note (S-boxes and key biases in SAFER) The S-box, inverse S-box, and key biases for Algorithm 7.108 are constant tables as follows. g ← 45. S[0] ← 1, S_inv[1] ← 0. For i from 1 to 255 do: t ← g · S[i - 1] mod 257, S[i] ← t, S_inv[t] ← i. Finally, S[128] ← 0, S_inv[0] ← 128. (Since g generates Z*_257, S[i] is a bijection on {0, 1, ..., 255}.) (Note that g^128 = 256 (mod 257), and associating 256 with 0 makes S a mapping with 8-bit input and output.) The additive key biases are 8-bit constants used in the key schedule (Algorithm 7.109), intended to behave as random numbers, and defined B_i[j] = S[S[9i + j]] for i from 2 to 2r + 1 and j from 1 to 8. For example: B_2 = (22, 115, 59, 30, 142, 112, 189, 134) and B_13 = (143, 41, 221, 4, 128, 222, 231, 49).
7.112 Remark (S-box mapping) The S-box of Note 7.111 is based on the function S(x) = g^x mod 257 using a primitive element g = 45 ∈ Z_257. This mapping is nonlinear with respect to both Z_257 arithmetic and the vector space of 8-tuples over F_2 under the XOR operation. The inverse S-box is based on the base-g logarithm function.

7.113 Note (SAFER K-64 decryption) For decryption of Algorithm 7.108, the same key K and subkeys K_i are used as for encryption. Each encryption step is undone in reverse order, from last to first. Begin with an input transformation (XOR-subtraction stage) with key K_{2r+1} to undo the output transformation, replacing modular addition with subtraction. Follow with r decryption rounds using keys K_{2r} through K_1 (two per round), inverting each round in turn. Each starts with a 3-stage inverse linear layer using f_inv(L, R) = (L - R, 2R - L), with subtraction here mod 256, in a 3-step sequence defined as follows (to invert the byte-permutations between encryption stages):

Level 1 (for j = 1, 3, 5, 7): (X_j, X_{j+1}) ← f_inv(X_j, X_{j+1}).

Levels 2 and 3 (each): (Y_1, Y_2) ← f_inv(X_1, X_5), (Y_3, Y_4) ← f_inv(X_2, X_6), (Y_5, Y_6) ← f_inv(X_3, X_7), (Y_7, Y_8) ← f_inv(X_4, X_8); for j from 1 to 8 do: X_j ← Y_j.

A subtraction-XOR stage follows (replace modular addition with subtraction), then an inverse substitution stage (exchange S and S_inv), and an XOR-subtraction stage.

7.114 Example (SAFER test vectors) Using 6-round SAFER K-64 (Algorithm 7.108) on the 64-bit plaintext M = (1, 2, 3, 4, 5, 6, 7, 8) with the key K = (8, 7, 6, 5, 4, 3, 2, 1) results in the ciphertext C = (200, 242, 156, 221, 135, 120, 62, 217), written as 8 bytes in decimal. Using 6-round SAFER SK-64 (Note 7.110) on the plaintext M above with the key K = (1, 2, 3, 4, 5, 6, 7, 8) results in the ciphertext C = (95, 206, 155, 162, 5, 132, 56, 199). □
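As an added example (not code from the Handbook or from SAFER's designers), the following Python implements Algorithms 7.108 and 7.109, the SK-64 schedule of Note 7.110, the S-box and bias generation of Note 7.111 and the decryption of Note 7.113, and reproduces both ciphertexts of Example 7.114. Function and constant names are the example's own.

```python
def make_sboxes():
    """Note 7.111: S[i] = 45^i mod 257 (256 stored as 0) and its inverse S_inv."""
    S, S_inv = [0] * 256, [0] * 256
    x = 1
    for i in range(256):
        S[i] = x & 0xFF             # only i = 128 gives x = 256, which becomes 0
        x = (x * 45) % 257
    for i in range(256):
        S_inv[S[i]] = i
    return S, S_inv


S, S_INV = make_sboxes()
XOR_POS = (0, 3, 4, 7)              # bytes 1, 4, 5, 8 (0-based) are XORed in stage (a)
PERM = (0, 2, 4, 6, 1, 3, 5, 7)     # stages (e), (f): f on (X1,X3),(X5,X7),(X2,X4),(X6,X8)
PERM_INV = (0, 4, 1, 5, 2, 6, 3, 7)  # Note 7.113 levels 2, 3: (X1,X5),(X2,X6),(X3,X7),(X4,X8)


def bias(i, j):
    """B_i[j] = S[S[9i + j]] of Note 7.111 (i >= 2, 1 <= j <= 8)."""
    return S[S[9 * i + j]]


def rotl8(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF


def key_schedule(key, r, strengthened=False):
    """Algorithm 7.109 (K-64), or the SK-64 schedule of Note 7.110 when strengthened.
    Returns [K_1, ..., K_{2r+1}], each a list of 8 bytes."""
    R = list(key)
    if strengthened:                # R[9] = R[1] xor ... xor R[8]
        x = 0
        for b in key:
            x ^= b
        R.append(x)
    subkeys = [list(key)]           # K_1 is the key itself
    for i in range(2, 2 * r + 2):
        R = [rotl8(b, 3) for b in R]      # every key byte rotated left 3 bits
        K_i = []
        for j in range(1, 9):
            src = R[(i + j - 2) % 9] if strengthened else R[j - 1]
            K_i.append((src + bias(i, j)) & 0xFF)
        subkeys.append(K_i)
    return subkeys


def mix(X, K, xor_first, sign=1):
    """XOR on XOR_POS and add on the rest (xor_first), or add on XOR_POS and XOR on
    the rest; sign=-1 turns the additions into the subtractions of Note 7.113."""
    return [X[j] ^ K[j] if (j in XOR_POS) == xor_first else (X[j] + sign * K[j]) & 0xFF
            for j in range(8)]


def f(a, b):                        # f(L, R) = (2L + R, L + R) mod 256
    return (2 * a + b) & 0xFF, (a + b) & 0xFF


def f_inv(a, b):                    # f_inv(L, R) = (L - R, 2R - L) mod 256
    return (a - b) & 0xFF, (2 * b - a) & 0xFF


def layer(X, fn):
    """Apply fn to the byte pairs (1,2), (3,4), (5,6), (7,8)."""
    Y = []
    for j in range(0, 8, 2):
        Y.extend(fn(X[j], X[j + 1]))
    return Y


def encrypt(block, subkeys, r):
    """Algorithm 7.108."""
    X = list(block)
    for i in range(1, r + 1):
        X = mix(X, subkeys[2 * i - 2], True)                       # (a) with K_{2i-1}
        X = [S[x] if j in XOR_POS else S_INV[x] for j, x in enumerate(X)]  # (b)
        X = mix(X, subkeys[2 * i - 1], False)                      # (c) with K_{2i}
        X = layer(X, f)                                            # (d)
        X = layer([X[p] for p in PERM], f)                         # (e)
        X = layer([X[p] for p in PERM], f)                         # (f)
    return mix(X, subkeys[2 * r], True)                            # output, K_{2r+1}


def decrypt(block, subkeys, r):
    """Note 7.113: every encryption stage undone in reverse order."""
    X = mix(list(block), subkeys[2 * r], True, sign=-1)
    for i in range(r, 0, -1):
        X = layer(X, f_inv)                                        # level 1
        X = layer([X[p] for p in PERM_INV], f_inv)                 # level 2
        X = layer([X[p] for p in PERM_INV], f_inv)                 # level 3
        X = mix(X, subkeys[2 * i - 1], False, sign=-1)             # subtraction-XOR
        X = [S_INV[x] if j in XOR_POS else S[x] for j, x in enumerate(X)]
        X = mix(X, subkeys[2 * i - 2], True, sign=-1)              # XOR-subtraction
    return X


# Plaintext of Example 7.114 (6 rounds).
M = [1, 2, 3, 4, 5, 6, 7, 8]

if __name__ == "__main__":
    print(encrypt(M, key_schedule([8, 7, 6, 5, 4, 3, 2, 1], 6), 6))          # K-64
    print(encrypt(M, key_schedule([1, 2, 3, 4, 5, 6, 7, 8], 6, True), 6))    # SK-64
```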


7.7.2  RC5 

The RC5 block cipher has a word-oriented architecture for variable word sizes w = 16, 32, or 64 bits. It has an extremely compact description, and is suitable for hardware or software. The number of rounds r and the key byte-length b are also variable. It is successively more completely identified as RC5-w, RC5-w/r, and RC5-w/r/b. RC5-32/12/16 is considered a common choice of parameters; r = 12 rounds are recommended for RC5-32, and r = 16 for RC5-64.

Algorithm 7.115 specifies RC5. Plaintext and ciphertext are blocks of bitlength 2w. Each of r rounds updates both w-bit data halves, using 2 subkeys in an input transformation and 2 more for each round. The only operations used, all on w-bit words, are addition mod 2^w (⊞), XOR (⊕), and rotations (left ⋘ and right ⋙). The XOR operation is linear, while the addition may be considered nonlinear depending on the metric for linearity. The data-dependent rotations featured in RC5 are the main nonlinear operation used: x ⋘ y denotes cyclically shifting a w-bit word x left y bits; the rotation-count y may be reduced mod w (the low-order lg(w) bits of y suffice). The key schedule expands a key of b bytes into 2r + 2 subkeys K_i of w bits each. Regarding packing/unpacking bytes into words, the byte-order is little-endian: for w = 32, the first plaintext byte goes in the low-order end of A, the fourth in A's high-order end, the fifth in B's low-order end, and so on.
7.115 Algorithm RC5 encryption (w-bit wordsize, r rounds, b-byte key)

INPUT: 2w-bit plaintext M = (A, B); r; key K = K[0]...K[b - 1].

OUTPUT: 2w-bit ciphertext C. (For decryption, see Note 7.117.)

1. Compute 2r + 2 subkeys K_0, ..., K_{2r+1} by Algorithm 7.116 from inputs K and r.

2. A ← A ⊞ K_0, B ← B ⊞ K_1. (Use addition modulo 2^w.)

3. For i from 1 to r do: A ← ((A ⊕ B) ⋘ B) ⊞ K_{2i}, B ← ((B ⊕ A) ⋘ A) ⊞ K_{2i+1}.

4. The output is C ← (A, B).


7.116 Algorithm RC5 key schedule

INPUT: word bitsize w; number of rounds r; b-byte key K[0]...K[b - 1].

OUTPUT: subkeys K_0, ..., K_{2r+1} (where K_i is w bits).

1. Let u = w/8 (number of bytes per word) and c = ⌈b/u⌉ (number of words K fills). Pad K on the right with zero-bytes if necessary to achieve a byte-count divisible by u (i.e., K[j] ← 0 for b ≤ j ≤ c·u - 1). For i from 0 to c - 1 do: L_i ← Σ_{j=0}^{u-1} 2^{8j} K[i·u + j] (i.e., fill L_i low-order to high-order byte using each byte of K[·] once).

2. K_0 ← P_w; for i from 1 to 2r + 1 do: K_i ← K_{i-1} ⊞ Q_w. (Use Table 7.14.)

3. i ← 0, j ← 0, A ← 0, B ← 0, t ← max(c, 2r + 2). For s from 1 to 3t do:

(a) K_i ← (K_i ⊞ A ⊞ B) ⋘ 3, A ← K_i, i ← i + 1 mod (2r + 2).

(b) L_j ← (L_j ⊞ A ⊞ B) ⋘ (A ⊞ B), B ← L_j, j ← j + 1 mod c.

4. The output is K_0, K_1, ..., K_{2r+1}. (The L_i are not used.)


7.117 Note (RC5 decryption) Decryption uses the Algorithm 7.115 subkeys, operating on ciphertext C = (A, B) as follows (subtraction is mod 2^w, denoted ⊟). For i from r down to 1 do: B ← ((B ⊟ K_{2i+1}) ⋙ A) ⊕ A, A ← ((A ⊟ K_{2i}) ⋙ B) ⊕ B. Finally M ← (A ⊟ K_0, B ⊟ K_1).


w:     16      32          64
P_w:   B7E1    B7E15163    B7E15162 8AED2A6B
Q_w:   9E37    9E3779B9    9E3779B9 7F4A7C15

Table 7.14: RC5 magic constants (given as hex strings).


7.118 Example (RC5-32/12/16 test vectors) For the hexadecimal plaintext M = 65C178B2 84D197CC and key K = 5269F149 D41BA015 2497574D 7F153125, RC5 with w = 32, r = 12, and b = 16 generates ciphertext C = EB44E415 DA319824. □
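As an added example (not code from the Handbook or from RC5's designer), the following Python implements Algorithm 7.115, the key schedule of Algorithm 7.116 and the decryption of Note 7.117 for w = 32, and reproduces the RC5-32/12/16 vector above; the hex strings of the example are taken as byte sequences packed little-endian into words, as the text describes. Names are the example's own.

```python
W = 32                                  # word size in bits (RC5-32)
MASK = (1 << W) - 1
P_W, Q_W = 0xB7E15163, 0x9E3779B9       # magic constants for w = 32 (Table 7.14)


def rotl(x, y):
    """x <<< y: cyclic left shift of a w-bit word; only lg(w) bits of y matter."""
    y %= W
    return ((x << y) | (x >> (W - y))) & MASK


def rotr(x, y):
    y %= W
    return ((x >> y) | (x << (W - y))) & MASK


def key_schedule(key, r):
    """Algorithm 7.116: expand a b-byte key into the 2r+2 subkeys K_0..K_{2r+1}."""
    u = W // 8
    c = max(1, (len(key) + u - 1) // u)           # number of words K fills
    key = key + bytes(c * u - len(key))           # zero-pad on the right
    L = [int.from_bytes(key[i * u:(i + 1) * u], "little") for i in range(c)]
    t = 2 * r + 2
    K = [(P_W + i * Q_W) & MASK for i in range(t)]       # K_i = K_{i-1} + Q_w
    A = B = i = j = 0
    for _ in range(3 * max(c, t)):                       # step 3, 3t iterations
        A = K[i] = rotl((K[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return K


def encrypt(block, K, r):
    """Algorithm 7.115; the 8 plaintext bytes are packed little-endian into (A, B)."""
    A = int.from_bytes(block[:4], "little")
    B = int.from_bytes(block[4:8], "little")
    A, B = (A + K[0]) & MASK, (B + K[1]) & MASK
    for i in range(1, r + 1):
        A = (rotl(A ^ B, B) + K[2 * i]) & MASK
        B = (rotl(B ^ A, A) + K[2 * i + 1]) & MASK
    return A.to_bytes(4, "little") + B.to_bytes(4, "little")


def decrypt(block, K, r):
    """Note 7.117: the rounds undone from r down to 1, then the input transformation."""
    A = int.from_bytes(block[:4], "little")
    B = int.from_bytes(block[4:8], "little")
    for i in range(r, 0, -1):
        B = rotr((B - K[2 * i + 1]) & MASK, A) ^ A
        A = rotr((A - K[2 * i]) & MASK, B) ^ B
    A, B = (A - K[0]) & MASK, (B - K[1]) & MASK
    return A.to_bytes(4, "little") + B.to_bytes(4, "little")


# Example 7.118: RC5-32/12/16; the hex strings are byte sequences, first byte first.
KEY = bytes.fromhex("5269F149D41BA0152497574D7F153125")
PLAIN = bytes.fromhex("65C178B284D197CC")

if __name__ == "__main__":
    K = key_schedule(KEY, 12)
    C = encrypt(PLAIN, K, 12)
    print(C.hex().upper())                        # EB44E415DA319824
    print(decrypt(C, K, 12) == PLAIN)
```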


7.7.3  Other  block  ciphers 

LOKI'91 (and earlier, LOKI'89) was proposed as a DES alternative with a larger 64-bit key, a matching 64-bit blocksize, and 16 rounds. It differs from DES mainly in key-scheduling and the f-function. The f-function of each round uses four identical 12-to-8 bit S-boxes, 4 input bits of which select one of 16 functions, each of which implements exponentiation with a fixed exponent in a different representation of GF(2^8). While no significant exploitable weaknesses have been found in LOKI'91 when used for encryption, related-key attacks (see page 281) are viewed as a certificational weakness.

Khufu  and  Khafre  are  DES-like  ciphers  which  were  proposed  as  fast  software-oriented 
alternatives  to  DES.  They  have  64-bit  blocks,  8 × 32  bit  S-boxes,  and  a variable  number 
of  rounds  (typically  16,  24,  or  32).  Khufu  keys  may  be  up  to  512  bits.  Khafre  keys  have 
bitlength  that  is  a multiple  of  64  (64  and  128-bit  keys  are  typical);  64  key  bits  are  XORed 
onto  the  data  block  before  the  first  and  thereafter  following  every  8 rounds.  Whereas  a DES 
round  involves  eight  6-to-4  bit  S-boxes,  one  round  of  Khufu  involves  a single  8-to-32  bit 
table  look-up,  with  a different  S-box  for  every  8 rounds.  The  S-boxes  are  generated  pseu- 
dorandomly  from  the  user  key.  Khafre  uses  fixed  S-boxes  generated  pseudorandomly  from 
an  initial  S-box  constructed  from  random  numbers  published  by  the  RAND  corporation  in 
1955.  Under  the  best  currently  known  attacks,  16-round  Khufu  and  24-round  Khafre  are 
each  more  difficult  to  break  than  DES. 


7.8  Notes  and  further  references 

§7.1 

The  extensive  and  particularly  readable  survey  by  Diffie  and  Hellman  [347],  providing  a 
broad  introduction  to  cryptography  especially  noteworthy  for  its  treatment  of  Hagelin  and 
rotor  machines  and  the  valuable  annotated  bibliography  circa  1979,  is  a source  for  much 
of  the  material  in  §7.2,  §7.3,  and  §7.4  herein.  Aside  from  the  appearance  of  DES  [396]  in 
the  mid  1970s  and  FEAL  [884]  later  in  the  1980s,  prior  to  1990  few  fully-specified  seri- 
ous symmetric  block  cipher  proposals  were  widely  available  or  discussed.  (See  Chapter  15 
for Pohlig and Hellman's 1978 discrete exponentiation cipher.) With the increasing feasibility of exhaustive search on 56-bit DES keys, the period 1990-1995 resulted in a large 
number  of  proposals,  beginning  with  PES  [728],  the  preliminary  version  of  IDEA  [730], 
The  Fast  Software  Encryption  workshops  (Cambridge,  U.K.,  Dec.  1993;  Leuven,  Belgium, 
Dec.  1994;  and  again  Cambridge,  Feb.  1996)  were  a major  stimulus  and  forum  for  new  pro- 
posals. 

The  most  significant  cryptanalytic  advances  over  the  1990-1995  period  were  Matsui’s  linear 
cryptanalysis  [796,  795],  and  the  differential  cryptanalysis  of  Biham  and  Shamir  [138]  (see 
also  [134,  139]).  Extensions  of  these  included  the  differential-linear  analysis  by  Langford 
and  Hellman  [741],  and  the  truncated  differential  analysis  of  Knudsen  [686].  For  additional 
background  on  linear  cryptanalysis,  see  Biham  [132];  see  also  Matsui  and  Yamagishi  [798] 
for  a preliminary  version  of  the  method.  Additional  background  on  differential  cryptanal- 
ysis is  provided  by  many  authors  including  Lai  [726],  Lai,  Massey,  and  Murphy  [730],  and 
Coppersmith [271]; although more efficient 6-round attacks are known, Stinson [1178] provides detailed examples of attacks on 3-round and 6-round DES. Regarding both linear and 
differential  cryptanalysis,  see  also  Knudsen  [684]  and  Kaliski  and  Yin  [656], 

§7.2 

Lai  [726,  Chapter  2]  provides  an  excellent  concise  introduction  to  block  ciphers,  including  a 
lucid  discussion  of  design  principles  (recommended  for  all  block  cipher  designers).  Regard- 
ing text  dictionary  and  matching  ciphertext  attacks  (Note  7.8),  see  Coppersmith,  Johnson, 
and  Matyas  [278].  Rivest  and  Sherman  [1061]  provide  a unified  framework  for  random- 
ized encryption  (Definition  7.3);  a common  example  is  the  use  of  random  “salt”  appended 
to  passwords  prior  to  password  encryption  in  some  operating  systems  (§10.2.3).  Fact  7.9  is 
due  to  Shannon  [1121],  whose  contributions  are  many  (see  below). 

The four basic modes of operation (including k-bit OFB feedback) were originally defined specifically for DES in 1980 by FIPS 81 [398] and in 1983 by ANSI X3.106 [34], while ISO 8732 [578] and ISO/IEC 10116 [604], respectively, defined these modes for general 64-bit and general n-bit block ciphers, mandating n-bit OFB feedback (see also Chapter 15). Brassard [192] gives a concise summary of modes of operation; Davies and Price [308] provide a comprehensive discussion, including OFB cycling (Note 7.24; see also Jueneman [643] and Davies and Parkin [307]), and a method for encrypting incomplete CBC final blocks without data expansion, which is important if plaintext must be encrypted and returned into its original store. See Voydock and Kent [1225] for additional requirements on IVs. Recommending r = s for maximum strength, ISO/IEC 10116 [604] specifies the CFB variation of Example 7.19, and provides extensive discussion of properties of the various modes. The counter mode (Example 7.23) was suggested by Diffie and Hellman [347].

The 1977 exhaustive DES key search machine (Example 7.27) proposed by Diffie and Hellman [346] contained 10^6 DES chips, with estimated cost US$20 million (1977 technology) and 12-hour expected search time; Diffie later revised the estimate upwards one order of magnitude in a BNR Inc. report (US$50 million machine, 2-day expected search time, 1980 technology). Diffie and Hellman noted the feasibility of a ciphertext-only attack (Example 7.28), and that attempting to preclude exhaustive search by changing DES keys more frequently, at best, doubles the expected search time before success.

Subsequently  Wiener  [1241]  provided  a gate-level  design  for  a US$1  million  machine  (1993 
technology)  using  57  600  DES  chips  with  expected  success  in  3.5  hours.  Each  chip  con- 
tains 16  pipelined  stages,  each  stage  completing  in  one  clock  tick  at  50  MHz;  a chip  with 
full  pipeline  completes  a key  test  every  20  nanoseconds,  providing  a machine  57  600  x 50 
times  faster  than  the  1142  years  noted  in  FIPS  74  [397]  as  the  time  required  to  check  2^55 
keys  if  one  key  can  be  tested  each  microsecond.  Comparable  key  search  machines  of  equiv- 
alent cost  by  Eberle  [362]  and  Wayner  [1231]  are,  respectively,  55  and  200  times  slower, 
although  the  former  does  not  require  a chip  design,  and  the  latter  uses  a general-purpose 
machine.  Wiener  also  noted  adaptations  of  the  ECB  known-plaintext  attack  to  other  64-bit 
modes  (CBC,  OFB,  CFB)  and  1-bit  and  8-bit  CFB. 

Even  and  Goldreich  [376]  discuss  the  unicity  distance  of  cascade  ciphers  under  known- 
plaintext  attack  (Fact  7.35),  present  a generalized  time-memory  meet-in-the-middle  trade- 
off (Note  7.38),  and  give  several  other  concise  results  on  cascades,  including  that  under 
reasonable  assumptions,  the  number  of  permutations  realizable  by  a cascade  of  L random 
cipher  stages  is,  with  high  probability,  2^{Lk}. 

Diffie and Hellman [346] noted the meet-in-the-middle attack on double encryption (Fact 7.33), motivating their recommendation that multiple encipherment, if used, should be at least three-fold; Hoffman [558] credits them with suggesting E-E-E triple encryption with three independent keys. Merkle's June 1979 thesis [850] explains the attack on two-key triple-encryption of Fact 7.39 (see also Merkle and Hellman [858]), and after noting Tuchman's proposal of two-key E-D-E triple encryption in a June 1978 conference talk (National Computer Conference, Anaheim, CA; see also [1199]), recommended that E-D-E be used with three independent keys: E_K3(D_K2(E_K1(x))). The two-key E-D-E idea, adopted in ANSI X9.17 [37] and ISO 8732 [578], was reportedly conceived circa April 1977 by Tuchman's colleagues, Matyas and Meyer. The attack of Fact 7.40 is due to van Oorschot and Wiener [1206]. See Coppersmith, Johnson, and Matyas [278] for a proposed construction for a triple-DES algorithm. Other techniques intended to extend the strength of DES include the DESX proposal of Rivest as analyzed by Kilian and Rogaway [672], and the work of Biham and Biryukov [133].

Hellman [549] proposes a time-memory tradeoff for exhaustive key search on a cipher with N = 2^m ciphertexts requiring a chosen-plaintext attack, O(N^{2/3}) time and O(N^{2/3}) space after an O(N) precomputation; search time can be reduced somewhat by use of Rivest's suggestion of distinguished points (see Denning [326, p.100]). Kusuda and Matsumoto [722] recently extended this analysis. Fiat and Naor [393] pursue time-memory tradeoffs for more general functions. Amirazizi and Hellman [25] note that time-memory tradeoff with constant time-memory product offers no asymptotic cost advantage over exhaustive search; they examine tradeoffs between time, memory, and parallel processing, and using standard parallelization techniques, propose under a simplified model a search machine architecture for which doubling the machine budget (cost) increases the solution rate fourfold. This approach may be applied to exhaustive key search on double-encryption, as can the parallel collision search technique of van Oorschot and Wiener [1207, 1208]; see also Quisquater and Delescaille [1017, 1018].

Regarding Note 7.41, see Biham [131] (and earlier [130]) as well as Coppersmith, Johnson, and
Matyas [278]. Biham's analysis on DES and FEAL shows that, in many cases, the use of
intermediate data as feedback into an intermediate stage reduces security. 15 years earlier,
reflecting on his chosen-plaintext attack on two-key triple-encryption, Merkle [850, p.149]
noted "multiple encryption with any cryptographic system is liable to be much less secure than
a system designed originally for the longer key".

Maurer and Massey [822] formalize Fact 7.42, where "break" means recovering plaintext from
ciphertext (under a known-plaintext attack) or recovering the key; the results hold also for
chosen-plaintext and chosen-ciphertext attack. They illustrate, however, that the earlier
result and commonly-held belief proven by Even and Goldreich [376] - that a cascade is as
strong as any of its component ciphers - requires the important qualifying (and
non-practical) assumption that an adversary will not exploit statistics of the underlying
plaintext; thus, the intuitive result is untrue for most practical ciphertext-only attacks.

Kahn [648] is the definitive historical reference for classical ciphers and machines up to
1967, including much of §7.3 and the notes below. The selection of classical ciphers presented
largely follows Shannon's lucid 1949 paper [1121]. Standard references for classical
cryptanalysis include Friedman [423], Gaines [436], and Sinkov [1152]. More recent books
providing expository material on classical ciphers, machines, and cryptanalytic examples
include Beker and Piper [84], Meyer and Matyas [859], Denning [326], and Davies and Price
[308].

Polyalphabetic ciphers were invented circa 1467 by the Florentine architect Alberti, who
devised a cipher disk with a larger outer and smaller inner wheel, respectively indexed by
plaintext and ciphertext characters. Letter alignments defined a simple substitution, modified
by rotating the disk after enciphering a few words. The first printed book on cryptography,
Polygraphia, written in 1508 by the German monk Trithemius and published in 1518, contains
the first tableau - a square table on 24 characters listing all shift substitutions for a
fixed ordering of plaintext alphabet characters. Tableau rows were used sequentially to
substitute one plaintext character each for 24 letters, where-after the same tableau or one
based on a different alphabet ordering was used. In 1553 Belaso (from Lombardy) suggested
using an easily changed key (and key-phrases as memory aids) to define the fixed alphabetic
(shift) substitutions in a polyalphabetic substitution. The 1563 book of Porta (from Naples)
noted the ordering of tableau letters may define arbitrary substitutions (vs. simply shifted
alphabets).

Various polyalphabetic auto-key ciphers, wherein the key changes with each message (the
alteration depending on the message), were explored in the 16th century, most significantly
by the Frenchman B. de Vigenère. His 1586 book Traicté des Chiffres proposed the combined use
of a mixed tableau (mixed alphabet on both the tableau top and side) and an auto-keying
technique (cf. Example 7.61). A single character served as a priming key to select the
tableau row for the first character substitution, where-after the ith plaintext character
determined the alphabet (tableau row) for substituting the next. The far less secure simple
Vigenère cipher (Definition 7.53) is incorrectly attributed to Vigenère.

The Playfair cipher (Example 7.51), popularized by L. Playfair in England circa 1854 and
invented by the British scientist C. Wheatstone, was used as a British field cipher [648,
p.6]. J. Mauborgne (see also the Vernam and PURPLE ciphers below) is credited in 1914 with
the first known solution of this digram cipher.

The Jefferson cylinder was designed by American statesman T. Jefferson, circa 1790-1800. In
1817, fellow American D. Wadsworth introduced the principle of plaintext and ciphertext
alphabets of different lengths. His disk (cf. Alberti above) implemented a cipher similar to
Trithemius' polyalphabetic substitution, but wherein the various alphabets were brought into
play irregularly in a plaintext-dependent manner, foreshadowing both the polyalphabetic
ciphers of later 20th century rotor machines, and the concept of chaining. The inner disk had
26 letters while the outer had an additional 7 digits; one full revolution of the larger
caused the smaller to advance 7 characters into its second revolution. The driving disk was
always turned in the same clockwise sense; when the character revealed through an aperture in
the plaintext disk matched the next plaintext character, that visible through a corresponding
ciphertext aperture indicated the resulting ciphertext. In 1867, Wheatstone displayed an
independently devised similar device thereafter called the Wheatstone disc, receiving greater
attention although less secure (having disks of respectively 26 and 27 characters, the extra
character a plaintext space).

Vernam [1222] recorded his idea for telegraph encryption in 1917; a patent filed in September
1918 was issued July 1919. Vernam's device combined a stream of plaintext (5-bit Baudot coded)
characters, via XOR, with a keystream of 5-bit (key) values, resulting in the Vernam cipher (a
term often used for related techniques). This, the first polyalphabetic substitution automated
using electrical impulses, had period equal to the length of the key stream; each 5-bit key
value determined one of 32 fixed mono-alphabetic substitutions. Credit for the actual one-time
system goes to J. Mauborgne (U.S. Army) who, after seeing Vernam's device with a repeated
tape, realized that use of a random, non-repeated key improved security. While Vernam's
device was a commercial failure, a related German system engineered by W. Kunze, R.
Schauffler, and E. Langlotz was put into practice circa 1921-1923 for German diplomatic
communications; their encryption system, which involved manually adding a key string to
decimal-coded plaintext, was secured by using as the numerical key a random non-repeating
decimal digit stream - the original one-time pad. Pads of 50 numbered sheets were used, each
with 48 five-digit groups; no pads were repeated aside for one identical pad for a
communicating partner, and no sheet was to be used twice; sheets were destroyed once used.
The Vernam cipher proper, when used as a one-time system, involves only 32 alphabets, but
provides more security than rotor machines with a far greater number of alphabets because the
latter eventually repeat, whereas there is total randomness (for each plaintext character) in
selecting among the 32 Vernam alphabets.

The matrix cipher of Example 7.52 was proposed in 1929 by Hill [557], providing a practical
method for polygraphic substitution, albeit a linear transformation susceptible to
known-plaintext attack. Hill also recognized that using an involution as the encryption
mapping allowed the same function to provide decryption. Recent contributions on homophonic
substitution include Günther [529] and Jendal, Kuhn, and Massey [636].

Among the unrivalled cryptanalytic contributions of the Russian-born American Friedman is his
1920 Riverbank Publication no.22 [426] on cryptanalysis using the index of coincidence.
Friedman coined the term cryptanalysis in 1920, using it in his 1923 book Elements of
Cryptanalysis [425], a 1944 expansion of which, Military Cryptanalysis [423], remains highly
recommended. The method of Kasiski (from West Prussia) was originally published in 1863; see
Kahn [648, pp.208-213] for a detailed example. The discussion on IC and MR follows that of
Denning [326], itself based on Sinkov [1152]. Fact 7.75 follows from a standard expectation
computation weighted by κ_p or κ_r depending on whether the second of a pair of randomly
selected ciphertext characters is from the same ciphertext alphabet or one of the t − 1
remaining alphabets. The values in Table 7.1 are from Kahn [648], and vary somewhat over time
as languages evolve.
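The expectation computation behind Fact 7.75, carried through in code as an added example (not
the Handbook's own code): the observed index of coincidence of a text, the expected IC for t
cyclically used alphabets, and a coarse estimate of t from the two. KAPPA_P (English) and
KAPPA_R (random text) are assumed stand-ins for Table 7.1, which is not reproduced here; the
sample plaintext and key are constructed.

```python
"""Index of coincidence (IC) and the t-alphabet expectation behind Fact 7.75.

Added example, not code from the Handbook. KAPPA_P and KAPPA_R are assumed
values standing in for the page's Table 7.1 (not reproduced here).
"""
from collections import Counter
import string

KAPPA_P = 0.0667   # assumed IC of English plaintext (stand-in for Table 7.1)
KAPPA_R = 1 / 26   # IC of uniformly random letters over a 26-letter alphabet


def normalize(text: str) -> str:
    """Keep only A-Z, upper-cased; classical ciphers ignore spacing and punctuation."""
    return "".join(ch for ch in text.upper() if ch in string.ascii_uppercase)


def index_of_coincidence(text: str) -> float:
    """Probability that two distinct, randomly chosen positions hold the same letter."""
    s = normalize(text)
    n = len(s)
    if n < 2:
        raise ValueError("need at least two letters")
    counts = Counter(s)
    return sum(f * (f - 1) for f in counts.values()) / (n * (n - 1))


def expected_ic(n: int, t: int, kappa_p: float = KAPPA_P, kappa_r: float = KAPPA_R) -> float:
    """Expected IC of n ciphertext letters enciphered under t alphabets used cyclically.

    The expectation computation: of the n(n-1)/2 unordered position pairs,
    t * (n/t)(n/t - 1)/2 = n(n-t)/(2t) lie within one alphabet, where equal
    plaintext letters encipher identically (weight kappa_p); the remaining
    pairs straddle two alphabets and behave like random letters (weight kappa_r).
    """
    if not 1 <= t <= n:
        raise ValueError("t must satisfy 1 <= t <= n")
    same_alphabet = (n - t) / (t * (n - 1))
    return same_alphabet * kappa_p + (1 - same_alphabet) * kappa_r


def estimate_period(ciphertext: str, max_t: int = 20) -> int:
    """Return the number of alphabets t whose expected IC is closest to the observed IC.

    This is a coarse estimate (neighbouring t differ by only about 0.001 in
    expected IC), so in practice it is cross-checked against the Kasiski method.
    """
    s = normalize(ciphertext)
    observed = index_of_coincidence(s)
    candidates = range(1, min(max_t, len(s)) + 1)
    return min(candidates, key=lambda t: abs(expected_ic(len(s), t) - observed))


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Simple Vigenere cipher (Definition 7.53), used only to construct sample ciphertext."""
    s, k = normalize(text), normalize(key)
    if not k:
        raise ValueError("key must contain letters")
    out = []
    for i, ch in enumerate(s):
        shift = ord(k[i % len(k)]) - ord("A")
        if decrypt:
            shift = -shift
        out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
    return "".join(out)


# Constructed sample: ordinary English prose and a period-5 key.
SAMPLE_PLAINTEXT = (
    "Every request that reaches the gateway is logged with its source address, "
    "the account that authenticated, and the time at which the decision was made. "
    "Analysts review these records each morning and compare them against the "
    "expected pattern of traffic for the day. Any connection that arrives outside "
    "the usual window or from an unfamiliar network is flagged for a closer look "
    "before the report is filed."
)
SAMPLE_KEY = "QUERY"

if __name__ == "__main__":
    ct = vigenere(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    n = len(normalize(ct))
    print(f"IC(plaintext)  = {index_of_coincidence(SAMPLE_PLAINTEXT):.4f}")
    print(f"IC(ciphertext) = {index_of_coincidence(ct):.4f}")
    for t in range(1, 8):
        print(f"t = {t}: expected IC {expected_ic(n, t):.4f}")
    print("estimated number of alphabets:", estimate_period(ct))
```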

Friedman teaches how to cryptanalyze running-key ciphers in his (circa 1918) Riverbank
Publication no. 16, Methods for the Solution of Running-Key Ciphers; the two basic techniques
are outlined by Diffie and Hellman [347]. The first is a probable word attack wherein an
attacker guesses an (e.g., 10 character) word hopefully present in underlying text, and
subtracts that word (mod 26) from all possible starting locations in the ciphertext in hopes
of finding a recognizable 10-character result, where-after the guessed word (as either partial
running-key or plaintext) might be extended using context. Probable-word attacks also apply to
polyalphabetic substitution. The second technique is based on the fact that each ciphertext
letter c results from a pair of plaintext/running-key letters (m_i, m'_i), and is most likely
to result from such pairs wherein both m_i and m'_i are high-frequency characters; one
isolates the highest-probability pairs for each such ciphertext character value c, makes trial
assumptions, and attempts to extend apparently successful guesses by similarly decrypting
adjacent ciphertext characters; see Denning [326, p.83] for a partial example. Diffie and
Hellman [347] note Fact 7.59 as an obvious method that is little-used (modern ciphers being
more convenient); their suggestion that use of four iterative running keys is unbreakable
follows from English being 75% redundant. They also briefly summarize various scrambling
techniques (encryption via analog rather than digital methods), noting that analog scramblers
are sometimes used in practice due to lower bandwidth and cost requirements, although such
known techniques appear relatively insecure (possibly an inherent characteristic) and their
use is waning as digital networks become prevalent.

Denning [326] tabulates digrams into high, medium, low, and rare classes. Konheim [705, p.24]
provides transition probabilities p(t|s), the probability that the next letter is t, given
that the current character is s in English text, in a table also presented by H. van Tilborg
[1210]. Single-letter distributions in plaintext languages other than English are given by
Davies and Price [308]. The letter frequencies in Figure 7.5, which should be interpreted only
as an estimate, were derived by Meyer and Matyas [859] using excerpts totaling 4 million
characters from the 1964 publication: W. Francis, A Standard Sample of Present-Day Edited
American English for Use with Digital Computers, Linguistics Dept., Brown University,
Providence, Rhode Island, USA. Figure 7.6 is based on data from Konheim [705, p.19] giving an
estimated probability distribution of 2-grams in English, derived from a sample of size
67 320 digrams.

See Shannon [1122] and Cover and King [285] regarding redundancy and Fact 7.67. While not
proven in any concrete manner, Fact 7.68 is noted by Friedman [424] and generally accepted.
Unicity distance was defined by Shannon [1121]. Related issues are discussed in detail in
various appendices of Meyer and Matyas [859]. Fact 7.71 and the random cipher model are due to
Shannon [1121]; see also Hellman [548].

Diffie and Hellman [347] give an instructive overview of rotor machines (see also Denning
[326]), and note their use in World War II by the Americans in their highest level system, the
British, and the Germans (Enigma); they also give Fact 7.63 and the number of characters
required under ciphertext-only and known-plaintext attacks (Note 7.66). Beker and Piper [84]
provide technical details of the Hagelin M-209, as does Kahn [648, pp.427-431] who notes its
remarkable compactness and weight: 3.25 x 5.5 x 7 inches and 6 lb. (including case); see also
Barker [74], Morris [906], and Rivest [1053]. Davies and Price [308] briefly discuss the
Enigma, noting it was cryptanalyzed during World War II in Poland, France, and then in the
U.K. (Bletchley Park); see also Konheim [705].

The Japanese PURPLE cipher, used during World War II, was a polyalphabetic cipher cryptanalyzed
August 1940 [648, pp.18-23] by Friedman's team in the U.S. Signal Intelligence Service, under
(Chief Signal Officer) Mauborgne. The earlier RED cipher used two rotor arrays; preceding it,
the ORANGE system implemented a vowels-to-vowels, consonants-to-consonants cipher using sets
of rotors.

The concept of fractionation, related to product ciphers, is noted by Feistel [387], Shannon
[1121], and Kahn [648, p.344] who identifies this idea in an early product cipher, the WWI
German ADFGVX field cipher. As an example, an encryption function might operate on a block of
t = 8 plaintext characters in three stages as follows: the first substitutes two symbols for
each individual character; the second transposes (mixes) the substituted symbols among
themselves; the third re-groups adjacent resulting symbols and maps them back to the plaintext
alphabet. The action of the transposition on partial (rather than complete) characters
contributes to the strength of the principle.
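The three-stage fractionating example above, written out as an added illustration (not the
Handbook's code and not the ADFGVX cipher itself): a 5x5 key square turns each of the 8
characters into two symbols, a keyed columnar transposition mixes the 16 symbols, and the
regrouped pairs are mapped back to letters through the same square. The square, the symbol
alphabet "ADFGX" and the key "BEAD" are constructed for the illustration, with J merged into I
to fit 25 cells.

```python
"""Three-stage fractionating cipher on blocks of t = 8 characters.

Added example written for these notes; it is not ADFGVX itself and not code from
the Handbook. The key square, the symbol alphabet "ADFGX" and the transposition
key are constructed for the illustration (J is merged into I to fit 25 cells).
"""
SYMBOLS = "ADFGX"                     # constructed row/column labels of the 5x5 square
SQUARE = "PHQGMEAYLNOFDXKRCVSZWBUTI"  # constructed key square, row-major, no J
BLOCK_LEN = 8
assert len(SQUARE) == 25 and len(set(SQUARE)) == 25


def to_symbols(ch: str) -> tuple:
    """Stage 1 for one character: a letter becomes its (row, column) symbol pair."""
    idx = SQUARE.index("I" if ch == "J" else ch)
    return SYMBOLS[idx // 5], SYMBOLS[idx % 5]


def from_symbols(row: str, col: str) -> str:
    """Inverse of to_symbols: a symbol pair is read back as a letter of the square."""
    return SQUARE[SYMBOLS.index(row) * 5 + SYMBOLS.index(col)]


def permutation_from_key(key: str, length: int = 2 * BLOCK_LEN) -> list:
    """Stage 2 as a columnar transposition: the `length` symbols are written row-wise
    under the key and read out column by column in alphabetical order of the key
    letters. Returns, for each output position, the index of the source symbol."""
    width = len(key)
    if width == 0 or length % width:
        raise ValueError("key length must divide the number of symbols")
    rows = length // width
    columns = sorted(range(width), key=lambda c: (key[c], c))
    return [r * width + c for c in columns for r in range(rows)]


def encrypt_block(block: str, key: str) -> str:
    if len(block) != BLOCK_LEN:
        raise ValueError(f"block must have {BLOCK_LEN} characters")
    symbols = [s for ch in block for s in to_symbols(ch)]      # stage 1: 8 letters -> 16 symbols
    perm = permutation_from_key(key)
    mixed = [symbols[i] for i in perm]                          # stage 2: transpose the symbols
    return "".join(from_symbols(mixed[i], mixed[i + 1])         # stage 3: regroup pairs -> letters
                   for i in range(0, len(mixed), 2))


def decrypt_block(block: str, key: str) -> str:
    if len(block) != BLOCK_LEN:
        raise ValueError(f"block must have {BLOCK_LEN} characters")
    mixed = [s for ch in block for s in to_symbols(ch)]        # undo stage 3
    perm = permutation_from_key(key)
    symbols = [None] * len(mixed)
    for dst, src in enumerate(perm):                            # undo stage 2
        symbols[src] = mixed[dst]
    return "".join(from_symbols(symbols[i], symbols[i + 1])     # undo stage 1
                   for i in range(0, len(symbols), 2))


def normalize(text: str) -> str:
    """Upper-case, keep A-Z only, merge J into I, pad to a multiple of the block length."""
    s = "".join(ch for ch in text.upper() if "A" <= ch <= "Z").replace("J", "I")
    return s + "X" * (-len(s) % BLOCK_LEN)


def encrypt(text: str, key: str) -> str:
    s = normalize(text)
    return "".join(encrypt_block(s[i:i + BLOCK_LEN], key) for i in range(0, len(s), BLOCK_LEN))


def decrypt(text: str, key: str) -> str:
    return "".join(decrypt_block(text[i:i + BLOCK_LEN], key) for i in range(0, len(text), BLOCK_LEN))


def letters_changed(a: str, b: str) -> int:
    """Number of positions at which two equal-length strings differ."""
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    key = "BEAD"                                   # constructed transposition key
    ct = encrypt("Security", key)
    print("ciphertext:", ct, "->", decrypt(ct, key))
    # Because the transposition acts on half-characters, changing one plaintext
    # letter disturbs two ciphertext letters rather than one.
    ct2 = encrypt("Secubity", key)
    print("letters changed by a one-letter plaintext change:", letters_changed(ct, ct2))
```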

Shannon [1121, §5 and §23-26] explored the idea of the product of two ciphers, noted the
principles of confusion and diffusion (Remark 1.36), and introduced the idea of a mixing
transformation F (suggesting a preliminary transposition followed by a sequence of alternating
substitution and simple linear operations), and combining ciphers in a product using an
intervening transformation F. Transposition and substitution, respectively, rest on the
principles of diffusion and confusion. Harpes, Kramer, and Massey [541] discuss a general
model for iterated block ciphers (cf. Definition 7.80).

The name Lucifer is associated with two very different algorithms. The first is an SP network
described by Feistel [387], which employs (bitwise nonlinear) 4x4 invertible S-boxes; the
second, closely related to DES (albeit significantly weaker), is described by Smith [1160]
(see also Sorkin [1165]). Principles related to both are discussed by Feistel, Notz, and Smith
[388]; both are analyzed by Biham and Shamir [138], and the latter in greater detail by
Ben-Aroya and Biham [108] whose extension of differential cryptanalysis allows, using 2^{36}
chosen plaintexts and complexity, attack on 55% of the key space in Smith's Lucifer - still
infeasible in practice, but illustrating inferiority to DES despite the longer 128-bit key.

Feistel's product cipher Lucifer [387], instantiated by a blocksize n = 128, consists of an
unspecified number of alternating substitution and permutation (transposition) stages, using
a fixed (unpublished) n-bit permutation P and 32 parallel identical S-boxes each effecting a
mapping S_0 or S_1 (fixed but unpublished bijections on {0,1}^4), depending on the value of
one key bit; the unpublished key schedule requires 32 bits per S-box stage. Each stage
operates on all n bits; decryption is by stage-wise inversion of P and S_j.

The structure of so-called Feistel ciphers (Definition 7.81) was first introduced in the
Lucifer algorithm of Smith [1160], the direct predecessor of DES. This 16-round algorithm with
128-bit key operates on alternating half-blocks of a 128-bit message block with a simplified f
function based on two published invertible 4 x 4 bit S-boxes S_0 and S_1 (cf. above).
Feistel, Notz, and Smith [388] discuss both the abstract Feistel cipher structure (suggesting
its use with non-invertible S-boxes) and SP networks based on invertible (distinct) S-boxes.
Suggestions for SP networks include the use of single key bits to select one of two mappings
(a fixed bijection or its inverse) from both S-boxes and permutation boxes; decryption then
uses a reversed key schedule with complemented key. They also noted the multi-round avalanche
effect of changing a single input bit, subsequently pursued by Kam and Davida [659] in
relation to SP networks and S-boxes having a completeness property: for every pair of bit
positions i, j, there must exist at least two input blocks x, y which differ only in bit i and
whose outputs differ in at least bit j. More simply, a function is complete if each output bit
depends on all input bits. Webster and Tavares [1233] proposed the more stringent strict
avalanche criterion: whenever one input bit is changed, every output bit must change with
probability 1/2.
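The completeness property and the strict avalanche criterion, as exhaustive checks over a 4-bit
S-box and over a small SP network built from it; this is an added example, not the Handbook's
code. The S-box under test is the published PRESENT 4x4 S-box, chosen only because it is a
public bijection (the Lucifer S-boxes S_0 and S_1 above are unpublished); the identity map is
the counterexample, and the 8-bit SP network and its bit permutation are constructed for the
illustration.

```python
"""Completeness and strict avalanche criterion (SAC) checks for a 4-bit S-box and
for a small SP network built from it.

Added example, not code from the Handbook. The S-box under test is the published
PRESENT 4x4 S-box, used only as a convenient public bijection; the 8-bit SP
network and its bit permutation are constructed for the illustration.
"""

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
IDENTITY_SBOX = list(range(16))


def avalanche_table(func, nbits):
    """table[i][j] = fraction of the 2^nbits inputs x for which flipping input bit i
    changes output bit j of func(x). The function is evaluated exhaustively."""
    size = 1 << nbits
    table = [[0] * nbits for _ in range(nbits)]
    for i in range(nbits):
        for x in range(size):
            diff = func(x) ^ func(x ^ (1 << i))
            for j in range(nbits):
                if (diff >> j) & 1:
                    table[i][j] += 1
    return [[count / size for count in row] for row in table]


def is_complete(func, nbits):
    """Kam-Davida completeness: every output bit depends on every input bit, i.e.
    for every (i, j) some input exists whose bit-i flip changes output bit j."""
    return all(p > 0 for row in avalanche_table(func, nbits) for p in row)


def sac_deviation(func, nbits):
    """Largest |p - 1/2| over the avalanche table. 0 means the strict avalanche
    criterion holds exactly; 1/2 means some output bit flips always or never."""
    return max(abs(p - 0.5) for row in avalanche_table(func, nbits) for p in row)


def satisfies_sac(func, nbits):
    """Webster-Tavares SAC: every entry of the avalanche table is exactly 1/2."""
    return sac_deviation(func, nbits) == 0


# Constructed 8-bit SP network: two copies of the S-box on the two nibbles, then a
# bit permutation that sends bit i to position BIT_PERM[i], spreading each nibble's
# output over both nibbles of the next round.
BIT_PERM = [0, 4, 1, 5, 2, 6, 3, 7]


def sp_round(x):
    y = PRESENT_SBOX[x & 0xF] | (PRESENT_SBOX[x >> 4] << 4)
    out = 0
    for i in range(8):
        out |= ((y >> i) & 1) << BIT_PERM[i]
    return out


def sp_network(x, rounds):
    for _ in range(rounds):
        x = sp_round(x)
    return x


if __name__ == "__main__":
    for name, sbox in (("identity", IDENTITY_SBOX), ("PRESENT", PRESENT_SBOX)):
        print(name, "complete:", is_complete(sbox.__getitem__, 4),
              "SAC deviation:", sac_deviation(sbox.__getitem__, 4))
        for row in avalanche_table(sbox.__getitem__, 4):
            print("   ", row)
    # One round of the SP network cannot be complete: each output bit depends only
    # on the four input bits of one S-box. Further rounds spread the dependence.
    for r in (1, 2, 3):
        f = lambda x, r=r: sp_network(x, r)
        print(f"{r} round(s): complete={is_complete(f, 8)} "
              f"SAC deviation={sac_deviation(f, 8):.3f}")
```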

DES resulted from IBM's submission to the 1974 U.S. National Bureau of Standards (NBS)
solicitation for encryption algorithms for the protection of computer data. The original
specification is the 1977 U.S. Federal Information Processing Standards Publication 46 [396],
reprinted in its entirety as Appendix A in Meyer and Matyas [859]. DES is now specified in
FIPS 46-2, which succeeded FIPS 46-1; the same cipher is defined in the American standard ANSI
X3.92 [33] and referred to as the Data Encryption Algorithm (DEA). Differences between FIPS
46/46-1 and ANSI X3.92 included the following: these earlier FIPS required that DES be
implemented in hardware and that the parity bits be used for parity; ANSI X3.92 specifies that
the parity bits may be used for parity. Although no purpose was stated by the DES designers
for the permutations IP and IP^{-1}, Preneel et al. [1008] provided some evidence of their
cryptographic value in the CFB mode.

FIPS 81 [398] specifies the common modes of operation. Davies and Price [308] provide a
comprehensive discussion of both DES and modes of operation; see also Diffie and Hellman
[347], and the extensive treatment of Meyer and Matyas [859]. The survey of Smid and Branstad
[1156] discusses DES, its history, and its use in the U.S. government. Test vectors for
various modes of DES, including the ECB vectors of Example 7.86, may be found in ANSI X3.106
[34]. Regarding exhaustive cryptanalysis of DES and related issues, see also the notes under
§7.2.

The 1981 publication FIPS 74 [397] notes that DES is not (generally) commutative under two
keys, and summarizes weak and semi-weak keys using the term dual keys to include both (weak
keys being self-dual); see also Davies [303] and Davies and Price [308]. Coppersmith [268]
noted Fact 7.90; Moore and Simmons [900] pursue weak and semi-weak DES keys and related
phenomena more rigorously.

The 56-bit keylength of DES was criticized from the outset as being too small (e.g., see
Diffie and Hellman [346], and p.272 above). Claims which have repeatedly arisen and been
denied (e.g., see Tuchman [1199]) over the past 20 years regarding built-in weaknesses of DES
(e.g., trap-door S-boxes) remain un-substantiated. Fact 7.91 is significant in that if the
permutation group were closed under composition, DES would fall to a known-plaintext attack
requiring 2^{28} steps - see Kaliski, Rivest, and Sherman [654], whose cycling experiments
provided strong evidence against this. Campbell and Wiener [229] prove the fact conclusively
(and give the stated lower bound), through their own cycling experiments utilizing collision
key search and an idea outlined earlier by Coppersmith [268] for establishing a lower bound on
the group size; they attribute to Coppersmith the same result (in unpublished work), which may
also be deduced from the cycle lengths published by Moore and Simmons [901].

Countless papers have analyzed various properties of DES; Davies and Price [308, pp.73-75]
provide a partial summary to 1987. Subsequent to the discovery of differential cryptanalysis
(DC) by Biham and Shamir, Coppersmith [271] explains how DES was specifically designed 15
years earlier to counter DC, citing national security concerns regarding the design team
publishing neither the attack nor design criteria; then gives the (relevant) design criteria -
some already noted by others, e.g., see Hellman et al. [552] - for DES S-boxes and the
permutation P, explaining how these preclude DC. Coppersmith notes elements of DC were present
in the work of den Boer [322], followed shortly by Murphy [913]. DES was not, however,
specifically designed to preclude linear cryptanalysis (LC); Matsui [797] illustrates the
order of the 8 DES S-boxes, while a strong (but not optimal) choice against DC, is relatively
weak against LC, and that DES can be strengthened (vs. DC and LC) by carefully re-arranging
these. Despite Remark 7.93, a DES key has actually been recovered by Matsui [795] using LC
under experimental conditions (using 2^{43} known-plaintext pairs from randomly generated
plaintexts, and 2^{43} complexity running twelve 99 MHz machines over 50 days); such a result
remains to be published for exhaustive search or DC.

Ben-Aroya and Biham [108] note that often suggestions to redesign DES, some based on design
criteria and attempts to specifically resist DC, have resulted in (sometimes far) weaker
systems, including the RDES (randomized DES) proposal of Koyama and Terada [709], which fall
to variant attacks. The lesson is that in isolation, individual design principles do not
guarantee security.

DES alternatives are sought not only due to the desire for a keylength exceeding 56 bits, but
also because its bit-oriented operations are inconvenient in conventional software
implementations, often resulting in poor performance; this makes triple-DES less attractive.
Regarding fast software implementations of DES, see Shepherd [1124], Pfitzmann and Aßmann
[970], and Feldmeier and Karn [391].

FEAL stimulated the development of a sequence of advanced cryptanalytic techniques of
unparalleled richness and utility. While it appears to remain relatively secure when iterated
a sufficient number of rounds (e.g., 24 or more), this defeats its original objective of
speed. FEAL-4 as presented at Eurocrypt'87 (Abstracts of Eurocrypt'87, April 1987) was found
to have certain vulnerabilities by den Boer (unpublished Eurocrypt'87 rump session talk),
resulting in Shimizu and Miyaguchi [1126] (or see Miyaguchi, Shiraishi, and Shimizu [887])
increasing FEAL to 8 rounds in the final proceedings. In 1988 den Boer [322] showed FEAL-4
vulnerable to an adaptive chosen plaintext attack with 100 to 10 000 plaintexts. In 1990,
Gilbert and Chassé [455] devised a chosen-plaintext attack (called a statistical
meet-in-the-middle attack) on FEAL-8 requiring 10 000 pairs of plaintexts, the bitwise XOR of
each pair being selected to be an appropriate constant (thus another early variant of
differential cryptanalysis).

FEAL-N with N rounds, and its extension FEAL-NX with 128-bit key (Notes 7.97 and 7.98) were
then published by Miyaguchi [884] (or see Miyaguchi et al. [885]), who nonetheless opined that
chosen-plaintext attacks on FEAL-8 were not practical threats. However, improved
chosen-plaintext attacks were subsequently devised, as well as known-plaintext attacks.
Employing den Boer's G function expressing linearity in the FEAL f-function, Murphy [913]
defeated FEAL-4 with 20 chosen plaintexts in under 4 hours (under 1 hour for most keys) on a
Sun 3/60 workstation. A statistical method of Tardy-Corfdir and Gilbert [1187] then allowed a
known-plaintext attack on FEAL-4 (1000 texts; or 200 in an announced improvement) and FEAL-6
(2 x 10 000 texts), involving linear approximation of FEAL S-boxes. Thereafter, the first
version of linear cryptanalysis (LC) introduced by Matsui and Yamagishi [798] allowed
known-plaintext attack of FEAL-4 (5 texts, 6 minutes on a 25MHz 68040 processor), FEAL-6 (100
texts, 40 minutes), and FEAL-8 (2^{28} texts, in time equivalent to exhaustive search on
50-bit keys); the latter betters the 2^{38} texts required for FEAL-8 by Biham and Shamir
[136] in their known-plaintext conversion of differential cryptanalysis (DC). Biham and Shamir
[138, p.101] later implemented a DC chosen-plaintext attack recovering FEAL-8 keys in two
minutes on a PC using 128 chosen pairs, the program requiring 280K bytes of storage. Biham
[132] subsequently used LC to defeat FEAL-8 with 2^{24} known-plaintexts in 10 minutes on a
personal computer. Ohta and Aoki [943] suggest that FEAL-32 is as secure as DES against DC,
while FEAL-16 is as secure as DES against certain restricted forms of LC.

Differential-linear cryptanalysis was introduced by Langford and Hellman [741], combining
linear and differential cryptanalysis to allow a reduced 8-round version of DES to be attacked
with fewer chosen-plaintexts than previous attacks. Aoki and Ohta [53] refined these ideas for
FEAL-8 yielding a differential-linear attack requiring only 12 chosen texts and 35 days of
computer time (cf. Table 7.10).

Test vectors for FEAL-N and FEAL-NX (Example 7.99) are given by Miyaguchi [884]. The DC attack
of Biham and Shamir [137], which finds FEAL-N subkeys themselves, is equally as effective on
FEAL-NX. Biham [132] notes that an LC attack on FEAL-N is possible with less than 2^{64} known
plaintexts (and complexity) for up to N = 20. For additional discussion of properties of FEAL,
see Biham and Shamir [138, §6.3].

The primary reference for IDEA is Lai [726]. A preliminary version introduced by Lai and
Massey [728] was named PES (Proposed Encryption Standard). Lai, Massey, and Murphy [730]
showed that a generalization (see below) of differential cryptanalysis (DC) allowed recovery
of PES keys, albeit requiring all 2^{64} possible ciphertexts (cf. exhaustive search of
2^{128} operations). Minor modifications resulted in IPES (Improved PES): in stage r,
1 ≤ r ≤ 9, the group operations keyed by K_2^{(r)} and K_4^{(r)} (⊞ and ⊙ in Figure 7.11) were
reversed from PES; the permutation on 16-bit blocks after stage r, 1 ≤ r ≤ 9, was altered; and
necessary changes were made in the decryption (but not encryption) key schedule. IPES was
commercialized under the name IDEA, and is patented (see Chapter 15).

The ingenious design of IDEA is supported by a careful analysis of the interaction and
algebraic incompatibilities of operations across the groups (F_2^{16}, ⊕), (Z_{2^{16}}, ⊞),
and (Z*_{2^{16}+1}, ⊙). The design of the MA structure (see Figure 7.11) results in IDEA being
"complete" after a single round; for other security properties, see Lai [726]. Regarding
mixing operations from different algebraic systems, see also the 1974 examination by Grossman
[522] of transformations arising by alternating mod 2^n and mod 2 addition (⊕), and the use
of arithmetic modulo 2^{32} − 1 and 2^{32} − 2 in MAA (Algorithm 9.68).

Daemen [292, 289] identifies several classes of so-called weak keys for IDEA, and notes a small
modification to the key schedule to eliminate them. The largest is a class of 2^{51} keys for
which membership can be tested in two encryptions plus a small number of computations,
whereafter the key itself can be recovered using 16 chosen plaintext-difference encryptions,
on the order of 2^{16} group operations, plus 2^{17} key search encryptions. The probability
of a randomly chosen key being in this class is 2^{51}/2^{128} = 2^{-77}. A smaller number of
weak key blocks were observed earlier by Lai [726], and dismissed as inconsequential. The
analysis of Meier [832] revealed no attacks feasible against full 8-round IDEA, and supports
the conclusion of Lai [726] that IDEA appears to be secure against DC after 4 of its 8 rounds
(cf. Note 7.107). Daemen [289] also references attacks on reduced-round variants of IDEA.
While linear cryptanalysis (LC) can be applied to any iterated block cipher, Harpes, Kramer,
and Massey [541] provide a generalization thereof; IDEA and SAFER K-64 are argued to be secure
against this particular generalization.

Lai, Massey, and Murphy [730] (see also Lai [726]) generalized DC to apply to Markov
ciphers (which they introduced for this purpose; DES, FEAL, and LOKI are all examples
under the assumption of independent round keys) including IDEA; broadened the notion of
a difference from that based on $\oplus$ to $\Delta X = X \otimes (X^*)^{-1}$, where $\otimes$ is a
specified group operation and $(X^*)^{-1}$ is the group inverse of an element $X^*$; and
defined an i-round differential (as opposed to an i-round characteristic used by Biham and
Shamir [138] on DES) to be a pair $(\alpha, \beta)$ such that two distinct plaintexts with
difference $\Delta X = \alpha$ result in a pair of round i outputs with difference $\beta$.

Decimal values corresponding to Tables 7.12 and 7.13 may be found in Lai [726]. A
table-based alternative for multiplication mod $2^{16}+1$ (cf. Note 7.104) is to look up the
anti-log of $\log_\alpha(a) + \log_\alpha(b) \bmod 2^{16}$, relative to a generator $\alpha$ of
$\mathbb{Z}_{2^{16}+1}^*$; the required tables, however, are quite large.
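Both ways of computing the IDEA multiplication, as an added example that is not code from
the Handbook or from Lai's reference implementation: the direct method uses the convention
of Note 7.104 that the 16-bit word 0 stands for $2^{16}$, and the table method uses
log/anti-log tables relative to the generator $\alpha = 3$ of $\mathbb{Z}_{65537}^*$ (an assumption
that the table builder verifies rather than takes on trust). The inverse is included because
the decryption key schedule needs it.

```python
# Added example: the IDEA group operation a (.) b in (Z*_{2^16+1}, (.)),
# computed directly and via log/anti-log tables, plus the inverse.
# Convention (Note 7.104): the 16-bit value 0 represents 2^16.

MOD = (1 << 16) + 1          # 65537, a prime
TWO16 = 1 << 16
GEN = 3                      # assumed generator of Z*_65537; checked in build_tables()

def idea_mul(a: int, b: int) -> int:
    """a (.) b: multiply 16-bit words modulo 2^16+1 with 0 standing for 2^16."""
    x = a if a else TWO16
    y = b if b else TWO16
    r = (x * y) % MOD
    return 0 if r == TWO16 else r

def idea_inv(a: int) -> int:
    """Inverse under (.), via Fermat (x^(p-2) = x^-1 mod p); used by the decryption key schedule."""
    x = a if a else TWO16
    r = pow(x, MOD - 2, MOD)
    return 0 if r == TWO16 else r

def build_tables(gen: int = GEN):
    """Return (log, antilog): antilog[e] = gen^e mod 65537 for e in 0..65535,
    log[v] = e for v in 1..65535, and log[0] = e for v = 65536 (the word 0)."""
    antilog = [0] * TWO16
    log = [None] * TWO16
    v = 1
    for e in range(TWO16):
        antilog[e] = v
        log[v & 0xFFFF] = e      # 65536 & 0xFFFF == 0, matching the word convention
        v = (v * gen) % MOD
    # gen is a generator iff the 65536 powers hit every non-zero residue exactly once
    if v != 1 or any(x is None for x in log):
        raise ValueError("gen is not a generator of Z*_65537")
    return log, antilog

LOG, ANTILOG = build_tables()   # two tables of 65536 entries each

def idea_mul_table(a: int, b: int) -> int:
    """a (.) b as antilog(log a + log b mod 2^16), the table alternative from the text."""
    r = ANTILOG[(LOG[a] + LOG[b]) & 0xFFFF]
    return 0 if r == TWO16 else r

def tables_agree(samples=((0, 0), (0, 1), (2, 32768), (3, 4),
                          (65535, 65535), (12345, 54321))) -> bool:
    """Cross-check the two methods on a few edge-case operands."""
    return all(idea_mul(a, b) == idea_mul_table(a, b) for a, b in samples)
```

The edge cases are the ones that bite in practice: $0 \odot 0 = 1$ (since $(-1)(-1) = 1$ modulo $2^{16}+1$),
$0 \odot 1 = 0$, and $2 \odot 32768 = 0$ (the product is exactly $2^{16}$).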

Massey [787] introduced SAFER K-64 with a 64-bit key and initially recommended 6
rounds, giving a reference implementation and test vectors (cf. Example 7.114). It is not
patented. Massey [788] then published SAFER K-128 (with a reference implementation),
differing only in its use of a non-proprietary (and backwards compatible) key schedule
accommodating 128-bit keys, proposed by a Singapore group; 10 rounds were recommended
(12 maximum). Massey [788] gave further justification for design components of SAFER
K-64. Vaudenay [1215] showed SAFER K-64 is weakened if the S-box mapping (Remark
7.112) is replaced by a random permutation.

Knudsen [685] proposed the modified key schedule of Note 7.110 after finding a weakness
in 6-round SAFER K-64 that, while not of practical concern for encryption (with $2^{45}$ chosen
plaintexts, it finds 8 bits of the key), permitted collisions when using the cipher for hashing.
This and a subsequent certificational attack on SAFER K-64 by S. Murphy (to be published)
led Massey ("Strengthened key schedule for the cipher SAFER", posted to the USENET
newsgroup sci.crypt, September 9 1995) to advise adoption of the new key schedule, with
the resulting algorithm distinguished as SAFER SK-64 with 8 rounds recommended (minimum
6, maximum 10); an analogous change to the 128-bit key schedule yields SAFER SK-128
for which 10 rounds remain recommended (maximum 12). A new variant of DC by Knudsen
and Berson [687] using truncated differentials (building on Knudsen [686]) yields a
certificational attack on 5-round SAFER K-64 with $2^{45}$ chosen plaintexts; the attack,
which does not extend to 6 rounds, indicates that security is less than argued by Massey
[788], who also notes that preliminary attempts at linear cryptanalysis of SAFER were
unsuccessful.

RC5 was designed by Rivest [1056], and published along with a reference implementation.
The magic constants of Table 7.14 are based on the golden ratio and the base of natural
logarithms. The data-dependent rotations (which vary across rounds) distinguish RC5 from
iterated ciphers which have identical operations each round; Madryga [779] proposed an
earlier (less elegant) cipher involving data-dependent rotations. A preliminary examination
by Kaliski and Yin [656] suggested that, while variations remain to be explored, standard
linear and differential cryptanalysis appear impractical for RC5-32 (64-bit blocksize) for
$r = 12$; their differential attacks on 9 and 12 round RC5 require, respectively, $2^{45}$ and $2^{62}$
chosen-plaintext pairs, while their linear attacks on 4, 5, and 6-round RC5-32 require,
respectively, $2^{37}$, $2^{47}$, and $2^{57}$ known plaintexts. Both attacks depend on the number of
rounds and the blocksize, but not the byte-length of the input key (since subkeys are
recovered directly). Knudsen and Meier [689] subsequently presented differential attacks on
RC5 which improved on those of Kaliski and Yin by a factor up to 512, and showed that RC5
has so-called weak keys (independent of the key schedule) for which these differential
attacks perform even better.
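A working RC5-32/12/16 (64-bit block, 12 rounds, 16-byte key), as an added example that is
not Rivest's reference code: it derives the magic constants from e and the golden ratio as
the text describes, runs the key expansion, and shows the data-dependent rotations in both
the key mixing and the round function. The word size w = 32 and the round-count default are
assumptions chosen to match RC5-32 as discussed above.

```python
# Added example: RC5-w/r/b with w = 32, r = 12, b = 16 (not the reference implementation).
import math

W = 32
MASK = (1 << W) - 1

def rotl(x: int, s: int) -> int:
    """Rotate the w-bit word x left by s mod w positions (the data-dependent rotation)."""
    s &= W - 1
    return ((x << s) | (x >> (W - s))) & MASK if s else x

def rotr(x: int, s: int) -> int:
    s &= W - 1
    return ((x >> s) | (x << (W - s))) & MASK if s else x

def odd(x: int) -> int:
    """Nearest odd integer, rounding up."""
    return x | 1

def magic_constants(w: int = W):
    """P_w = Odd((e - 2) * 2^w), Q_w = Odd((phi - 1) * 2^w), phi the golden ratio."""
    p = odd(int((math.e - 2) * (1 << w)))
    q = odd(int(((1 + math.sqrt(5)) / 2 - 1) * (1 << w)))
    return p, q

def expand_key(key: bytes, rounds: int = 12):
    """Key schedule: S starts as an arithmetic progression P, P+Q, P+2Q, ...;
    the key words L are then mixed in over 3*max(t, c) data-dependent steps."""
    P, Q = magic_constants()
    t = 2 * (rounds + 1)               # number of subkeys
    u = W // 8                         # bytes per word
    c = max(1, (len(key) + u - 1) // u)
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):      # load key bytes little-endian into words
        L[i // u] = ((L[i // u] << 8) + key[i]) & MASK
    S = [(P + i * Q) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)  # rotation amount depends on the data
        i = (i + 1) % t
        j = (j + 1) % c
    return S

def encrypt_block(S, A: int, B: int, rounds: int = 12):
    """One block: each half is rotated by an amount taken from the other half."""
    A = (A + S[0]) & MASK
    B = (B + S[1]) & MASK
    for i in range(1, rounds + 1):
        A = (rotl(A ^ B, B) + S[2 * i]) & MASK
        B = (rotl(B ^ A, A) + S[2 * i + 1]) & MASK
    return A, B

def decrypt_block(S, A: int, B: int, rounds: int = 12):
    for i in range(rounds, 0, -1):
        B = rotr((B - S[2 * i + 1]) & MASK, A) ^ A
        A = rotr((A - S[2 * i]) & MASK, B) ^ B
    B = (B - S[1]) & MASK
    A = (A - S[0]) & MASK
    return A, B

def roundtrip_ok(key: bytes = bytes(range(16)), block=(0x01234567, 0x89ABCDEF)) -> bool:
    """Encrypt then decrypt a constructed block under a constructed key."""
    S = expand_key(key)
    return decrypt_block(S, *encrypt_block(S, *block)) == block
```

Because the rotation amounts come from the data words, the operations differ from round to
round and from block to block, which is what makes the standard characteristic-based
attacks above so expensive; note that the key byte-length b only affects how many words L
are mixed in, not the number of subkeys t that an attack must recover.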

LOKI was introduced by Brown, Pieprzyk, and Seberry [215] and renamed LOKI'89 after
the discovery of weaknesses led to the introduction of LOKI'91 by Brown et al. [214].
Knudsen [682] noted each LOKI'89 key fell into a class of 16 equivalent keys, and the
differential cryptanalysis of Biham and Shamir [137] was shown to be effective against
reduced-round versions. LOKI'91 failed to succumb to differential analysis by Knudsen
[683]; Tokita et al. [1193] later confirmed the optimality of Knudsen's characteristics,
suggesting that LOKI'89 and LOKI'91 were resistant to both ordinary linear and differential
cryptanalysis. However, neither should be used for hashing as originally proposed (see
Knudsen [682]) or in other modes (see Preneel [1003]). Moreover, both are susceptible
to related-key attacks (Note 7.6), popularized by Biham [128, 129]; but see also the earlier
ideas of Knudsen [683]. Distinct from these are key clustering attacks (see Diffie and
Hellman [347, p.410]), wherein a cryptanalyst first finds a key "close" to the correct key,
and then searches a cluster of "nearby" keys to find the correct one.

$8 \times 32$ bit S-boxes first appeared in the Snefru hash function of Merkle [854]; here such
fixed S-boxes created from random numbers were used in its internal encryption mapping.
Regarding large S-boxes, see also Gordon and Retkin [517], Adams and Tavares [7], and
Biham [132]. Merkle [856] again used $8 \times 32$ S-boxes in Khufu and Khafre (see also
§15.2.3(viii)). In this 1990 paper, Merkle gives a chosen-plaintext differential attack
defeating 8 rounds of Khufu (with secret S-box). Regarding 16-round Khafre, a DC attack by
Biham and Shamir [138, 137] requires somewhat over 1500 chosen plaintexts and one hour
on a personal computer, and their known-plaintext differential attack requires $2^{37.5}$
plaintexts; for 24-round Khafre, they require $2^{53}$ chosen plaintexts or $2^{58.5}$ known
plaintexts. Khufu with 16 rounds was examined by Gilbert and Chauvaud [456], who gave an
attack using $2^{43}$ chosen plaintexts and about $2^{43}$ operations.

CAST is a design procedure for a family of DES-like ciphers, featuring fixed $m \times n$ bit
S-boxes ($m < n$) based on bent functions. Adams and Tavares [7] examine the construction
of large S-boxes resistant to differential cryptanalysis, and give a partial example (with
64-bit blocklength and $8 \times 32$ bit S-boxes) of a CAST cipher. CAST ciphers have variable
keysize and numbers of rounds. Rijmen and Preneel [1049] presented a cryptanalytic
technique applicable to Feistel ciphers with non-surjective round functions (e.g., LOKI'91
and an example CAST cipher), noting cases where 6 to 8 rounds is insufficient.

Blowfish is a 16-round DES-like cipher due to Schneier [1093], with 64-bit blocks and keys
of length up to 448 bits. The computationally intensive key expansion phase creates
eighteen 32-bit subkeys plus four $8 \times 32$ bit S-boxes derived from the input key (cf.
Khafre above), for a total of 4168 bytes. See Vaudenay [1216] for a preliminary analysis of
Blowfish.

3-WAY is a block cipher with 96-bit blocksize and keysize, due to Daemen [289] and
introduced by Daemen, Govaerts, and Vandewalle [290] along with a reference C
implementation and test vectors. It was designed for speed in both hardware and software,
and to resist differential and linear attacks. Its core is a 3-bit nonlinear S-box and a linear
mapping representable as polynomial multiplication in $\mathbb{Z}_2^{12}$.

SHARK is an SP-network block cipher due to Rijmen et al. [1048] (coordinates for a
reference implementation are given) which may be viewed as a generalization of SAFER,
employing highly nonlinear S-boxes and the idea of MDS codes (cf. Note 12.36) for
diffusion to allow a small number of rounds to suffice. The block ciphers BEAR and LION of
Anderson and Biham [30] are 3-round unbalanced Feistel networks, motivated by the earlier
construction of Luby and Rackoff [776] (see also Maurer [816] and Lucks [777]) which
provides a provably secure (under suitable assumptions) block cipher from pseudorandom
functions using a 3-round Feistel structure. SHARK, BEAR, and LION all remain to be
subjected to independent analysis in order to substantiate their conjectured security levels.

SKIPJACK is a classified block cipher whose specification is maintained by the U.S.
National Security Agency (NSA). FIPS 185 [405] notes that its specification is available to
organizations entering into a Memorandum of Agreement with the NSA, and includes
interface details (e.g., it has an 80-bit secret key). A public report contains results of a
preliminary security evaluation of this 64-bit block cipher ("SKIPJACK Review, Interim
Report, The SKIPJACK Algorithm", 1993 July 28, by E.F. Brickell, D.E. Denning, S.T. Kent,
D.P. Maher, and W. Tuchman). See also Roe [1064, p.312] regarding curious results on the
cyclic closure tests on SKIPJACK, which give evidence related to the size of the cipher
keyspace.

GOST 28147-89 is a Soviet government encryption algorithm with a 32-round Feistel
structure and unspecified S-boxes; see Charnes et al. [241].

RC2  is  a block  cipher  proprietary  to  RSA  Data  Security  Inc.  (as  is  the  stream  cipher  RC4). 
WAKE  is  a block  cipher  due  to  Wheeler  [1237]  employing  a key-dependent  table,  intended 
for  fast  encryption  of  bulk  data  on  processors  with  32-bit  words.  TEA  (Tiny  Encryption 
Algorithm)  is  a block  cipher  proposed  by  Wheeler  and  Needham  [1238]. 
8.1 Introduction

This chapter considers various techniques for public-key encryption, also referred to as
asymmetric encryption. As introduced previously (§1.8.1), in public-key encryption systems
each entity A has a public key e and a corresponding private key d. In secure systems, the
task of computing d given e is computationally infeasible. The public key defines an
encryption transformation $E_e$, while the private key defines the associated decryption
transformation $D_d$. Any entity B wishing to send a message m to A obtains an authentic
copy of A's public key e, uses the encryption transformation to obtain the ciphertext
$c = E_e(m)$, and transmits c to A. To decrypt c, A applies the decryption transformation to
obtain the original message $m = D_d(c)$.

The  public  key  need  not  be  kept  secret,  and,  in  fact,  may  be  widely  available  - only  its 
authenticity  is  required  to  guarantee  that  A is  indeed  the  only  party  who  knows  the  corre- 
sponding private  key.  A primary  advantage  of  such  systems  is  that  providing  authentic  pub- 
lic keys  is  generally  easier  than  distributing  secret  keys  securely,  as  required  in  symmetric- 
key  systems. 

The  main  objective  of  public-key  encryption  is  to  provide  privacy  or  confidentiality . 
Since  A’s  encryption  transformation  is  public  knowledge,  public-key  encryption  alone  does 
not  provide  data  origin  authentication  (Definition  9.76)  or  data  integrity  (Definition  9.75). 
Such  assurances  must  be  provided  through  use  of  additional  techniques  (see  §9.6),  including 
message  authentication  codes  and  digital  signatures. 

Public-key  encryption  schemes  are  typically  substantially  slower  than  symmetric-key 
encryption  algorithms  such  as  DES  (§7.4).  For  this  reason,  public-key  encryption  is  most 
commonly  used  in  practice  for  the  transport  of  keys  subsequently  used  for  bulk  data  en- 
cryption by  symmetric  algorithms  and  other  applications  including  data  integrity  and  au- 
thentication, and  for  encrypting  small  data  items  such  as  credit  card  numbers  and  PINs. 
Public-key decryption may also provide authentication guarantees in entity authentication
and authenticated key establishment protocols.


Chapter  outline 

The remainder of the chapter is organized as follows. §8.1.1 provides introductory material.
The RSA public-key encryption scheme is presented in §8.2; related security and
implementation issues are also discussed. Rabin's public-key encryption scheme, which is
provably as secure as factoring, is the topic of §8.3. §8.4 considers the ElGamal encryption
scheme; related security and implementation issues are also discussed. The McEliece
public-key encryption scheme, based on error-correcting codes, is examined in §8.5.
Although known to be insecure, the Merkle-Hellman knapsack public-key encryption scheme
is presented in §8.6 for historical reasons - it was the first concrete realization of a
public-key encryption scheme. Chor-Rivest encryption is also presented (§8.6.2) as an
example of an as-yet unbroken public-key encryption scheme based on the subset sum
(knapsack) problem. §8.7 introduces the notion of probabilistic public-key encryption,
designed to meet especially stringent security requirements. §8.8 concludes with Chapter
notes and references.

The number-theoretic computational problems which form the security basis for the
public-key encryption schemes discussed in this chapter are listed in Table 8.1.


  public-key encryption scheme      computational problem
  --------------------------------  -----------------------------------------------------
  RSA                               integer factorization problem (§3.2)
                                    RSA problem (§3.3)
  Rabin                             integer factorization problem (§3.2)
                                    square roots modulo composite n (§3.5.2)
  ElGamal                           discrete logarithm problem (§3.6)
                                    Diffie-Hellman problem (§3.7)
  generalized ElGamal               generalized discrete logarithm problem (§3.6)
                                    generalized Diffie-Hellman problem (§3.7)
  McEliece                          linear code decoding problem
  Merkle-Hellman knapsack           subset sum problem (§3.10)
  Chor-Rivest knapsack              subset sum problem (§3.10)
  Goldwasser-Micali probabilistic   quadratic residuosity problem (§3.4)
  Blum-Goldwasser probabilistic     integer factorization problem (§3.2)
                                    Rabin problem (§3.9.3)

Table 8.1: Public-key encryption schemes discussed in this chapter, and the related computational
problems upon which their security is based.


8.1.1  Basic  principles 

Objectives  of  adversary 

The primary objective of an adversary who wishes to "attack" a public-key encryption
scheme is to systematically recover plaintext from ciphertext intended for some other entity
A. If this is achieved, the encryption scheme is informally said to have been broken. A more
ambitious objective is key recovery - to recover A's private key. If this is achieved, the
encryption scheme is informally said to have been completely broken since the adversary
then has the ability to decrypt all ciphertext sent to A.

Types  of  attacks 

Since  the  encryption  transformations  are  public  knowledge,  a passive  adversary  can  al- 
ways mount  a chosen-plaintext  attack  on  a public-key  encryption  scheme  (cf.  §1.13.1).  A 
stronger  attack  is  a chosen-ciphertext  attack  where  an  adversary  selects  ciphertext  of  its 
choice,  and  then  obtains  by  some  means  (from  the  victim  A)  the  corresponding  plaintext 
(cf.  §1.13.1).  Two  kinds  of  these  attacks  are  usually  distinguished. 

1. In an indifferent chosen-ciphertext attack, the adversary is provided with decryptions
of any ciphertexts of its choice, but these ciphertexts must be chosen prior to receiving
the (target) ciphertext c it actually wishes to decrypt.

2. In an adaptive chosen-ciphertext attack, the adversary may use (or have access to) A's
decryption machine (but not the private key itself) even after seeing the target
ciphertext c. The adversary may request decryptions of ciphertext which may be related to
both the target ciphertext, and to the decryptions obtained from previous queries; a
restriction is that it may not request the decryption of the target c itself.

Chosen-ciphertext  attacks  are  of  concern  if  the  environment  in  which  the  public-key  en- 
cryption scheme  is  to  be  used  is  subject  to  such  an  attack  being  mounted;  if  not,  the  exis- 
tence of  a chosen-ciphertext  attack  is  typically  viewed  as  a certificational  weakness  against 
a particular  scheme,  although  apparently  not  directly  exploitable. 

Distributing  public  keys 

The public-key encryption schemes described in this chapter assume that there is a means
for the sender of a message to obtain an authentic copy of the intended receiver's public
key. In the absence of such a means, the encryption scheme is susceptible to an
impersonation attack, as outlined in §1.8.2. There are many techniques in practice by which
authentic public keys can be distributed, including exchanging keys over a trusted channel,
using a trusted public file, using an on-line trusted server, and using an off-line server and
certificates. These and related methods are discussed in §13.4.

Message  blocking 

Some of the public-key encryption schemes described in this chapter assume that the
message to be encrypted is, at most, some fixed size (bitlength). Plaintext messages longer
than this maximum must be broken into blocks, each of the appropriate size. Specific
techniques for breaking up a message into blocks are not discussed in this book. The
component blocks can then be encrypted independently (cf. ECB mode in §7.2.2(i)). To
provide protection against manipulation (e.g., re-ordering) of the blocks, the Cipher Block
Chaining (CBC) mode may be used (cf. §7.2.2(ii) and Example 9.84). Since the CFB and
OFB modes (cf. §7.2.2(iii) and §7.2.2(iv)) employ only single-block encryption (and not
decryption) for both message encryption and decryption, they cannot be used with
public-key encryption schemes.


8.2  RSA  public-key  encryption 

The RSA cryptosystem, named after its inventors R. Rivest, A. Shamir, and L. Adleman, is
the most widely used public-key cryptosystem. It may be used to provide both secrecy and
digital signatures and its security is based on the intractability of the integer factorization
problem (§3.2). This section describes the RSA encryption scheme, its security, and some
implementation issues; the RSA signature scheme is covered in §11.3.1.


8.2.1  Description 

8.1  Algorithm  Key  generation  for  RSA  public-key  encryption 

SUMMARY:  each  entity  creates  an  RSA  public  key  and  a corresponding  private  key. 

Each  entity  A should  do  the  following: 

1. Generate two large random (and distinct) primes p and q, each roughly the same size.

2. Compute $n = pq$ and $\phi = (p-1)(q-1)$. (See Note 8.5.)

3. Select a random integer e, $1 < e < \phi$, such that $\gcd(e, \phi) = 1$.

4. Use the extended Euclidean algorithm (Algorithm 2.107) to compute the unique
integer d, $1 < d < \phi$, such that $ed \equiv 1 \pmod{\phi}$.

5. A's public key is $(n, e)$; A's private key is d.


8.2  Definition  The  integers  e and  d in  RSA  key  generation  are  called  the  encryption  exponent 
and  the  decryption  exponent,  respectively,  while  n is  called  the  modulus. 

8.3  Algorithm  RSA  public-key  encryption 

SUMMARY: B encrypts a message m for A, which A decrypts.

1. Encryption. B should do the following:

(a) Obtain A's authentic public key $(n, e)$.

(b) Represent the message as an integer m in the interval $[0, n-1]$.

(c) Compute $c = m^e \bmod n$ (e.g., using Algorithm 2.143).

(d) Send the ciphertext c to A.

2. Decryption. To recover plaintext m from c, A should do the following:

(a) Use the private key d to recover $m = c^d \bmod n$.


Proof that decryption works. Since $ed \equiv 1 \pmod{\phi}$, there exists an integer k such that
$ed = 1 + k\phi$. Now, if $\gcd(m, p) = 1$ then by Fermat's theorem (Fact 2.127),

$$m^{p-1} \equiv 1 \pmod p.$$

Raising both sides of this congruence to the power $k(q-1)$ and then multiplying both sides
by m yields

$$m^{1 + k(p-1)(q-1)} \equiv m \pmod p.$$

On the other hand, if $\gcd(m, p) = p$, then this last congruence is again valid since each side
is congruent to 0 modulo p. Hence, in all cases

$$m^{ed} \equiv m \pmod p.$$

By the same argument,

$$m^{ed} \equiv m \pmod q.$$

Finally, since p and q are distinct primes, it follows that

$$m^{ed} \equiv m \pmod n,$$

and, hence,

$$c^d \equiv (m^e)^d \equiv m \pmod n.$$

8.4 Example (RSA encryption with artificially small parameters)

Key generation. Entity A chooses the primes $p = 2357$, $q = 2551$, and computes
$n = pq = 6012707$ and $\phi = (p-1)(q-1) = 6007800$. A chooses $e = 3674911$ and, using the
extended Euclidean algorithm, finds $d = 422191$ such that $ed \equiv 1 \pmod{\phi}$. A's public
key is the pair $(n = 6012707,\ e = 3674911)$, while A's private key is $d = 422191$.

Encryption. To encrypt a message $m = 5234673$, B uses an algorithm for modular
exponentiation (e.g., Algorithm 2.143) to compute

$$c = m^e \bmod n = 5234673^{3674911} \bmod 6012707 = 3650502,$$

and sends this to A.

Decryption. To decrypt c, A computes

$$c^d \bmod n = 3650502^{422191} \bmod 6012707 = 5234673. \qquad \square$$

8.5 Note (universal exponent) The number $\lambda = \mathrm{lcm}(p-1, q-1)$, sometimes called the
universal exponent of n, may be used instead of $\phi = (p-1)(q-1)$ in RSA key generation
(Algorithm 8.1). Observe that $\lambda$ is a proper divisor of $\phi$. Using $\lambda$ can result in a
smaller decryption exponent d, which may result in faster decryption (cf. Note 8.9).
However, if p and q are chosen at random, then $\gcd(p-1, q-1)$ is expected to be small, and
consequently $\phi$ and $\lambda$ will be roughly of the same size.
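Algorithms 8.1 and 8.3 and the $\lambda$ variant of Note 8.5, run on the parameters of Example 8.4,
as an added example that is not code from the Handbook. It uses Python's built-in
`pow(e, -1, phi)` (Python 3.8 or later) for the extended-Euclidean inverse and `pow(m, e, n)`
for modular exponentiation; the toy primes are of course far too small for real use (Note 8.8).

```python
# Added example: RSA key generation, encryption and decryption (Algorithms 8.1, 8.3)
# with the universal-exponent option of Note 8.5, on the Example 8.4 parameters.
from math import gcd

def rsa_keygen(p: int, q: int, e: int, use_lambda: bool = False):
    """Return ((n, e), d). With use_lambda=True, d is the inverse of e modulo
    lambda = lcm(p-1, q-1) (Note 8.5) instead of modulo phi = (p-1)(q-1)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    lam = phi // gcd(p - 1, q - 1)           # lcm(p-1, q-1), a proper divisor of phi
    mod = lam if use_lambda else phi
    if not 1 < e < phi or gcd(e, mod) != 1:  # step 3 of Algorithm 8.1
        raise ValueError("e must satisfy 1 < e < phi and gcd(e, phi) = 1")
    d = pow(e, -1, mod)                      # step 4: extended Euclid, e*d = 1 (mod mod)
    return (n, e), d

def rsa_encrypt(pub, m: int) -> int:
    """Algorithm 8.3, encryption: m must be an integer in [0, n-1]."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n-1]")
    return pow(m, e, n)

def rsa_decrypt(n: int, d: int, c: int) -> int:
    """Algorithm 8.3, decryption."""
    return pow(c, d, n)

def example_8_4():
    """Reproduce Example 8.4: returns (public key, d, c, recovered m)."""
    pub, d = rsa_keygen(2357, 2551, 3674911)
    c = rsa_encrypt(pub, 5234673)
    return pub, d, c, rsa_decrypt(pub[0], d, c)
```

For these particular primes $\gcd(p-1, q-1) = 2$, so $\lambda = \phi/2 = 3003900$, and since the
$d = 422191$ of Example 8.4 is already below $\lambda$ the universal-exponent variant yields the
same d; Note 8.5 only promises a smaller d in general, not in every case.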


8.2.2  Security  of  RSA 

This  subsection  discusses  various  security  issues  related  to  RSA  encryption.  Various  attacks 
which  have  been  studied  in  the  literature  are  presented,  as  well  as  appropriate  measures  to 
counteract  these  threats. 

(i)  Relation  to  factoring 

The task faced by a passive adversary is that of recovering plaintext m from the
corresponding ciphertext c, given the public information $(n, e)$ of the intended receiver A.
This is called the RSA problem (RSAP), which was introduced in §3.3. There is no efficient
algorithm known for this problem.

One  possible  approach  which  an  adversary  could  employ  to  solving  the  RSA  problem 
is  to  first  factor  n,  and  then  compute  <p  and  d just  as  A did  in  Algorithm  8.1.  Once  d is 
obtained,  the  adversary  can  decrypt  any  ciphertext  intended  for  A. 

On the other hand, if an adversary could somehow compute d, then it could subsequently
factor n efficiently as follows. First note that since $ed \equiv 1 \pmod{\phi}$, there is an
integer k such that $ed - 1 = k\phi$. Hence, by Fact 2.126(i), $a^{ed-1} \equiv 1 \pmod n$ for all
$a \in \mathbb{Z}_n^*$. Let $ed - 1 = 2^s t$, where t is an odd integer. Then it can be shown that
there exists an $i \in [1, s]$ such that $a^{2^{i-1} t} \not\equiv \pm 1 \pmod n$ and
$a^{2^i t} \equiv 1 \pmod n$ for at least half of all $a \in \mathbb{Z}_n^*$; if a and i are such
integers then $\gcd(a^{2^{i-1} t} - 1, n)$ is a non-trivial factor of n. Thus the adversary
simply needs to repeatedly select random $a \in \mathbb{Z}_n^*$ and check if an $i \in [1, s]$
satisfying the above property exists; the expected number of trials before a non-trivial
factor of n is obtained is 2. This discussion establishes the following.

8.6 Fact The problem of computing the RSA decryption exponent d from the public key $(n, e)$,
and the problem of factoring n, are computationally equivalent.

When generating RSA keys, it is imperative that the primes p and q be selected in such a
way that factoring $n = pq$ is computationally infeasible; see Note 8.8 for more details.
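The reduction behind Fact 8.6 carried out on the Example 8.4 key, as an added example that
is not code from the Handbook. It writes $ed - 1 = 2^s t$, then for successive bases a walks
the sequence $a^t, a^{2t}, a^{4t}, \ldots$ looking for a non-trivial square root of 1 modulo n;
the bases are swept deterministically from 2 upward instead of being drawn at random, an
assumption made only so that the run is reproducible (each base still succeeds with
probability at least 1/2).

```python
# Added example: factor n = pq from (n, e) and the private exponent d (Fact 8.6).
from math import gcd

def factor_from_exponents(n: int, e: int, d: int, max_trials: int = 200):
    """Return (p, q) with p*q = n, or None if every trial base failed."""
    k = e * d - 1                         # a multiple of phi(n), so a^k = 1 mod n for a in Z_n^*
    s, t = 0, k
    while t % 2 == 0:                     # k = 2^s * t with t odd
        s, t = s + 1, t // 2
    for a in range(2, 2 + max_trials):    # deterministic sweep (random a in the text)
        g = gcd(a, n)
        if g != 1:                        # a not in Z_n^*: its gcd with n is already a factor
            return tuple(sorted((g, n // g)))
        x = pow(a, t, n)                  # x = a^t mod n
        if x in (1, n - 1):
            continue                      # this base only ever reaches 1 through +-1: useless
        for _ in range(s):
            y = pow(x, 2, n)              # y = a^(2^i t) mod n
            if y == 1:                    # x is a square root of 1 other than +-1
                p = gcd(x - 1, n)         # gcd(a^(2^(i-1) t) - 1, n) is a proper factor
                return tuple(sorted((p, n // p)))
            if y == n - 1:
                break                     # sequence passes through -1 before 1: useless
            x = y
    return None
```

Run on the Example 8.4 key this recovers $\{2357, 2551\}$ from $(n, e, d)$ alone, which is exactly
why a leaked d cannot be "rotated" by picking a new e for the same modulus: the modulus
itself is compromised (cf. the common modulus attack in (vi) below).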

(ii)  Small  encryption  exponent  e 

In order to improve the efficiency of encryption, it is desirable to select a small encryption
exponent e (see Note 8.9) such as $e = 3$. A group of entities may all have the same
encryption exponent e, however, each entity in the group must have its own distinct modulus
(cf. §8.2.2(vi)). If an entity A wishes to send the same message m to three entities whose
public moduli are $n_1, n_2, n_3$, and whose encryption exponents are $e = 3$, then A would send
$c_i = m^3 \bmod n_i$, for $i = 1, 2, 3$. Since these moduli are most likely pairwise relatively
prime, an eavesdropper observing $c_1, c_2, c_3$ can use Gauss's algorithm (Algorithm 2.121)
to find a solution x, $0 \le x < n_1 n_2 n_3$, to the three congruences

$$\begin{cases} x \equiv c_1 \pmod{n_1} \\ x \equiv c_2 \pmod{n_2} \\ x \equiv c_3 \pmod{n_3}. \end{cases}$$

Since $m^3 < n_1 n_2 n_3$, by the Chinese remainder theorem (Fact 2.120), it must be the case
that $x = m^3$. Hence, by computing the integer cube root of x, the eavesdropper can recover
the plaintext m.

Thus a small encryption exponent such as $e = 3$ should not be used if the same message,
or even the same message with known variations, is sent to many entities. Alternatively, to
prevent against such an attack, a pseudorandomly generated bitstring of appropriate length
(taking into account Coppersmith's attacks mentioned on pages 313-314) should be
appended to the plaintext message prior to encryption; the pseudorandom bitstring should
be independently generated for each encryption. This process is sometimes referred to as
salting the message.

Small encryption exponents are also a problem for small messages m, because if
$m < n^{1/e}$, then m can be recovered from the ciphertext $c = m^e \bmod n$ simply by computing
the integer eth root of c; salting plaintext messages also circumvents this problem.
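The three-recipient attack carried through, as an added example that is not code from the
Handbook: three toy RSA moduli are built from consecutive primes (an assumption chosen so
the run is reproducible; the primes are skipped when $\gcd(3, p-1) \ne 1$), the same m is
encrypted under $e = 3$ to each, and Gauss's algorithm followed by an integer cube root
recovers m. The `toy_keys`, `crt`, `iroot` and `hastad_attack` names are this example's own.

```python
# Added example: recovering m from c_i = m^3 mod n_i for three coprime moduli
# (the small-exponent attack of §8.2.2(ii)), with toy-sized keys.
from math import gcd, isqrt

def is_prime(n: int) -> bool:
    """Trial division; fine for the four-digit toy primes used here."""
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))

def next_prime_for_e(start: int, e: int) -> int:
    """Smallest prime p >= start with gcd(e, p-1) = 1, so that e is a valid exponent."""
    p = start
    while not (is_prime(p) and gcd(e, p - 1) == 1):
        p += 1
    return p

def toy_keys(e: int = 3, count: int = 3, start: int = 1000):
    """Build `count` distinct moduli n_i = p_i * q_i from consecutive primes (toy sizes)."""
    moduli, p = [], start
    while len(moduli) < count:
        p1 = next_prime_for_e(p, e)
        p2 = next_prime_for_e(p1 + 1, e)
        moduli.append(p1 * p2)
        p = p2 + 1                         # distinct primes => pairwise coprime moduli
    return moduli

def crt(residues, moduli) -> int:
    """Gauss's algorithm (Algorithm 2.121): x = sum(c_i * N_i * M_i) mod N,
    N = prod(n_i), N_i = N / n_i, M_i = N_i^-1 mod n_i."""
    N = 1
    for n in moduli:
        N *= n
    x = 0
    for c, n in zip(residues, moduli):
        Ni = N // n
        Mi = pow(Ni, -1, n)
        x = (x + c * Ni * Mi) % N
    return x

def iroot(x: int, k: int) -> int:
    """Largest integer r with r^k <= x (binary search, exact for big integers)."""
    lo, hi = 0, 1
    while hi ** k <= x:
        hi *= 2
    while lo < hi - 1:
        mid = (lo + hi) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid
    return lo

def hastad_attack(ciphertexts, moduli, e: int = 3) -> int:
    """Recover m given c_i = m^e mod n_i, pairwise coprime n_i and m^e < prod(n_i)."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    x = crt(ciphertexts, moduli)          # the integer m^e itself: no modular wrap-around
    m = iroot(x, e)
    if m ** e != x:
        raise ValueError("x is not a perfect e-th power; is m^e < prod(n_i)?")
    return m

def demo(m: int = 424242, e: int = 3):
    """The same m sent to three entities; returns (moduli, ciphertexts, recovered m)."""
    moduli = toy_keys(e)
    cts = [pow(m, e, n) for n in moduli]
    return moduli, cts, hastad_attack(cts, moduli, e)
```

Because m is below every $n_i$, $m^3 < n_1 n_2 n_3$ holds automatically, so the CRT solution is
the integer $m^3$ rather than a residue; the salting countermeasure in the text works precisely
by making the three plaintexts differ, so that no single integer satisfies all three congruences.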

(iii)  Forward  search  attack 

If  the  message  space  is  small  or  predictable,  an  adversary  can  decrypt  a ciphertext  c by  sim- 
ply encrypting  all  possible  plaintext  messages  until  c is  obtained.  Salting  the  message  as 
described  above  is  one  simple  method  of  preventing  such  an  attack. 

(iv)  Small  decryption  exponent  d 

As was the case with the encryption exponent e, it may seem desirable to select a small
decryption exponent d in order to improve the efficiency of decryption (footnote 1).
However, if $\gcd(p-1, q-1)$ is small, as is typically the case, and if d has up to
approximately one-quarter as many bits as the modulus n, then there is an efficient
algorithm (referenced on page 313) for computing d from the public information $(n, e)$.
This algorithm cannot be extended to the case where d is approximately the same size as n.
Hence, to avoid this attack, the decryption exponent d should be roughly the same size as n.

(v)  Multiplicative  properties 

Let $m_1$ and $m_2$ be two plaintext messages, and let $c_1$ and $c_2$ be their respective RSA
encryptions. Observe that

$$(m_1 m_2)^e \equiv m_1^e m_2^e \equiv c_1 c_2 \pmod n.$$

Footnote 1. In this case, one would select d first and then compute e in Algorithm 8.1, rather than vice-versa.

In other words, the ciphertext corresponding to the plaintext $m = m_1 m_2 \bmod n$ is
$c = c_1 c_2 \bmod n$; this is sometimes referred to as the homomorphic property of RSA. This
servation leads  to  the  following  adaptive  chosen-ciphertext  attack  on  RSA  encryption. 

Suppose that an active adversary wishes to decrypt a particular ciphertext $c = m^e \bmod n$
intended for A. Suppose also that A will decrypt arbitrary ciphertext for the adversary,
other than c itself. The adversary can conceal c by selecting a random integer
$x \in \mathbb{Z}_n^*$ and computing $\bar{c} = c x^e \bmod n$. Upon presentation of $\bar{c}$, A will
compute for the adversary $\bar{m} = (\bar{c})^d \bmod n$. Since

$$\bar{m} \equiv (\bar{c})^d \equiv c^d (x^e)^d \equiv m x \pmod n,$$

the adversary can then compute $m = \bar{m} x^{-1} \bmod n$.

This adaptive chosen-ciphertext attack should be circumvented in practice by imposing
some structural constraints on plaintext messages. If a ciphertext c is decrypted to a
message not possessing this structure, then c is rejected by the decryptor as being
fraudulent. Now, if a plaintext message m has this (carefully chosen) structure, then with
high probability $mx \bmod n$ will not for $x \in \mathbb{Z}_n^*$. Thus the adaptive
chosen-ciphertext attack described in the previous paragraph will fail because A will not
decrypt $\bar{c}$ for the adversary. Note 8.63 provides a powerful technique for guarding
against adaptive chosen-ciphertext and other kinds of attacks.

(vi) Common modulus attack

The following discussion demonstrates why it is imperative for each entity to choose its own RSA modulus n.

It is sometimes suggested that a central trusted authority should select a single RSA modulus n, and then distribute a distinct encryption/decryption exponent pair (e_i, d_i) to each entity in a network. However, as shown in (i) above, knowledge of any (e_i, d_i) pair allows for the factorization of the modulus n, and hence any entity could subsequently determine the decryption exponents of all other entities in the network. Also, if a single message were encrypted and sent to two or more entities in the network, then there is a technique by which an eavesdropper (any entity not in the network) could recover the message with high probability using only publicly available information.

(vii) Cycling attacks

Let c = m^e mod n be a ciphertext. Let k be a positive integer such that c^{e^k} ≡ c (mod n); since encryption is a permutation on the message space {0, 1, ..., n − 1}, such an integer k must exist. For the same reason it must be the case that c^{e^{k−1}} ≡ m (mod n). This observation leads to the following cycling attack on RSA encryption. An adversary computes c^e mod n, c^{e^2} mod n, c^{e^3} mod n, ... until c is obtained for the first time. If c^{e^k} mod n = c, then the previous number in the cycle, namely c^{e^{k−1}} mod n, is equal to the plaintext m.

A generalized cycling attack is to find the smallest positive integer u such that f = gcd(c^{e^u} − c, n) > 1. If

c^{e^u} ≡ c (mod p) and c^{e^u} ≢ c (mod q), (8.1)

then f = p. Similarly, if

c^{e^u} ≢ c (mod p) and c^{e^u} ≡ c (mod q), (8.2)

then f = q. In either case, n has been factored, and the adversary can recover d and then m. On the other hand, if both

c^{e^u} ≡ c (mod p) and c^{e^u} ≡ c (mod q), (8.3)

then f = n and c^{e^u} ≡ c (mod n). In fact, u must be the smallest positive integer k for which c^{e^k} ≡ c (mod n). In this case, the basic cycling attack has succeeded and so m = c^{e^{u−1}} mod n can be computed efficiently. Since (8.3) is expected to occur much less frequently than (8.1) or (8.2), the generalized cycling attack usually terminates before the cycling attack does. For this reason, the generalized cycling attack can be viewed as being essentially an algorithm for factoring n.

Since factoring n is assumed to be intractable, these cycling attacks do not pose a threat to the security of RSA encryption.

(viii) Message concealing

A plaintext message m, 0 ≤ m ≤ n − 1, in the RSA public-key encryption scheme is said to be unconcealed if it encrypts to itself; that is, m^e ≡ m (mod n). There are always some messages which are unconcealed (for example m = 0, m = 1, and m = n − 1). In fact, the number of unconcealed messages is exactly

[1 + gcd(e − 1, p − 1)] · [1 + gcd(e − 1, q − 1)].

Since e − 1, p − 1 and q − 1 are all even, the number of unconcealed messages is always at least 9. If p and q are random primes, and if e is chosen at random (or if e is chosen to be a small number such as e = 3 or e = 2^16 + 1 = 65537), then the proportion of messages which are unconcealed by RSA encryption will, in general, be negligibly small, and hence unconcealed messages do not pose a threat to the security of RSA encryption in practice.
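The two statements above that can be checked mechanically, the homomorphic identity of (v) and the exact count of unconcealed messages of (viii), worked through on RSA with artificially small parameters. This is an added example, not code from the Handbook; the primes, exponents and function names are constructed for illustration.

```python
# RSA with artificially small parameters, used to check two statements of §8.2.2:
# the multiplicative (homomorphic) property of (v) and the exact count of unconcealed
# messages of (viii). Added example, not the Handbook's code; the primes and exponents
# used below are constructed for illustration only.
from math import gcd


def rsa_keygen(p, q, e):
    """(n, e, d) for the given primes and encryption exponent (Algorithm 8.1 in miniature)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(n)")
    return p * q, e, pow(e, -1, phi)


def homomorphic_property(m1, m2, n, e, d):
    """True when c1*c2 mod n is the encryption of m1*m2 mod n and decrypts to it,
    i.e. (m1 m2)^e ≡ m1^e m2^e ≡ c1 c2 (mod n)."""
    c1, c2 = pow(m1, e, n), pow(m2, e, n)
    c_product = c1 * c2 % n
    return (c_product == pow(m1 * m2 % n, e, n)
            and pow(c_product, d, n) == m1 * m2 % n)


def unconcealed_count_formula(p, q, e):
    """[1 + gcd(e-1, p-1)] * [1 + gcd(e-1, q-1)], the count stated in (viii)."""
    return (1 + gcd(e - 1, p - 1)) * (1 + gcd(e - 1, q - 1))


def unconcealed_count_bruteforce(p, q, e):
    """Count m in {0, ..., n-1} with m^e ≡ m (mod n) by enumeration (small n only)."""
    n = p * q
    return sum(1 for m in range(n) if pow(m, e, n) == m)


if __name__ == "__main__":
    # (11, 17, 3) hits the minimum of 9; the others show how gcd(e-1, p-1) inflates the count
    for p, q, e in ((11, 17, 3), (11, 13, 7), (13, 17, 5)):
        n, _, d = rsa_keygen(p, q, e)
        print(p, q, e, unconcealed_count_formula(p, q, e),
              unconcealed_count_bruteforce(p, q, e), homomorphic_property(42, 99, n, e, d))
```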


8.2.3 RSA encryption in practice

There are numerous ways of speeding up RSA encryption and decryption in software and hardware implementations. Some of these techniques are covered in Chapter 14, including fast modular multiplication (§14.3), fast modular exponentiation (§14.6), and the use of the Chinese remainder theorem for faster decryption (Note 14.75). Even with these improvements, RSA encryption/decryption is substantially slower than the commonly used symmetric-key encryption algorithms such as DES (Chapter 7). In practice, RSA encryption is most commonly used for the transport of symmetric-key encryption algorithm keys and for the encryption of small data items.

The RSA cryptosystem has been patented in the U.S. and Canada. Several standards organizations have written, or are in the process of writing, standards that address the use of the RSA cryptosystem for encryption, digital signatures, and key establishment. For discussion of patent and standards issues related to RSA, see Chapter 15.

8.7 Note (recommended size of modulus) Given the latest progress in algorithms for factoring integers (§3.2), a 512-bit modulus n provides only marginal security from concerted attack. As of 1996, in order to foil the powerful quadratic sieve (§3.2.6) and number field sieve (§3.2.7) factoring algorithms, a modulus n of at least 768 bits is recommended. For long-term security, 1024-bit or larger moduli should be used.

8.8 Note (selecting primes)

(i) As mentioned in §8.2.2(i), the primes p and q should be selected so that factoring n = pq is computationally infeasible. The major restriction on p and q in order to avoid the elliptic curve factoring algorithm (§3.2.4) is that p and q should be about the same bitlength, and sufficiently large. For example, if a 1024-bit modulus n is to be used, then each of p and q should be about 512 bits in length.

(ii) Another restriction on the primes p and q is that the difference p − q should not be too small. If p − q is small, then p ≈ q and hence p ≈ √n. Thus, n could be factored efficiently simply by trial division by all odd integers close to √n. If p and q are chosen at random, then p − q will be appropriately large with overwhelming probability.

(iii) In addition to these restrictions, many authors have recommended that p and q be strong primes. A prime p is said to be a strong prime (cf. Definition 4.52) if the following three conditions are satisfied:

(a) p − 1 has a large prime factor, denoted r;

(b) p + 1 has a large prime factor; and

(c) r − 1 has a large prime factor.

An algorithm for generating strong primes is presented in §4.4.2. The reason for condition (a) is to foil Pollard's p − 1 factoring algorithm (§3.2.3) which is efficient only if n has a prime factor p such that p − 1 is smooth. Condition (b) foils the p + 1 factoring algorithm mentioned on page 125 in §3.12, which is efficient only if n has a prime factor p such that p + 1 is smooth. Finally, condition (c) ensures that the cycling attacks described in §8.2.2(vii) will fail.

If the prime p is randomly chosen and is sufficiently large, then both p − 1 and p + 1 can be expected to have large prime factors. In any case, while strong primes protect against the p − 1 and p + 1 factoring algorithms, they do not protect against their generalization, the elliptic curve factoring algorithm (§3.2.4). The latter is successful in factoring n if a randomly chosen number of the same size as p (more precisely, this number is the order of a randomly selected elliptic curve defined over Z_p) has only small prime factors. Additionally, it has been shown that the chances of a cycling attack succeeding are negligible if p and q are randomly chosen (cf. §8.2.2(vii)). Thus, strong primes offer little protection beyond that offered by random primes. Given the current state of knowledge of factoring algorithms, there is no compelling reason for requiring the use of strong primes in RSA key generation. On the other hand, they are no less secure than random primes, and require only minimal additional running time to compute; thus there is little real additional cost in using them.

8.9 Note (small encryption exponents)

(i) If the encryption exponent e is chosen at random, then RSA encryption using the repeated square-and-multiply algorithm (Algorithm 2.143) takes k modular squarings and an expected k/2 (less with optimizations) modular multiplications, where k is the bitlength of the modulus n. Encryption can be sped up by selecting e to be small and/or by selecting e with a small number of 1's in its binary representation.

(ii) The encryption exponent e = 3 is commonly used in practice; in this case, it is necessary that neither p − 1 nor q − 1 be divisible by 3. This results in a very fast encryption operation since encryption only requires 1 modular multiplication and 1 modular squaring. Another encryption exponent used in practice is e = 2^16 + 1 = 65537. This number has only two 1's in its binary representation, and so encryption using the repeated square-and-multiply algorithm requires only 16 modular squarings and 1 modular multiplication. The encryption exponent e = 2^16 + 1 has the advantage over e = 3 in that it resists the kind of attack discussed in §8.2.2(ii), since it is unlikely the same message will be sent to 2^16 + 1 recipients. But see also Coppersmith's attacks mentioned on pages 313-314.
8.3 Rabin public-key encryption

A desirable property of any encryption scheme is a proof that breaking it is as difficult as solving a computational problem that is widely believed to be difficult, such as integer factorization or the discrete logarithm problem. While it is widely believed that breaking the RSA encryption scheme is as difficult as factoring the modulus n, no such equivalence has been proven. The Rabin public-key encryption scheme was the first example of a provably secure public-key encryption scheme: the problem faced by a passive adversary of recovering plaintext from some given ciphertext is computationally equivalent to factoring.


8.10 Algorithm Key generation for Rabin public-key encryption

SUMMARY: each entity creates a public key and a corresponding private key.

Each entity A should do the following:

1. Generate two large random (and distinct) primes p and q, each roughly the same size.

2. Compute n = pq.

3. A's public key is n; A's private key is (p, q).


8.11 Algorithm Rabin public-key encryption

SUMMARY: B encrypts a message m for A, which A decrypts.

1. Encryption. B should do the following:

(a) Obtain A's authentic public key n.

(b) Represent the message as an integer m in the range {0, 1, ..., n − 1}.

(c) Compute c = m^2 mod n.

(d) Send the ciphertext c to A.

2. Decryption. To recover plaintext m from c, A should do the following:

(a) Use Algorithm 3.44 to find the four square roots m1, m2, m3, and m4 of c modulo n.² (See also Note 8.12.)

(b) The message sent was either m1, m2, m3, or m4. A somehow (cf. Note 8.14) decides which of these is m.


8.12 Note (finding square roots of c modulo n = pq when p ≡ q ≡ 3 (mod 4)) If p and q are both chosen to be ≡ 3 (mod 4), then Algorithm 3.44 for computing the four square roots of c modulo n simplifies as follows:

1. Use the extended Euclidean algorithm (Algorithm 2.107) to find integers a and b satisfying ap + bq = 1. Note that a and b can be computed once and for all during the key generation stage (Algorithm 8.10).

2. Compute r = c^{(p+1)/4} mod p.

3. Compute s = c^{(q+1)/4} mod q.

4. Compute x = (aps + bqr) mod n.

5. Compute y = (aps − bqr) mod n.

6. The four square roots of c modulo n are x, −x mod n, y, and −y mod n.

² In the very unlikely case that gcd(m, n) ≠ 1, the ciphertext c does not have four distinct square roots modulo n, but rather only one or two.
8.13 Note (security of Rabin public-key encryption)

(i) The task faced by a passive adversary is to recover plaintext m from the corresponding ciphertext c. This is precisely the SQROOT problem of §3.5.2. Recall (Fact 3.46) that the problems of factoring n and computing square roots modulo n are computationally equivalent. Hence, assuming that factoring n is computationally intractable, the Rabin public-key encryption scheme is provably secure against a passive adversary.

(ii) While provably secure against a passive adversary, the Rabin public-key encryption scheme succumbs to a chosen-ciphertext attack (but see Note 8.14(ii)). Such an attack can be mounted as follows. The adversary selects a random integer m ∈ Z_n^* and computes c = m^2 mod n. The adversary then presents c to A's decryption machine, which decrypts c and returns some plaintext y. Since A does not know m, and m is randomly chosen, the plaintext y is not necessarily the same as m. With probability 1/2, y ≢ ±m (mod n), in which case gcd(m − y, n) is one of the prime factors of n. If y ≡ ±m (mod n), then the attack is repeated with a new m.³

(iii) The Rabin public-key encryption scheme is susceptible to attacks similar to those on RSA described in §8.2.2(ii), §8.2.2(iii), and §8.2.2(v). As is the case with RSA, attacks (ii) and (iii) can be circumvented by salting the plaintext message, while attack (v) can be avoided by adding appropriate redundancy prior to encryption.

8.14 Note (use of redundancy)

(i) A drawback of Rabin's public-key scheme is that the receiver is faced with the task of selecting the correct plaintext from among four possibilities. This ambiguity in decryption can easily be overcome in practice by adding prespecified redundancy to the original plaintext prior to encryption. (For example, the last 64 bits of the message may be replicated.) Then, with high probability, exactly one of the four square roots m1, m2, m3, m4 of a legitimate ciphertext c will possess this redundancy, and the receiver will select this as the intended plaintext. If none of the square roots of c possesses this redundancy, then the receiver should reject c as fraudulent.

(ii) If redundancy is used as above, Rabin's scheme is no longer susceptible to the chosen-ciphertext attack of Note 8.13(ii). If an adversary selects a message m having the required redundancy and gives c = m^2 mod n to A's decryption machine, with very high probability the machine will return the plaintext m itself to the adversary (since the other three square roots of c will most likely not contain the required redundancy), providing no new information. On the other hand, if the adversary selects a message m which does not contain the required redundancy, then with high probability none of the four square roots of c = m^2 mod n will possess the required redundancy. In this case, the decryption machine will fail to decrypt c and thus will not provide a response to the adversary. Note that the proof of equivalence of breaking the modified scheme by a passive adversary to factoring is no longer valid. However, if the natural assumption is made that Rabin decryption is composed of two processes, the first which finds the four square roots of c mod n, and the second which selects the distinguished square root as the plaintext, then the proof of equivalence holds. Hence, Rabin public-key encryption, suitably modified by adding redundancy, is of great practical interest.

³ This chosen-ciphertext attack is an execution of the constructive proof of the equivalence of factoring n and the SQROOT problem (Fact 3.46), where A's decryption machine is used instead of the hypothetical polynomial-time algorithm for solving the SQROOT problem in the proof.
8.15 Example (Rabin public-key encryption with artificially small parameters)

Key generation. Entity A chooses the primes p = 277, q = 331, and computes n = pq = 91687. A's public key is n = 91687, while A's private key is (p = 277, q = 331).

Encryption. Suppose that the last six bits of original messages are required to be replicated prior to encryption (cf. Note 8.14(i)). In order to encrypt the 10-bit message m = 1001111001, B replicates the last six bits of m to obtain the 16-bit message m = 1001111001111001, which in decimal notation is m = 40569. B then computes

c = m^2 mod n = 40569^2 mod 91687 = 62111

and sends this to A.

Decryption. To decrypt c, A uses Algorithm 3.44 and her knowledge of the factors of n to compute the four square roots of c mod n:

m1 = 69654, m2 = 22033, m3 = 40569, m4 = 51118,

which in binary are

m1 = 10001000000010110, m2 = 101011000010001,

m3 = 1001111001111001, m4 = 1100011110101110.

Since only m3 has the required redundancy, A decrypts c to m3 and recovers the original message m = 1001111001. □
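Rabin decryption with the redundancy check of Note 8.14, run on the parameters of Example 8.15, including the rejection of a ciphertext whose plaintext lacks the redundancy (Note 8.14(ii)). This is an added example, not code from the Handbook: the square-root routine uses the (p+1)/4 shortcut of Note 8.12 when the prime is ≡ 3 (mod 4) and Tonelli-Shanks otherwise (needed here because 277 ≡ 1 (mod 4)), the CRT coefficients are obtained from modular inverses rather than the extended Euclidean algorithm, and the function names are this example's own.

```python
# Rabin decryption with the redundancy check of Note 8.14, on the parameters of
# Example 8.15. Added example, not the Handbook's code. Assumes p and q are distinct
# odd primes and gcd(c, n) = 1 (the footnote case with fewer than four roots is not
# handled specially).


def sqrt_mod_prime(a, p):
    """One square root of a modulo an odd prime p, or None if a is a non-residue.
    Uses the (p+1)/4 shortcut of Note 8.12 when p ≡ 3 (mod 4); otherwise Tonelli-Shanks,
    which Example 8.15 needs because 277 ≡ 1 (mod 4)."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:          # Euler's criterion: no square root exists
        return None
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    q, s = p - 1, 0                            # write p - 1 = q * 2^s with q odd
    while q % 2 == 0:
        q //= 2
        s += 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:    # any quadratic non-residue z will do
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:                         # least i with t^(2^i) = 1
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def rabin_roots(c, p, q):
    """The four square roots of c modulo n = pq (Algorithm 3.44 via the CRT), sorted."""
    n = p * q
    r, s = sqrt_mod_prime(c, p), sqrt_mod_prime(c, q)
    if r is None or s is None:
        return []
    # a*p + b*q ≡ 1 (mod n), so x = a*p*s + b*q*r is ≡ r (mod p) and ≡ s (mod q)
    a, b = pow(p, -1, q), pow(q, -1, p)
    x = (a * p * s + b * q * r) % n
    y = (a * p * s - b * q * r) % n
    return sorted({x, (-x) % n, y, (-y) % n})


REDUNDANCY_BITS = 6    # Example 8.15 replicates the last six bits of the message


def has_redundancy(m, bits=REDUNDANCY_BITS):
    """True if the low `bits` bits of m repeat the `bits` bits directly above them."""
    mask = (1 << bits) - 1
    return (m & mask) == ((m >> bits) & mask)


def rabin_encrypt(msg, n, bits=REDUNDANCY_BITS):
    """Append a copy of the last `bits` bits (Note 8.14(i)), then square modulo n.
    Returns (padded plaintext, ciphertext)."""
    padded = (msg << bits) | (msg & ((1 << bits) - 1))
    if padded >= n:
        raise ValueError("padded message does not fit below n")
    return padded, pow(padded, 2, n)


def rabin_decrypt(c, p, q, bits=REDUNDANCY_BITS):
    """Return the message whose root carries the redundancy (replicated bits stripped),
    or None when no root, or more than one, does: the ciphertext is rejected (Note 8.14)."""
    good = [m for m in rabin_roots(c, p, q) if has_redundancy(m, bits)]
    if len(good) != 1:
        return None
    return good[0] >> bits


if __name__ == "__main__":
    p, q = 277, 331                            # Example 8.15
    n = p * q
    padded, c = rabin_encrypt(0b1001111001, n)
    print(padded, c)                           # 40569 62111
    print(rabin_roots(c, p, q))                # [22033, 40569, 51118, 69654]
    print(bin(rabin_decrypt(c, p, q)))         # 0b1001111001
    # a ciphertext whose plaintext lacks the redundancy is rejected (Note 8.14(ii));
    # 12345 is a constructed plaintext with no replicated low bits
    print(rabin_decrypt(pow(12345, 2, n), p, q))   # None
```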

8.16 Note (efficiency) Rabin encryption is an extremely fast operation as it only involves a single modular squaring. By comparison, RSA encryption with e = 3 takes one modular multiplication and one modular squaring. Rabin decryption is slower than encryption, but comparable in speed to RSA decryption.


8.4 ElGamal public-key encryption

The ElGamal public-key encryption scheme can be viewed as Diffie-Hellman key agreement (§12.6.1) in key transfer mode (cf. Note 8.23(i)). Its security is based on the intractability of the discrete logarithm problem (see §3.6) and the Diffie-Hellman problem (§3.7). The basic ElGamal and generalized ElGamal encryption schemes are described in this section.


8.4.1 Basic ElGamal encryption

8.17 Algorithm Key generation for ElGamal public-key encryption

SUMMARY: each entity creates a public key and a corresponding private key.

Each entity A should do the following:

1. Generate a large random prime p and a generator α of the multiplicative group Z_p^* of the integers modulo p (using Algorithm 4.84).

2. Select a random integer a, 1 ≤ a ≤ p − 2, and compute α^a mod p (using Algorithm 2.143).

3. A's public key is (p, α, α^a); A's private key is a.
8.18 Algorithm ElGamal public-key encryption

SUMMARY: B encrypts a message m for A, which A decrypts.

1. Encryption. B should do the following:

(a) Obtain A's authentic public key (p, α, α^a).

(b) Represent the message as an integer m in the range {0, 1, ..., p − 1}.

(c) Select a random integer k, 1 ≤ k ≤ p − 2.

(d) Compute γ = α^k mod p and δ = m · (α^a)^k mod p.

(e) Send the ciphertext c = (γ, δ) to A.

2. Decryption. To recover plaintext m from c, A should do the following:

(a) Use the private key a to compute γ^{p−1−a} mod p (note: γ^{p−1−a} = γ^{−a} = α^{−ak}).

(b) Recover m by computing (γ^{−a}) · δ mod p.

Proof that decryption works. The decryption of Algorithm 8.18 allows recovery of original plaintext because

γ^{−a} · δ ≡ α^{−ak} m α^{ak} ≡ m (mod p).

8.19 Example (ElGamal encryption with artificially small parameters)

Key generation. Entity A selects the prime p = 2357 and a generator α = 2 of Z_2357^*. A chooses the private key a = 1751 and computes

α^a mod p = 2^1751 mod 2357 = 1185.

A's public key is (p = 2357, α = 2, α^a = 1185).

Encryption. To encrypt a message m = 2035, B selects a random integer k = 1520 and computes

γ = 2^1520 mod 2357 = 1430

and

δ = 2035 · 1185^1520 mod 2357 = 697.

B sends γ = 1430 and δ = 697 to A.

Decryption. To decrypt, A computes

γ^{p−1−a} = 1430^605 mod 2357 = 872,

and recovers m by computing

m = 872 · 697 mod 2357 = 2035. □

8.20 Note (common system-wide parameters) All entities may elect to use the same prime p and generator α, in which case p and α need not be published as part of the public key. This results in public keys of smaller sizes. An additional advantage of having a fixed base α is that exponentiation can then be expedited via precomputations using the techniques described in §14.6.3. A potential disadvantage of common system-wide parameters is that larger moduli p may be warranted (cf. Note 8.24).
8.21 Note (efficiency of ElGamal encryption)

(i) The encryption process requires two modular exponentiations, namely α^k mod p and (α^a)^k mod p. These exponentiations can be sped up by selecting random exponents k having some additional structure, for example, having low Hamming weights. Care must be taken that the possible number of exponents is large enough to preclude a search via a baby-step giant-step algorithm (cf. Note 3.59).

(ii) A disadvantage of ElGamal encryption is that there is message expansion by a factor of 2. That is, the ciphertext is twice as long as the corresponding plaintext.

8.22 Remark (randomized encryption) ElGamal encryption is one of many encryption schemes which utilizes randomization in the encryption process. Others include McEliece encryption (§8.5), and Goldwasser-Micali (§8.7.1), and Blum-Goldwasser (§8.7.2) probabilistic encryption. Deterministic encryption schemes such as RSA may also employ randomization in order to circumvent some attacks (e.g., see §8.2.2(ii) and §8.2.2(iii)). The fundamental idea behind randomized encryption (see Definition 7.3) techniques is to use randomization to increase the cryptographic security of an encryption process through one or more of the following methods:

(i) increasing the effective size of the plaintext message space;

(ii) precluding or decreasing the effectiveness of chosen-plaintext attacks by virtue of a one-to-many mapping of plaintext to ciphertext; and

(iii) precluding or decreasing the effectiveness of statistical attacks by leveling the a priori probability distribution of inputs.

8.23 Note (security of ElGamal encryption)

(i) The problem of breaking the ElGamal encryption scheme, i.e., recovering m given p, α, α^a, γ, and δ, is equivalent to solving the Diffie-Hellman problem (see §3.7). In fact, the ElGamal encryption scheme can be viewed as simply comprising a Diffie-Hellman key exchange to determine a session key α^{ak}, and then encrypting the message by multiplication with that session key. For this reason, the security of the ElGamal encryption scheme is said to be based on the discrete logarithm problem in Z_p^*, although such an equivalence has not been proven.

(ii) It is critical that different random integers k be used to encrypt different messages. Suppose the same k is used to encrypt two messages m1 and m2 and the resulting ciphertext pairs are (γ1, δ1) and (γ2, δ2). Then δ1/δ2 = m1/m2, and m2 could be easily computed if m1 were known.
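Algorithms 8.17 and 8.18 checked against the values of Example 8.19, together with the relation δ1/δ2 = m1/m2 of Note 8.23(ii) that makes a repeated k fatal: two ciphertexts sharing the same γ are the observable symptom. This is an added example, not code from the Handbook; the function names and the use of the `secrets` module for fresh exponents are this example's own choices.

```python
# ElGamal over Z_p^* (Algorithms 8.17/8.18) checked against Example 8.19, plus the
# consequence of reusing k stated in Note 8.23(ii). Added example, not the Handbook's
# code; the function names and the choice of the secrets module are this example's own.
import secrets


def elgamal_keygen(p, alpha, a=None):
    """Return (public key (p, alpha, alpha^a), private key a).
    If a is not supplied it is drawn uniformly from {1, ..., p-2}."""
    if a is None:
        a = 1 + secrets.randbelow(p - 2)
    return (p, alpha, pow(alpha, a, p)), a


def elgamal_encrypt(m, pub, k=None):
    """Ciphertext (gamma, delta) = (alpha^k mod p, m * (alpha^a)^k mod p).
    k must be fresh for every message; it is drawn from {1, ..., p-2} unless given."""
    p, alpha, alpha_a = pub
    if not 0 <= m <= p - 1:
        raise ValueError("message must be an integer in {0, ..., p-1}")
    if k is None:
        k = 1 + secrets.randbelow(p - 2)
    return pow(alpha, k, p), m * pow(alpha_a, k, p) % p


def elgamal_decrypt(c, p, a):
    """m = gamma^(p-1-a) * delta mod p, since gamma^(p-1-a) = gamma^(-a) = alpha^(-ak)."""
    gamma, delta = c
    return pow(gamma, p - 1 - a, p) * delta % p


def repeated_gamma(c1, c2):
    """Two ciphertexts with the same gamma were produced with the same k (Note 8.23(ii))."""
    return c1[0] == c2[0]


def related_plaintext(c1, c2, m1, p):
    """Note 8.23(ii) made concrete: with a shared k, delta1/delta2 = m1/m2, so m2 follows
    from m1 and the two ciphertexts alone. Returns None when gamma differs or m1 = 0."""
    (g1, d1), (g2, d2) = c1, c2
    if g1 != g2 or m1 % p == 0:
        return None
    return m1 * d2 * pow(d1, -1, p) % p


if __name__ == "__main__":
    pub, a = elgamal_keygen(2357, 2, 1751)          # Example 8.19
    print(pub)                                      # (2357, 2, 1185)
    c = elgamal_encrypt(2035, pub, 1520)
    print(c)                                        # (1430, 697)
    print(elgamal_decrypt(c, 2357, a))              # 2035
    c_other = elgamal_encrypt(1234, pub, 1520)      # same k: a constructed misuse
    print(repeated_gamma(c, c_other), related_plaintext(c, c_other, 2035, 2357))  # True 1234
```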

8.24 Note (recommended parameter sizes) Given the latest progress on the discrete logarithm problem in Z_p^* (§3.6), a 512-bit modulus p provides only marginal security from concerted attack. As of 1996, a modulus p of at least 768 bits is recommended. For long-term security, 1024-bit or larger moduli should be used. For common system-wide parameters (cf. Note 8.20) even larger key sizes may be warranted. This is because the dominant stage in the index-calculus algorithm (§3.6.5) for discrete logarithms in Z_p^* is the precomputation of a database of factor base logarithms, following which individual logarithms can be computed relatively quickly. Thus computing the database of logarithms for one particular modulus p will compromise the secrecy of all private keys derived using p.
8.4.2 Generalized ElGamal encryption

The ElGamal encryption scheme is typically described in the setting of the multiplicative group Z_p^*, but can be easily generalized to work in any finite cyclic group G.

As with ElGamal encryption, the security of the generalized ElGamal encryption scheme is based on the intractability of the discrete logarithm problem in the group G. The group G should be carefully chosen to satisfy the following two conditions:

1. for efficiency, the group operation in G should be relatively easy to apply; and

2. for security, the discrete logarithm problem in G should be computationally infeasible.

The following is a list of groups that appear to meet these two criteria, of which the first three have received the most attention.

1. The multiplicative group Z_p^* of the integers modulo a prime p.

2. The multiplicative group F_{2^m}^* of the finite field F_{2^m} of characteristic two.

3. The group of points on an elliptic curve over a finite field.

4. The multiplicative group F_q^* of the finite field F_q, where q = p^m, p a prime.

5. The group of units Z_n^*, where n is a composite integer.

6. The jacobian of a hyperelliptic curve defined over a finite field.

7. The class group of an imaginary quadratic number field.


8.25 Algorithm Key generation for generalized ElGamal public-key encryption

SUMMARY: each entity creates a public key and a corresponding private key.

Each entity A should do the following:

1. Select an appropriate cyclic group G of order n, with generator α. (It is assumed here that G is written multiplicatively.)

2. Select a random integer a, 1 ≤ a ≤ n − 1, and compute the group element α^a.

3. A's public key is (α, α^a), together with a description of how to multiply elements in G; A's private key is a.


8.26 Algorithm Generalized ElGamal public-key encryption

SUMMARY: B encrypts a message m for A, which A decrypts.

1. Encryption. B should do the following:

(a) Obtain A's authentic public key (α, α^a).

(b) Represent the message as an element m of the group G.

(c) Select a random integer k, 1 ≤ k ≤ n − 1.

(d) Compute γ = α^k and δ = m · (α^a)^k.

(e) Send the ciphertext c = (γ, δ) to A.

2. Decryption. To recover plaintext m from c, A should do the following:

(a) Use the private key a to compute γ^a and then compute γ^{−a}.

(b) Recover m by computing (γ^{−a}) · δ.

8.27 Note (common system-wide parameters) All entities may elect to use the same cyclic group G and generator α, in which case α and the description of multiplication in G need not be published as part of the public key (cf. Note 8.20).
8.28 Example (ElGamal encryption using the multiplicative group of F_{2^m}, with artificially small parameters)

Key generation. Entity A selects the group G to be the multiplicative group of the finite field F_{2^4}, whose elements are represented by the polynomials over F_2 of degree less than 4, and where multiplication is performed modulo the irreducible polynomial f(x) = x^4 + x + 1 (cf. Example 2.231). For convenience, a field element a3 x^3 + a2 x^2 + a1 x + a0 is represented by the binary string (a3 a2 a1 a0). The group G has order n = 15 and a generator is α = (0010).

A chooses the private key a = 7 and computes α^a = α^7 = (1011). A's public key is α^a = (1011) (together with α = (0010) and the polynomial f(x) which defines the multiplication in G, if these parameters are not common to all entities).

Encryption. To encrypt a message m = (1100), B selects a random integer k = 11 and computes γ = α^11 = (1110), (α^a)^11 = (0100), and δ = m · (α^a)^11 = (0101). B sends γ = (1110) and δ = (0101) to A.

Decryption. To decrypt, A computes γ^a = (0100), (γ^a)^{−1} = (1101) and finally recovers m by computing m = (γ^{−a}) · δ = (1100). □


8.5 McEliece public-key encryption

The McEliece public-key encryption scheme is based on error-correcting codes. The idea behind this scheme is to first select a particular code for which an efficient decoding algorithm is known, and then to disguise the code as a general linear code (see Note 12.36). Since the problem of decoding an arbitrary linear code is NP-hard (Definition 2.73), a description of the original code can serve as the private key, while a description of the transformed code serves as the public key.

The McEliece encryption scheme (when used with Goppa codes) has resisted cryptanalysis to date. It is also notable as being the first public-key encryption scheme to use randomization in the encryption process. Although very efficient, the McEliece encryption scheme has received little attention in practice because of the very large public keys (see Remark 8.33).


8.29 Algorithm Key generation for McEliece public-key encryption

SUMMARY: each entity creates a public key and a corresponding private key.

1. Integers k, n, and t are fixed as common system parameters.

2. Each entity A should perform steps 3-7.

3. Choose a k × n generator matrix G for a binary (n, k)-linear code which can correct t errors, and for which an efficient decoding algorithm is known. (See Note 12.36.)

4. Select a random k × k binary non-singular matrix S.

5. Select a random n × n permutation matrix P.

6. Compute the k × n matrix Ĝ = SGP.

7. A's public key is (Ĝ, t); A's private key is (S, G, P).
8.30 Algorithm McEliece public-key encryption

SUMMARY: B encrypts a message m for A, which A decrypts.

1. Encryption. B should do the following:

(a) Obtain A's authentic public key (Ĝ, t).

(b) Represent the message as a binary string m of length k.

(c) Choose a random binary error vector z of length n having at most t 1's.

(d) Compute the binary vector c = mĜ + z.

(e) Send the ciphertext c to A.

2. Decryption. To recover plaintext m from c, A should do the following:

(a) Compute ĉ = cP^{-1}, where P^{-1} is the inverse of the matrix P.

(b) Use the decoding algorithm for the code generated by G to decode ĉ to m̂.

(c) Compute m = m̂S^{-1}.


Proof that decryption works. Since

$$\hat{c} = cP^{-1} = (m\hat{G} + z)P^{-1} = (mSGP + z)P^{-1} = (mS)G + zP^{-1},$$

and zP^{-1} is a vector with at most t 1's, the decoding algorithm for the code generated by G corrects ĉ to m̂ = mS. Finally, m̂S^{-1} = m, and, hence, decryption works.

A special type of error-correcting code, called a Goppa code, may be used in step 3 of the key generation. For each irreducible polynomial g(x) of degree t over F_{2^m}, there exists a binary Goppa code of length n = 2^m and dimension k ≥ n − mt capable of correcting any pattern of t or fewer errors. Furthermore, efficient decoding algorithms are known for such codes.
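An added worked example of Algorithms 8.29 and 8.30 (this code is not from the Handbook): the Hamming (7,4) code, which corrects t = 1 error with a trivial syndrome decoder, stands in for the Goppa code of step 3, and the matrices G and H, the message and the error vector below are constructed for the demonstration.

```python
import random

# Added example (not the Handbook's own code): Algorithms 8.29 and 8.30 with
# the Hamming (7,4) code standing in for the Goppa code.  It corrects t = 1
# error and has a trivial syndrome decoder; the public key Ĝ = SGP hides it.
# Vectors are lists of 0/1 and all arithmetic is over GF(2).

K, N, T = 4, 7, 1

# Systematic generator matrix G = [I_4 | A] of the Hamming (7,4) code.
G = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
# Parity-check matrix H = [A^T | I_3]: every codeword c satisfies Hc^T = 0 and
# the columns of H are distinct, so a single error is located by its syndrome.
H = [[1, 1, 0, 1, 1, 0, 0],
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]

def vec_mat(v, M):
    """Row vector times matrix over GF(2)."""
    return [sum(v[i] * M[i][j] for i in range(len(v))) % 2 for j in range(len(M[0]))]

def mat_mul(A, B):
    return [vec_mat(row, B) for row in A]

def transpose(M):
    return [list(col) for col in zip(*M)]

def gf2_inverse(M):
    """Gauss-Jordan inversion over GF(2); returns None when M is singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def keygen(seed=None):
    """Steps 4-7 of Algorithm 8.29: random non-singular S, random permutation P."""
    rng = random.Random(seed)          # seed only makes the demo reproducible
    while True:
        S = [[rng.randrange(2) for _ in range(K)] for _ in range(K)]
        if gf2_inverse(S) is not None:
            break
    perm = list(range(N))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(N)] for i in range(N)]
    G_hat = mat_mul(mat_mul(S, G), P)  # Ĝ = SGP
    return (G_hat, T), (S, G, P)

def encrypt(public, m, z):
    """Algorithm 8.30 step 1: c = mĜ + z, with z an error vector of weight <= t."""
    G_hat, t = public
    if len(m) != K or len(z) != N or sum(z) > t:
        raise ValueError("message must have k bits and z at most t ones")
    return [a ^ b for a, b in zip(vec_mat(m, G_hat), z)]

def decode_hamming(word):
    """Syndrome decoding: flip the position whose H-column equals the
    syndrome, then read off the k systematic (leading) bits."""
    columns = transpose(H)
    syndrome = vec_mat(word, columns)  # = H * word^T
    word = word[:]
    if any(syndrome):
        word[columns.index(syndrome)] ^= 1
    return word[:K]

def decrypt(private, c):
    """Algorithm 8.30 step 2: ĉ = cP^{-1}, decode to m̂ = mS, then m = m̂S^{-1}."""
    S, _, P = private
    c_hat = vec_mat(c, transpose(P))   # P^{-1} = P^T for a permutation matrix
    m_hat = decode_hamming(c_hat)
    return vec_mat(m_hat, gf2_inverse(S))
```

Because the toy code corrects only one error, an error vector of weight 2 makes `decrypt` return garbage rather than fail, which is why step 1(c) bounds the weight of z by t.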

8.31 Note (security of McEliece encryption) There are two basic kinds of attacks known.

(i) From the public information, an adversary may try to compute the key G or a key G' for a Goppa code equivalent to the one with generator matrix G. There is no efficient method known for accomplishing this.

(ii) An adversary may try to recover the plaintext m directly given some ciphertext c. The adversary picks k columns at random from Ĝ. If Ĝ_k, c_k and z_k denote the restriction of Ĝ, c and z, respectively, to these k columns, then (c_k + z_k) = mĜ_k. If z_k = 0 and if Ĝ_k is non-singular, then m can be recovered by solving the system of equations c_k = mĜ_k. Since the probability that z_k = 0, i.e., the selected k bits were not in error, is only $\binom{n-t}{k}/\binom{n}{k}$, the probability of this attack succeeding is negligibly small.

8.32 Note (recommended parameter sizes) The original parameters suggested by McEliece were n = 1024, t = 50, and k ≥ 524. Based on the security analysis (Note 8.31), an optimum choice of parameters for the Goppa code which maximizes the adversary's work factor appears to be n = 1024, t = 38, and k ≥ 644.

8.33 Remark (McEliece encryption in practice) Although the encryption and decryption operations are relatively fast, the McEliece scheme suffers from the drawback that the public key is very large. A (less significant) drawback is that there is message expansion by a factor of n/k. For the recommended parameters n = 1024, t = 38, k ≥ 644, the public key is about 2^19 bits in size, while the message expansion factor is about 1.6. For these reasons, the scheme receives little attention in practice.


Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.


8.6 Knapsack public-key encryption

Knapsack public-key encryption schemes are based on the subset sum problem, which is NP-complete (see §2.3.3 and §3.10). The basic idea is to select an instance of the subset sum problem that is easy to solve, and then to disguise it as an instance of the general subset sum problem which is hopefully difficult to solve. The original knapsack set can serve as the private key, while the transformed knapsack set serves as the public key.

The Merkle-Hellman knapsack encryption scheme (§8.6.1) is important for historical reasons, as it was the first concrete realization of a public-key encryption scheme. Many variations have subsequently been proposed but most, including the original, have been demonstrated to be insecure (see Note 8.40), a notable exception being the Chor-Rivest knapsack scheme (§8.6.2).


8.6.1 Merkle-Hellman knapsack encryption

The Merkle-Hellman knapsack encryption scheme attempts to disguise an easily solved instance of the subset sum problem, called a superincreasing subset sum problem, by modular multiplication and a permutation. It is however not recommended for use (see Note 8.40).

8.34 Definition A superincreasing sequence is a sequence (b_1, b_2, ..., b_n) of positive integers with the property that b_i > Σ_{j=1}^{i−1} b_j for each i, 2 ≤ i ≤ n.

Algorithm 8.35 efficiently solves the subset sum problem for superincreasing sequences.

8.35 Algorithm Solving a superincreasing subset sum problem

INPUT: a superincreasing sequence (b_1, b_2, ..., b_n) and an integer s which is the sum of a subset of the b_i.

OUTPUT: (x_1, x_2, ..., x_n) where x_i ∈ {0, 1}, such that Σ_{i=1}^{n} x_i b_i = s.

1. i ← n.

2. While i ≥ 1 do the following:

2.1 If s ≥ b_i then x_i ← 1 and s ← s − b_i. Otherwise x_i ← 0.

2.2 i ← i − 1.

3. Return((x_1, x_2, ..., x_n)).


8.36 Algorithm Key generation for basic Merkle-Hellman knapsack encryption

SUMMARY: each entity creates a public key and a corresponding private key.

1. An integer n is fixed as a common system parameter.

2. Each entity A should perform steps 3-7.

3. Choose a superincreasing sequence (b_1, b_2, ..., b_n) and modulus M such that M > b_1 + b_2 + ... + b_n.

4. Select a random integer W, 1 ≤ W ≤ M − 1, such that gcd(W, M) = 1.

5. Select a random permutation π of the integers {1, 2, ..., n}.

6. Compute a_i = W b_{π(i)} mod M for i = 1, 2, ..., n.

7. A's public key is (a_1, a_2, ..., a_n); A's private key is (π, M, W, (b_1, b_2, ..., b_n)).
8.37 Algorithm Basic Merkle-Hellman knapsack public-key encryption

SUMMARY: B encrypts a message m for A, which A decrypts.

1. Encryption. B should do the following:

(a) Obtain A's authentic public key (a_1, a_2, ..., a_n).

(b) Represent the message m as a binary string of length n, m = m_1 m_2 ... m_n.

(c) Compute the integer c = m_1 a_1 + m_2 a_2 + ... + m_n a_n.

(d) Send the ciphertext c to A.

2. Decryption. To recover plaintext m from c, A should do the following:

(a) Compute d = W^{-1} c mod M.

(b) By solving a superincreasing subset sum problem (Algorithm 8.35), find integers r_1, r_2, ..., r_n, r_i ∈ {0, 1}, such that d = r_1 b_1 + r_2 b_2 + ... + r_n b_n.

(c) The message bits are m_i = r_{π(i)}, i = 1, 2, ..., n.


Proof that decryption works. The decryption of Algorithm 8.37 allows recovery of original plaintext because

$$d = W^{-1} c = W^{-1} \sum_{i=1}^{n} m_i a_i \equiv \sum_{i=1}^{n} m_i b_{\pi(i)} \pmod{M}.$$

Since 0 ≤ d < M, d = Σ_{i=1}^{n} m_i b_{π(i)} mod M, and hence the solution of the superincreasing subset sum problem in step (b) of the decryption gives the message bits, after application of the permutation π.

8.38 Example (basic Merkle-Hellman knapsack encryption with artificially small parameters)
Key generation. Let n = 6. Entity A chooses the superincreasing sequence (12, 17, 33, 74, 157, 316), M = 737, W = 635, and the permutation π of {1, 2, 3, 4, 5, 6} defined by π(1) = 3, π(2) = 6, π(3) = 1, π(4) = 2, π(5) = 5, and π(6) = 4. A's public key is the knapsack set (319, 196, 250, 477, 200, 559), while A's private key is (π, M, W, (12, 17, 33, 74, 157, 316)).

Encryption. To encrypt the message m = 101101, B computes

c = 319 + 250 + 477 + 559 = 1605

and sends this to A.

Decryption. To decrypt, A computes d = W^{-1} c mod M = 136, and solves the superincreasing subset sum problem

136 = 12r_1 + 17r_2 + 33r_3 + 74r_4 + 157r_5 + 316r_6

to get 136 = 12 + 17 + 33 + 74. Hence, r_1 = 1, r_2 = 1, r_3 = 1, r_4 = 1, r_5 = 0, r_6 = 0, and application of the permutation π yields the message bits m_1 = r_3 = 1, m_2 = r_6 = 0, m_3 = r_1 = 1, m_4 = r_2 = 1, m_5 = r_5 = 0, m_6 = r_4 = 1. □
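An added worked example (not the Handbook's code) of Algorithms 8.35 to 8.37 that reproduces Example 8.38 and also computes the density of the public knapsack set from Note 8.40(ii); the `random_keygen` helper, which picks the parameters at random, is an assumption of this example rather than a step of the book.

```python
from math import gcd, log2
import random

# Added example, not the Handbook's own code: Algorithms 8.35-8.37 run on the
# parameters of Example 8.38.  Python lists are 0-indexed, so the book's b_i
# is b[i-1]; the permutation pi is a dict on {1, ..., n} as in the book.

def is_superincreasing(b):
    """Definition 8.34: each term exceeds the sum of all earlier terms."""
    total = 0
    for value in b:
        if value <= total:
            return False
        total += value
    return True

def solve_superincreasing(b, s):
    """Algorithm 8.35: greedy solution of a superincreasing subset sum."""
    x = [0] * len(b)
    for i in range(len(b) - 1, -1, -1):      # i from n down to 1
        if s >= b[i]:
            x[i], s = 1, s - b[i]
    if s != 0:
        raise ValueError("s is not a subset sum of the sequence")
    return x

def keygen(b, M, W, pi):
    """Algorithm 8.36 steps 3-7 with the parameters supplied by the caller."""
    n = len(b)
    if not is_superincreasing(b) or M <= sum(b) or not 1 <= W < M or gcd(W, M) != 1:
        raise ValueError("parameters violate Algorithm 8.36")
    public = [W * b[pi[i] - 1] % M for i in range(1, n + 1)]  # a_i = W b_pi(i) mod M
    return public, (pi, M, W, b)

def random_keygen(n, seed=None):
    """Algorithm 8.36 with randomly chosen parameters (a convenience added here)."""
    rng = random.Random(seed)
    b, total = [], 0
    for _ in range(n):
        value = total + rng.randrange(1, 2 ** 16)   # strictly larger than the sum so far
        b.append(value)
        total += value
    M = total + rng.randrange(1, 2 ** 16)           # M > b_1 + ... + b_n
    while True:
        W = rng.randrange(1, M)
        if gcd(W, M) == 1:
            break
    order = list(range(1, n + 1))
    rng.shuffle(order)
    return keygen(b, M, W, {i + 1: order[i] for i in range(n)})

def encrypt(public, bits):
    """Algorithm 8.37 step 1: c = m_1 a_1 + ... + m_n a_n."""
    if len(bits) != len(public):
        raise ValueError("message must have n bits")
    return sum(a for a, m in zip(public, bits) if m)

def decrypt(private, c):
    """Algorithm 8.37 step 2."""
    pi, M, W, b = private
    d = pow(W, -1, M) * c % M                  # (a) d = W^{-1} c mod M
    r = solve_superincreasing(b, d)            # (b) d = r_1 b_1 + ... + r_n b_n
    return [r[pi[i] - 1] for i in range(1, len(b) + 1)]   # (c) m_i = r_pi(i)

def density(knapsack):
    """Definition 3.104: n / lg(max a_i).  Note 8.40(ii): the lattice attack
    typically succeeds below 0.9408, and a Merkle-Hellman set is always below 1."""
    return len(knapsack) / log2(max(knapsack))
```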

Multiple-iterated Merkle-Hellman knapsack encryption

One variation of the basic Merkle-Hellman scheme involves disguising the easy superincreasing sequence by a series of modular multiplications. The key generation for this variation is as follows.

8.39 Algorithm Key generation for multiple-iterated Merkle-Hellman knapsack encryption

SUMMARY: each entity creates a public key and a corresponding private key.

1. Integers n and t are fixed as common system parameters.

2. Each entity A should perform steps 3-6.

3. Choose a superincreasing sequence (a_1^{(0)}, a_2^{(0)}, ..., a_n^{(0)}).

4. For j from 1 to t do the following:

4.1 Choose a modulus M_j with M_j > a_1^{(j−1)} + a_2^{(j−1)} + ... + a_n^{(j−1)}.

4.2 Select a random integer W_j, 1 ≤ W_j ≤ M_j − 1, such that gcd(W_j, M_j) = 1.

4.3 Compute a_i^{(j)} = a_i^{(j−1)} W_j mod M_j for i = 1, 2, ..., n.

5. Select a random permutation π of the integers {1, 2, ..., n}.

6. A's public key is (a_1, a_2, ..., a_n), where a_i = a_{π(i)}^{(t)} for i = 1, 2, ..., n; A's private key is (π, M_1, ..., M_t, W_1, ..., W_t, a_1^{(0)}, a_2^{(0)}, ..., a_n^{(0)}).


Encryption is performed in the same way as in the basic Merkle-Hellman scheme (Algorithm 8.37). Decryption is performed by successively computing d_j = W_j^{-1} d_{j+1} mod M_j for j = t, t−1, ..., 1, where d_{t+1} = c. Finally, the superincreasing subset sum problem d_1 = r_1 a_1^{(0)} + r_2 a_2^{(0)} + ... + r_n a_n^{(0)} is solved for r_i, and the message bits are recovered after application of the permutation π.

8.40 Note (insecurity of Merkle-Hellman knapsack encryption)

(i) A polynomial-time algorithm for breaking the basic Merkle-Hellman scheme is known. Given the public knapsack set, this algorithm finds a pair of integers U', M' such that U'/M' is close to U/M (where W and M are part of the private key, and U = W^{-1} mod M) and such that the integers b_i' = U' a_i mod M', 1 ≤ i ≤ n, form a superincreasing sequence. This sequence can then be used by an adversary in place of (b_1, b_2, ..., b_n) to decrypt messages.

(ii) The most powerful general attack known on knapsack encryption schemes is the technique discussed in §3.10.2 which reduces the subset sum problem to the problem of finding a short vector in a lattice. It is typically successful if the density (see Definition 3.104) of the knapsack set is less than 0.9408. This is significant because the density of a Merkle-Hellman knapsack set must be less than 1, since otherwise there will in general be many subsets of the knapsack set with the same sum, in which case some ciphertexts will not be uniquely decipherable. Moreover, since each iteration in the multiple-iterated scheme lowers the density, this attack will succeed if the knapsack set has been iterated a sufficient number of times.

Similar techniques have since been used to break most knapsack schemes that have been proposed, including the multiple-iterated Merkle-Hellman scheme. The most prominent knapsack scheme that has resisted such attacks to date is the Chor-Rivest scheme (but see Note 8.44).


8.6.2 Chor-Rivest knapsack encryption

The Chor-Rivest scheme is the only known knapsack public-key encryption scheme that does not use some form of modular multiplication to disguise an easy subset sum problem.

8.41 Algorithm Key generation for Chor-Rivest public-key encryption

SUMMARY: each entity creates a public key and a corresponding private key.

Each entity A should do the following:

1. Select a finite field F_q of characteristic p, where q = p^h, p ≥ h, and for which the discrete logarithm problem is feasible (see Note 8.45(ii)).

2. Select a random monic irreducible polynomial f(x) of degree h over Z_p (using Algorithm 4.70). The elements of F_q will be represented as polynomials in Z_p[x] of degree less than h, with multiplication performed modulo f(x).

3. Select a random primitive element g(x) of the field F_q (using Algorithm 4.80).

4. For each ground field element i ∈ Z_p, find the discrete logarithm a_i = log_{g(x)}(x + i) of the field element (x + i) to the base g(x).

5. Select a random permutation π on the set of integers {0, 1, 2, ..., p − 1}.

6. Select a random integer d, 0 ≤ d ≤ p^h − 2.

7. Compute c_i = (a_{π(i)} + d) mod (p^h − 1), 0 ≤ i ≤ p − 1.

8. A's public key is ((c_0, c_1, ..., c_{p−1}), p, h); A's private key is (f(x), g(x), π, d).


8.42 Algorithm Chor-Rivest public-key encryption

SUMMARY: B encrypts a message m for A, which A decrypts.

1. Encryption. B should do the following:

(a) Obtain A's authentic public key ((c_0, c_1, ..., c_{p−1}), p, h).

(b) Represent the message m as a binary string of length ⌊lg $\binom{p}{h}$⌋, where $\binom{p}{h}$ is a binomial coefficient (Definition 2.17).

(c) Consider m as the binary representation of an integer. Transform this integer into a binary vector M = (M_0, M_1, ..., M_{p−1}) of length p having exactly h 1's as follows:

i. Set l ← h.

ii. For i from 1 to p do the following:

If m ≥ $\binom{p-i}{l}$ then set M_{i−1} ← 1, m ← m − $\binom{p-i}{l}$, l ← l − 1. Otherwise, set M_{i−1} ← 0. (Note: $\binom{n}{0}$ = 1 for n ≥ 0; $\binom{0}{l}$ = 0 for l ≥ 1.)

(d) Compute c = Σ_{i=0}^{p−1} M_i c_i mod (p^h − 1).

(e) Send the ciphertext c to A.

2. Decryption. To recover plaintext m from c, A should do the following:

(a) Compute r = (c − hd) mod (p^h − 1).

(b) Compute u(x) = g(x)^r mod f(x) (using Algorithm 2.227).

(c) Compute s(x) = u(x) + f(x), a monic polynomial of degree h over Z_p.

(d) Factor s(x) into linear factors over Z_p: s(x) = Π_{j=1}^{h} (x + t_j), where t_j ∈ Z_p (cf. Note 8.45(iv)).

(e) Compute a binary vector M = (M_0, M_1, ..., M_{p−1}) as follows. The components of M that are 1 have indices π^{-1}(t_j), 1 ≤ j ≤ h. The remaining components are 0.

(f) The message m is recovered from M as follows:

i. Set m ← 0, l ← h.

ii. For i from 1 to p do the following:

If M_{i−1} = 1 then set m ← m + $\binom{p-i}{l}$ and l ← l − 1.
Proof that decryption works. Observe that

$$\begin{aligned}
u(x) &= g(x)^r \bmod f(x) \\
&\equiv g(x)^{c-hd} \equiv g(x)^{\sum_{i=0}^{p-1} M_i c_i - hd} \pmod{f(x)} \\
&\equiv g(x)^{\sum_{i=0}^{p-1} M_i (a_{\pi(i)} + d) - hd} \equiv g(x)^{\sum_{i=0}^{p-1} M_i a_{\pi(i)}} \pmod{f(x)} \\
&\equiv \prod_{i=0}^{p-1} \left[g(x)^{a_{\pi(i)}}\right]^{M_i} \equiv \prod_{i=0}^{p-1} (x + \pi(i))^{M_i} \pmod{f(x)}.
\end{aligned}$$

Since Π_{i=0}^{p−1} (x + π(i))^{M_i} and s(x) are monic polynomials of degree h and are congruent modulo f(x), it must be the case that

$$s(x) = u(x) + f(x) = \prod_{i=0}^{p-1} (x + \pi(i))^{M_i}.$$

Hence, the h roots of s(x) all lie in Z_p, and applying π^{-1} to these roots gives the coordinates of M that are 1.

8.43 Example (Chor-Rivest public-key encryption with artificially small parameters)

Key generation. Entity A does the following:

1. Selects p = 7 and h = 4.

2. Selects the irreducible polynomial f(x) = x^4 + 3x^3 + 5x^2 + 6x + 2 of degree 4 over Z_7. The elements of the finite field F_{7^4} are represented as polynomials in Z_7[x] of degree less than 4, with multiplication performed modulo f(x).

3. Selects the random primitive element g(x) = 3x^3 + 3x^2 + 6.

4. Computes the following discrete logarithms:

a_0 = log_{g(x)}(x) = 1028
a_1 = log_{g(x)}(x + 1) = 1935
a_2 = log_{g(x)}(x + 2) = 2054
a_3 = log_{g(x)}(x + 3) = 1008
a_4 = log_{g(x)}(x + 4) = 379
a_5 = log_{g(x)}(x + 5) = 1780
a_6 = log_{g(x)}(x + 6) = 223.

5. Selects the random permutation π on {0, 1, 2, 3, 4, 5, 6} defined by π(0) = 6, π(1) = 4, π(2) = 0, π(3) = 2, π(4) = 1, π(5) = 5, π(6) = 3.

6. Selects the random integer d = 1702.

7. Computes

c_0 = (a_6 + d) mod 2400 = 1925
c_1 = (a_4 + d) mod 2400 = 2081
c_2 = (a_0 + d) mod 2400 = 330
c_3 = (a_2 + d) mod 2400 = 1356
c_4 = (a_1 + d) mod 2400 = 1237
c_5 = (a_5 + d) mod 2400 = 1082
c_6 = (a_3 + d) mod 2400 = 310.

8. A's public key is ((c_0, c_1, c_2, c_3, c_4, c_5, c_6), p = 7, h = 4), while A's private key is (f(x), g(x), π, d).

Encryption. To encrypt a message m = 22 for A, B does the following:

(a) Obtains A's authentic public key.

(b) Represents m as a binary string of length 5: m = 10110. (Note that ⌊lg $\binom{7}{4}$⌋ = 5.)

(c) Uses the method outlined in step 1(c) of Algorithm 8.42 to transform m to the binary vector M = (1, 0, 1, 1, 0, 0, 1) of length 7.

(d) Computes c = (c_0 + c_2 + c_3 + c_6) mod 2400 = 1521.

(e) Sends c = 1521 to A.

Decryption. To decrypt the ciphertext c = 1521, A does the following:

(a) Computes r = (c − hd) mod 2400 = 1913.

(b) Computes u(x) = g(x)^1913 mod f(x) = x^3 + 3x^2 + 2x + 5.

(c) Computes s(x) = u(x) + f(x) = x^4 + 4x^3 + x^2 + x.

(d) Factors s(x) = x(x + 2)(x + 3)(x + 6) (so t_1 = 0, t_2 = 2, t_3 = 3, t_4 = 6).

(e) The components of M that are 1 have indices π^{-1}(0) = 2, π^{-1}(2) = 3, π^{-1}(3) = 6, and π^{-1}(6) = 0. Hence, M = (1, 0, 1, 1, 0, 0, 1).

(f) Uses the method outlined in step 2(f) of Algorithm 8.42 to transform M to the integer m = 22, thus recovering the original plaintext. □
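An added worked example (not the Handbook's code) of Algorithms 8.41 and 8.42 on the parameters of Example 8.43; it assumes the arithmetic of F_{7^4} as polynomials modulo f(x) exactly as in the example, finds the discrete logarithms of step 4 by exhaustive search (feasible only because p^h = 2401), and finds the roots of s(x) by trying every element of Z_p as Note 8.45(iv) allows.

```python
from math import comb

# Added example, not the Handbook's own code: Algorithms 8.41 and 8.42 on the
# parameters of Example 8.43 (p = 7, h = 4).  A polynomial over Z_p is a list
# of coefficients, lowest degree first: x^4 + 3x^3 + 5x^2 + 6x + 2 is [2,6,5,3,1].
# Discrete logs are found by brute force here; real parameters need the
# Pohlig-Hellman approach of Note 8.45(ii).

P, H = 7, 4
ORDER = P ** H - 1                  # 2400, order of the multiplicative group
F = [2, 6, 5, 3, 1]                 # f(x), monic irreducible of degree h
G = [6, 0, 3, 3]                    # g(x) = 3x^3 + 3x^2 + 6, primitive
PI = {0: 6, 1: 4, 2: 0, 3: 2, 4: 1, 5: 5, 6: 3}
D = 1702
ONE = [1] + [0] * (H - 1)

def poly_mulmod(a, b):
    """Product of two polynomials in Z_p[x], reduced modulo the monic f(x)."""
    prod = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % P
    for k in range(len(prod) - 1, H - 1, -1):   # x^k -> x^(k-h) * (x^h mod f)
        coef = prod[k]
        if coef:
            for t in range(H):
                prod[k - H + t] = (prod[k - H + t] - coef * F[t]) % P
    return (prod + [0] * H)[:H]

def poly_powmod(base, e):
    """Square-and-multiply in Z_p[x]/(f(x)) (the role of Algorithm 2.227)."""
    result, base = ONE, (base + [0] * H)[:H]
    while e:
        if e & 1:
            result = poly_mulmod(result, base)
        base = poly_mulmod(base, base)
        e >>= 1
    return result

def discrete_log(target):
    """log_g(target) by exhaustive search over the 2400 powers of g."""
    cur = ONE
    for e in range(ORDER):
        if cur == target:
            return e
        cur = poly_mulmod(cur, G)
    raise ValueError("target is not a power of g")

def keygen():
    """Algorithm 8.41 steps 4-8 for the fixed f, g, pi and d above."""
    a = [discrete_log([i, 1] + [0] * (H - 2)) for i in range(P)]  # a_i = log_g(x + i)
    c = [(a[PI[i]] + D) % ORDER for i in range(P)]                # c_i = a_pi(i) + d
    return (c, P, H), (F, G, PI, D)

def int_to_vector(m):
    """Step 1(c) of Algorithm 8.42: integer -> length-p vector with exactly h ones."""
    M, l = [0] * P, H
    for i in range(1, P + 1):
        if m >= comb(P - i, l):          # comb(n, 0) = 1, comb(0, l) = 0 for l >= 1
            M[i - 1], m, l = 1, m - comb(P - i, l), l - 1
    return M

def vector_to_int(M):
    """Step 2(f) of Algorithm 8.42: the inverse of int_to_vector."""
    m, l = 0, H
    for i in range(1, P + 1):
        if M[i - 1]:
            m, l = m + comb(P - i, l), l - 1
    return m

def encrypt(public, m):
    """Algorithm 8.42 step 1: c = sum of c_i over the ones of M, mod p^h - 1."""
    c_vec, p, h = public
    if not 0 <= m < comb(p, h):
        raise ValueError("message out of range")
    M = int_to_vector(m)
    return sum(ci for ci, Mi in zip(c_vec, M) if Mi) % ORDER

def poly_eval(poly, x):
    return sum(coef * pow(x, i, P) for i, coef in enumerate(poly)) % P

def decrypt(private, c):
    """Algorithm 8.42 step 2."""
    f, g, pi, d = private
    r = (c - H * d) % ORDER                                   # (a)
    u = poly_powmod(g, r)                                     # (b) u = g^r mod f
    s = [(ui + fi) % P for ui, fi in zip(u + [0], f)]         # (c) s = u + f, monic
    t_values = [(-x) % P for x in range(P) if poly_eval(s, x) == 0]  # (d) s = prod(x + t_j)
    if len(t_values) != H:
        raise ValueError("ciphertext does not decrypt to a valid h-subset")
    inv_pi = {v: k for k, v in pi.items()}
    M = [0] * P
    for t in t_values:
        M[inv_pi[t]] = 1                                      # (e)
    return vector_to_int(M)                                   # (f)
```

The check on the number of roots in step (d) is what rejects a ciphertext that was not formed from exactly h distinct c_i, which is the only shape a legitimate ciphertext can have.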

8.44 Note (security of Chor-Rivest encryption)

(i) When the parameters of the system are carefully chosen (see Note 8.45 and page 318), there is no feasible attack known on the Chor-Rivest encryption scheme. In particular, the density of the knapsack set (c_0, c_1, ..., c_{p−1}) is p/lg(max c_i), which is large enough to thwart the low-density attacks on the general subset sum problem (§3.10.2).

(ii) It is known that the system is insecure if portions of the private key are revealed, for example, if g(x) and d in some representation of F_q are known, or if f(x) is known, or if π is known.

8.45 Note (implementation)

(i) Although the Chor-Rivest scheme has been described only for the case p a prime, it extends to the case where the base field Z_p is replaced by a field of prime power order.

(ii) In order to make the discrete logarithm problem feasible in step 1 of Algorithm 8.41, the parameters p and h may be chosen so that q = p^h − 1 has only small factors. In this case, the Pohlig-Hellman algorithm (§3.6.4) can be used to efficiently compute discrete logarithms in the finite field F_q.

(iii) In practice, the recommended sizes of the parameters are p ≈ 200 and h ≈ 25. One particular choice of parameters originally suggested is p = 197 and h = 24; in this case, the largest prime factor of 197^24 − 1 is 10316017, and the density of the knapsack set is about 1.077. Other parameter sets originally suggested are {p = 211, h = 24}, {p = 3^5, h = 24} (base field F_{3^5}), and {p = 2^8, h = 25} (base field F_{2^8}).

(iv) Encryption is a very fast operation. Decryption is much slower, the bottleneck being the computation of u(x) in step 2b. The roots of s(x) in step 2d can be found simply by trying all possibilities in Z_p.

(v) A major drawback of the Chor-Rivest scheme is that the public key is fairly large, namely, about (ph · lg p) bits. For the parameters p = 197 and h = 24, this is about 36000 bits.

(vi) There is message expansion by a factor of lg p^h / lg $\binom{p}{h}$. For p = 197 and h = 24, this is 1.797.


8.7 Probabilistic public-key encryption

A minimal security requirement of an encryption scheme is that it must be difficult, in essentially all cases, for a passive adversary to recover plaintext from the corresponding ciphertext. However, in some situations, it may be desirable to impose more stringent security requirements.

The RSA, Rabin, and knapsack encryption schemes are deterministic in the sense that under a fixed public key, a particular plaintext m is always encrypted to the same ciphertext c. A deterministic scheme has some or all of the following drawbacks.

1. The scheme is not secure for all probability distributions of the message space. For example, in RSA the messages 0 and 1 always get encrypted to themselves, and hence are easy to detect.

2. It is sometimes easy to compute partial information about the plaintext from the ciphertext. For example, in RSA if c = m^e mod n is the ciphertext corresponding to a plaintext m, then


since e is odd, and hence an adversary can easily gain one bit of information about m, namely the Jacobi symbol

3. It is easy to detect when the same message is sent twice.

Of course, any deterministic encryption scheme can be converted into a randomized scheme by requiring that a portion of each plaintext consist of a randomly generated bitstring of a pre-specified length l. If the parameter l is chosen to be sufficiently large for the purpose at hand, then, in practice, the attacks listed above are thwarted. However, the resulting randomized encryption scheme is generally not provably secure against the different kinds of attacks that one could conceive.

Probabilistic encryption utilizes randomness to attain a provable and very strong level of security. There are two strong notions of security that one can strive to achieve.

8.46 Definition A public-key encryption scheme is said to be polynomially secure if no passive adversary can, in expected polynomial time, select two plaintext messages m_1 and m_2 and then correctly distinguish between encryptions of m_1 and m_2 with probability significantly greater than 1/2.

8.47 Definition A public-key encryption scheme is said to be semantically secure if, for all probability distributions over the message space, whatever a passive adversary can compute in expected polynomial time about the plaintext given the ciphertext, it can also compute in expected polynomial time without the ciphertext.

Intuitively, a public-key encryption scheme is semantically secure if the ciphertext does not leak any partial information whatsoever about the plaintext that can be computed in expected polynomial time.
8.48 Remark (perfect secrecy vs. semantic security) In Shannon's theory (see §1.13.3(i)), an encryption scheme has perfect secrecy if a passive adversary, even with infinite computational resources, can learn nothing about the plaintext from the ciphertext, except possibly its length. The limitation of this notion is that perfect secrecy cannot be achieved unless the key is at least as long as the message. By contrast, the notion of semantic security can be viewed as a polynomially bounded version of perfect secrecy — a passive adversary with polynomially bounded computational resources can learn nothing about the plaintext from the ciphertext. It is then conceivable that there exist semantically secure encryption schemes where the keys are much shorter than the messages.

Although Definition 8.47 appears to be stronger than Definition 8.46, the next result asserts that they are, in fact, equivalent.

8.49 Fact A public-key encryption scheme is semantically secure if and only if it is polynomially secure.


8.7.1 Goldwasser-Micali probabilistic encryption

The Goldwasser-Micali scheme is a probabilistic public-key system which is semantically secure assuming the intractability of the quadratic residuosity problem (see §3.4).


8.50 Algorithm Key generation for Goldwasser-Micali probabilistic encryption

SUMMARY: each entity creates a public key and corresponding private key.

Each entity A should do the following:

1. Select two large random (and distinct) primes p and q, each roughly the same size.

2. Compute n = pq.

3. Select a y ∈ Z_n such that y is a quadratic non-residue modulo n and the Jacobi symbol (y/n) = 1 (y is a pseudosquare modulo n); see Remark 8.54.

4. A's public key is (n, y); A's private key is the pair (p, q).


8.51 Algorithm Goldwasser-Micali probabilistic public-key encryption

SUMMARY: B encrypts a message m for A, which A decrypts.

1. Encryption. B should do the following:

(a) Obtain A's authentic public key (n, y).

(b) Represent the message m as a binary string m = m_1 m_2 ... m_t of length t.

(c) For i from 1 to t do:

i. Pick an x ∈ Z_n^* at random.

ii. If m_i = 1 then set c_i ← y x^2 mod n; otherwise set c_i ← x^2 mod n.

(d) Send the t-tuple c = (c_1, c_2, ..., c_t) to A.

2. Decryption. To recover plaintext m from c, A should do the following:

(a) For i from 1 to t do:

i. Compute the Legendre symbol e_i = (c_i/p) (using Algorithm 2.149).

ii. If e_i = 1 then set m_i ← 0; otherwise set m_i ← 1.

(b) The decrypted message is m = m_1 m_2 ... m_t.




Proof that decryption works. If a message bit m_i is 0, then c_i = x^2 mod n is a quadratic residue modulo n. If a message bit m_i is 1, then since y is a pseudosquare modulo n, c_i = y x^2 mod n is also a pseudosquare modulo n. By Fact 2.137, c_i is a quadratic residue modulo n if and only if c_i is a quadratic residue modulo p, or equivalently (c_i/p) = 1. Since A knows p, she can compute this Legendre symbol and hence recover the message bit m_i.

8.52 Note (security of Goldwasser-Micali probabilistic encryption) Since x is selected at random from Z_n^*, x^2 mod n is a random quadratic residue modulo n, and y x^2 mod n is a random pseudosquare modulo n. Hence, an eavesdropper sees random quadratic residues and pseudosquares modulo n. Assuming that the quadratic residuosity problem is difficult, the eavesdropper can do no better than guess each message bit. More formally, if the quadratic residuosity problem is hard, then the Goldwasser-Micali probabilistic encryption scheme is semantically secure.

8.53 Note (message expansion) A major disadvantage of the Goldwasser-Micali scheme is the message expansion by a factor of lg n bits. Some message expansion is unavoidable in a probabilistic encryption scheme because there are many ciphertexts corresponding to each plaintext. Algorithm 8.56 is a major improvement of the Goldwasser-Micali scheme in that the plaintext is only expanded by a constant factor.

8.54 Remark (finding pseudosquares) A pseudosquare y modulo n can be found as follows. First find a quadratic non-residue a modulo p and a quadratic non-residue b modulo q (see Remark 2.151). Then use Gauss's algorithm (Algorithm 2.121) to compute the integer y, 0 ≤ y ≤ n − 1, satisfying the simultaneous congruences y ≡ a (mod p), y ≡ b (mod q). Since y (≡ a (mod p)) is a quadratic non-residue modulo p, it is also a quadratic non-residue modulo n (Fact 2.137). Also, by the properties of the Legendre and Jacobi symbols (§2.4.5), (y/n) = (y/p)(y/q) = (−1)(−1) = 1. Hence, y is a pseudosquare modulo n.
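An added worked example (not the Handbook's code) of Algorithms 8.50 and 8.51 together with the pseudosquare construction of Remark 8.54; the primes are small constructed values, the Legendre symbol is taken by Euler's criterion rather than Algorithm 2.149, and the `jacobi` function plays the eavesdropper, who can compute Jacobi symbols modulo n without knowing p and q.

```python
from math import gcd
import random

# Added example, not the Handbook's own code: Algorithms 8.50 and 8.51 with the
# pseudosquare construction of Remark 8.54.  The primes used in the test are
# toy values; a real key uses large primes.  Messages are lists of bits.

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion."""
    s = pow(a, (p - 1) // 2, p)
    return -1 if s == p - 1 else s

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n
    (this is all an eavesdropper can do; cf. Algorithm 2.149)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def find_pseudosquare(p, q):
    """Remark 8.54: y = a (mod p), y = b (mod q) with a, b quadratic non-residues,
    combined by the Chinese remainder theorem (the role of Algorithm 2.121)."""
    a = next(v for v in range(2, p) if legendre(v, p) == -1)
    b = next(v for v in range(2, q) if legendre(v, q) == -1)
    return (a * q * pow(q, -1, p) + b * p * pow(p, -1, q)) % (p * q)

def keygen(p, q):
    """Algorithm 8.50: public (n, y), private (p, q)."""
    n = p * q
    return (n, find_pseudosquare(p, q)), (p, q)

def encrypt(public, bits, seed=None):
    """Algorithm 8.51 step 1: bit 0 -> random square, bit 1 -> y times a square."""
    n, y = public
    rng = random.Random(seed)            # seed only makes the demo reproducible
    out = []
    for m in bits:
        x = rng.randrange(1, n)
        while gcd(x, n) != 1:            # x must lie in Z_n^*
            x = rng.randrange(1, n)
        out.append(y * x * x % n if m else x * x % n)
    return out

def decrypt(private, cipher):
    """Algorithm 8.51 step 2: residue modulo p means bit 0, non-residue bit 1."""
    p, _ = private
    return [0 if legendre(c, p) == 1 else 1 for c in cipher]
```

Every ciphertext element has Jacobi symbol 1 whatever the bit, so the Jacobi symbol, the only quantity computable from n alone, carries no information about the message; only the Legendre symbol modulo the secret p separates the two cases.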


8.7.2 Blum-Goldwasser probabilistic encryption

The Blum-Goldwasser probabilistic public-key encryption scheme is the most efficient probabilistic encryption scheme known and is comparable to the RSA encryption scheme, both in terms of speed and message expansion. It is semantically secure (Definition 8.47) assuming the intractability of the integer factorization problem. It is, however, vulnerable to a chosen-ciphertext attack (see Note 8.58(iii)). The scheme uses the Blum-Blum-Shub generator (§5.5.2) to generate a pseudorandom bit sequence which is then XORed with the plaintext. The resulting bit sequence, together with an encryption of the random seed used, is transmitted to the receiver who uses his trapdoor information to recover the seed and subsequently reconstruct the pseudorandom bit sequence and the plaintext.


8.55 Algorithm Key generation for Blum-Goldwasser probabilistic encryption

SUMMARY: each entity creates a public key and a corresponding private key.

Each entity A should do the following:

1. Select two large random (and distinct) primes p, q, each congruent to 3 modulo 4.

2. Compute n = pq.

3. Use the extended Euclidean algorithm (Algorithm 2.107) to compute integers a and b such that ap + bq = 1.

4. A's public key is n; A's private key is (p, q, a, b).
8.56 Algorithm Blum-Goldwasser probabilistic public-key encryption
SUMMARY: B encrypts a message m for A, which A decrypts.

1. Encryption. B should do the following:

(a) Obtain A's authentic public key n.

(b) Let k = ⌊lg n⌋ and h = ⌊lg k⌋. Represent the message m as a string m = m_1 m_2 ... m_t of length t, where each m_i is a binary string of length h.

(c) Select as a seed x_0, a random quadratic residue modulo n. (This can be done by selecting a random integer r ∈ Z_n^* and setting x_0 ← r^2 mod n.)

(d) For i from 1 to t do the following:

i. Compute x_i = x_{i−1}^2 mod n.

ii. Let p_i be the h least significant bits of x_i.

iii. Compute c_i = p_i ⊕ m_i.

(e) Compute x_{t+1} = x_t^2 mod n.

(f) Send the ciphertext c = (c_1, c_2, ..., c_t, x_{t+1}) to A.

2. Decryption. To recover plaintext m from c, A should do the following:

(a) Compute d_1 = ((p + 1)/4)^{t+1} mod (p − 1).

(b) Compute d_2 = ((q + 1)/4)^{t+1} mod (q − 1).

(c) Compute u = x_{t+1}^{d_1} mod p.

(d) Compute v = x_{t+1}^{d_2} mod q.

(e) Compute x_0 = vap + ubq mod n.

(f) For i from 1 to t do the following:

i. Compute x_i = x_{i−1}^2 mod n.

ii. Let p_i be the h least significant bits of x_i.

iii. Compute m_i = p_i ⊕ c_i.

Proof that decryption works. Since $x_t$ is a quadratic residue modulo n, it is also a quadratic
residue modulo p; hence, $x_t^{(p-1)/2} \equiv 1 \pmod p$. Observe that

$x_{t+1}^{(p+1)/4} \equiv (x_t^2)^{(p+1)/4} = x_t^{(p+1)/2} = x_t^{(p-1)/2} x_t \equiv x_t \pmod p.$

Similarly, $x_t^{(p+1)/4} \equiv x_{t-1} \pmod p$ and so

$x_{t+1}^{((p+1)/4)^2} \equiv x_{t-1} \pmod p.$

Repeating this argument yields

$u = x_{t+1}^{d_1} \equiv x_{t+1}^{((p+1)/4)^{t+1}} \equiv x_0 \pmod p.$

Analogously,

$v = x_{t+1}^{d_2} \equiv x_0 \pmod q.$

Finally, since ap + bq = 1, $vap + ubq \equiv x_0 \pmod p$ and $vap + ubq \equiv x_0 \pmod q$.
Hence, $x_0 = vap + ubq \bmod n$, and A recovers the same random seed that B used in the
encryption, and consequently also recovers the original plaintext.

8.57 Example (Blum-Goldwasser probabilistic encryption with artificially small parameters)
Key generation. Entity A selects the primes p = 499, q = 547, each congruent to 3 modulo
4, and computes n = pq = 272953. Using the extended Euclidean algorithm, A computes
the integers a = −57, b = 52 satisfying ap + bq = 1. A's public key is n = 272953, while
A's private key is (p, q, a, b).

Encryption. The parameters k and h have the values 18 and 4, respectively. B represents
the message m as a string $m_1 m_2 m_3 m_4 m_5$ (t = 5) where $m_1$ = 1001, $m_2$ = 1100, $m_3$ =
0001, $m_4$ = 0000, $m_5$ = 1100. B then selects a random quadratic residue $x_0$ = 159201
(= $399^2 \bmod n$), and computes:

    i    x_i = x_{i-1}^2 mod n    p_i     c_i = p_i XOR m_i
    1          180539             1011          0010
    2          193932             1100          0000
    3          245613             1101          1100
    4          130286             1110          1110
    5           40632             1000          0100

and $x_6 = x_5^2 \bmod n$ = 139680. B sends the ciphertext

c = (0010, 0000, 1100, 1110, 0100, 139680)

to A.

Decryption. To decrypt c, A computes

$d_1 = ((p+1)/4)^6 \bmod (p-1) = 463$

$d_2 = ((q+1)/4)^6 \bmod (q-1) = 337$

$u = x_6^{463} \bmod p = 20$

$v = x_6^{337} \bmod q = 24$

$x_0 = vap + ubq \bmod n = 159201.$

Finally, A uses $x_0$ to construct the $x_i$ and $p_i$ just as B did for encryption, and recovers the
plaintext $m_i$ by XORing the $p_i$ with the ciphertext blocks $c_i$. □
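Algorithms 8.55 and 8.56 and Example 8.57 as runnable Python, an added example that is not part of the Handbook. Plain Python integers stand in for Z_n; the message is passed as a '0'/'1' string whose length must be a multiple of h, and the caller supplies the random r whose square seeds the generator (399 reproduces the example).

```python
# Added example (not the Handbook's code): Blum-Goldwasser probabilistic
# encryption, Algorithms 8.55 / 8.56, exercised on the parameters of Example 8.57.

def egcd(x, y):
    """Extended Euclidean algorithm: return (g, a, b) with a*x + b*y = g = gcd(x, y)."""
    a0, a1, b0, b1 = 1, 0, 0, 1
    while y:
        quot, x, y = x // y, y, x % y
        a0, a1 = a1, a0 - quot * a1
        b0, b1 = b1, b0 - quot * b1
    return x, a0, b0

def bg_keygen(p, q):
    """Algorithm 8.55: public key n = pq, private key (p, q, a, b) with ap + bq = 1."""
    if p % 4 != 3 or q % 4 != 3 or p == q:
        raise ValueError("p and q must be distinct primes congruent to 3 mod 4")
    g, a, b = egcd(p, q)
    assert g == 1
    return p * q, (p, q, a, b)

def bg_params(n):
    """k = floor(lg n) and h = floor(lg k), as in step 1(b) of Algorithm 8.56."""
    k = n.bit_length() - 1
    h = k.bit_length() - 1
    return k, h

def bg_encrypt(n, m_bits, r):
    """Algorithm 8.56, step 1.  Returns (list of h-bit integers c_1..c_t, x_{t+1})."""
    _, h = bg_params(n)
    if len(m_bits) % h != 0:
        raise ValueError("message length must be a multiple of h = %d" % h)
    x = r * r % n                      # x_0 = r^2 mod n, a quadratic residue
    mask = (1 << h) - 1
    c = []
    for i in range(0, len(m_bits), h):
        x = x * x % n                  # x_i = x_{i-1}^2 mod n  (BBS step)
        p_i = x & mask                 # h least significant bits of x_i
        c.append(p_i ^ int(m_bits[i:i + h], 2))
    return c, x * x % n                # x_{t+1} = x_t^2 mod n

def bg_recover_seed(priv, x_t1, t):
    """Steps 2(a)-(e): recover x_0 from x_{t+1} with the trapdoor (p, q, a, b)."""
    p, q, a, b = priv
    d1 = pow((p + 1) // 4, t + 1, p - 1)
    d2 = pow((q + 1) // 4, t + 1, q - 1)
    u = pow(x_t1, d1, p)               # x_0 mod p, by the proof following 8.56
    v = pow(x_t1, d2, q)               # x_0 mod q
    return (v * a * p + u * b * q) % (p * q)   # CRT combination with ap + bq = 1

def bg_decrypt(priv, c, x_t1):
    """Algorithm 8.56, step 2: rebuild the pad bits from the recovered seed."""
    p, q, _, _ = priv
    n = p * q
    _, h = bg_params(n)
    x = bg_recover_seed(priv, x_t1, len(c))
    mask = (1 << h) - 1
    out = []
    for c_i in c:
        x = x * x % n
        out.append(format((x & mask) ^ c_i, "0%db" % h))
    return "".join(out)

if __name__ == "__main__":
    n, priv = bg_keygen(499, 547)                  # Example 8.57
    msg = "1001" "1100" "0001" "0000" "1100"       # m_1 .. m_5
    c, x6 = bg_encrypt(n, msg, 399)                # x_0 = 399^2 mod n = 159201
    print([format(b, "04b") for b in c], x6)       # ['0010', '0000', '1100', '1110', '0100'] 139680
    print(bg_decrypt(priv, c, x6) == msg)          # True
```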

8.58 Note (security of Blum-Goldwasser probabilistic encryption)

(i) Observe first that n is a Blum integer (Definition 2.156). An eavesdropper sees the
quadratic residue $x_{t+1}$. Assuming that factoring n is difficult, the h least significant
bits of the principal square root $x_t$ of $x_{t+1}$ modulo n are simultaneously secure (see
Definition 3.82 and Fact 3.89). Thus the eavesdropper can do no better than to guess
the pseudorandom bits $p_i$, 1 ≤ i ≤ t. More formally, if the integer factorization
problem is hard, then the Blum-Goldwasser probabilistic encryption scheme is
semantically secure. Note, however, that for a modulus n of a fixed bitlength (e.g.,
1024 bits), this statement is no longer true, and the scheme should only be
considered computationally secure.

(ii) As of 1996, the modulus n should be at least 1024 bits in length if long-term security
is desired (cf. Note 8.7). If n is a 1025-bit integer, then k = 1024 and h = 10.

(iii) As with the Rabin encryption scheme (Algorithm 8.11), the Blum-Goldwasser scheme
is also vulnerable to a chosen-ciphertext attack that recovers the private key from
the public key. It is for this reason that the Blum-Goldwasser scheme has not received
much attention in practice.

8.59 Note (efficiency of Blum-Goldwasser probabilistic encryption)

(i) Unlike Goldwasser-Micali encryption, the ciphertext in Blum-Goldwasser encryption
is only longer than the plaintext by a constant number of bits, namely k + 1 (the
size in bits of the integer $x_{t+1}$).

(ii) The encryption process is quite efficient: it takes only 1 modular multiplication
to encrypt h bits of plaintext. By comparison, the RSA encryption process (Algorithm
8.3) requires 1 modular exponentiation ($m^e \bmod n$) to encrypt k bits of plaintext.
Assuming that the parameter e is randomly chosen and assuming that an (unoptimized)
modular exponentiation takes 3k/2 modular multiplications, this translates
to an encryption rate for RSA of 2/3 bits per modular multiplication. If one chooses
a special value for e, such as e = 3 (see Note 8.9), then RSA encryption is faster than
Blum-Goldwasser encryption.

(iii) Blum-Goldwasser decryption (step 2 of Algorithm 8.56) is also quite efficient, requiring
1 exponentiation modulo p − 1 (step 2a), 1 exponentiation modulo q − 1 (step 2b),
1 exponentiation modulo p (step 2c), 1 exponentiation modulo q (step 2d), and t
multiplications modulo n (step 2f) to decrypt ht ciphertext bits. (The time to perform
step 2e is negligible.) By comparison, RSA decryption (step 2 of Algorithm 8.3)
requires 1 exponentiation modulo n (which can be accomplished by doing 1 exponentiation
modulo p and 1 exponentiation modulo q) to decrypt k ciphertext bits. Thus,
for short messages (< k bits), Blum-Goldwasser decryption is slightly slower than
RSA decryption, while for longer messages, Blum-Goldwasser is faster.


8.7.3 Plaintext-aware encryption

While semantic security (Definition 8.47) is a strong security requirement for public-key
encryption schemes, there are other measures of security.

8.60 Definition A public-key encryption scheme is said to be non-malleable if given a
ciphertext, it is computationally infeasible to generate a different ciphertext such that the
respective plaintexts are related in a known manner.

8.61 Fact If a public-key encryption scheme is non-malleable, it is also semantically secure.

Another notion of security is that of being plaintext-aware. In Definition 8.62, valid
ciphertext means those ciphertexts which are the encryptions of legitimate plaintext messages
(e.g. messages containing pre-specified forms of redundancy).

8.62 Definition A public-key encryption scheme is said to be plaintext-aware if it is
computationally infeasible for an adversary to produce a valid ciphertext without knowledge
of the corresponding plaintext.

In the "random oracle model", the property of being plaintext-aware is a strong one:
coupled with semantic security, it can be shown to imply that the encryption scheme is
non-malleable and also secure against adaptive chosen-ciphertext attacks. Note 8.63 gives
one method of transforming any k-bit to k-bit trapdoor one-way permutation (such as RSA)
into an encryption scheme that is plaintext-aware and semantically secure.

8.63 Note (Bellare-Rogaway plaintext-aware encryption) Let f be a k-bit to k-bit trapdoor
one-way permutation (such as RSA). Let $k_0$ and $k_1$ be parameters such that $2^{k_0}$ and $2^{k_1}$ steps
each represent infeasible amounts of work (e.g., $k_0 = k_1 = 128$). The length of the
plaintext m is fixed to be $n = k - k_0 - k_1$ (e.g., for k = 1024, n = 768). Let $G : \{0,1\}^{k_0} \rightarrow
\{0,1\}^{n+k_1}$ and $H : \{0,1\}^{n+k_1} \rightarrow \{0,1\}^{k_0}$ be random functions. Then the encryption
function, as depicted in Figure 8.1, is

$E(m) = f(\{m0^{k_1} \oplus G(r)\} \,\|\, \{r \oplus H(m0^{k_1} \oplus G(r))\}),$

where $m0^{k_1}$ denotes m concatenated with a string of 0's of bitlength $k_1$, r is a random
binary string of bitlength $k_0$, and $\|$ denotes concatenation.


[Figure 8.1: Bellare-Rogaway plaintext-aware encryption scheme. The diagram shows
$m0^{k_1}$ (n + $k_1$ bits) XORed with G(r), and r ($k_0$ bits) XORed with $H(m0^{k_1} \oplus G(r))$;
the two results are concatenated into an n + $k_0$ + $k_1$ bit string and passed through f
to give E(m). Legend: m plaintext; r random bit string; E(m) ciphertext.]

Under the assumption that G and H are random functions, the encryption scheme E of
Note 8.63 can be proven to be plaintext-aware and semantically secure. In practice, G and
H can be derived from a cryptographic hash function such as the Secure Hash Algorithm
(§9.4.2(iii)). In this case, the encryption scheme can no longer be proven to be plaintext-
aware because the random function assumption is not true; however, such a scheme appears
to provide greater security assurances than those designed using ad hoc techniques.
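The transform of Note 8.63 as runnable Python, an added example that is not the Handbook's code. Textbook RSA is used as f, and G and H are derived from SHA-256 in counter mode as the paragraph above suggests for practice; the sizes k = 512 and k_0 = k_1 = 128 and the Miller-Rabin key generation are assumptions made so the demo runs quickly, not the parameters the note recommends.

```python
# Added example (not the Handbook's code): Bellare-Rogaway padding around RSA.
# The point to watch is unpad(): a ciphertext whose k_1 redundancy bits do not
# come out as zeros is rejected, so an adversary cannot produce a valid
# ciphertext without knowing the plaintext (Definition 8.62).
import hashlib
import secrets

K, K0, K1 = 512, 128, 128          # k, k_0, k_1 (assumed demo sizes; k is small)
N_BITS = K - K0 - K1               # plaintext length n = k - k_0 - k_1 = 256

def mgf(label, data, out_bits):
    """SHA-256 in counter mode as a stand-in for a random function (see the caveat
    in the text: this is no longer a provable instantiation of G and H)."""
    out, ctr = b"", 0
    while len(out) * 8 < out_bits:
        out += hashlib.sha256(label + ctr.to_bytes(4, "big") + data).digest()
        ctr += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - out_bits)

def G(r):                          # {0,1}^k0 -> {0,1}^(n+k1)
    return mgf(b"G", r.to_bytes(K0 // 8, "big"), N_BITS + K1)

def H(s):                          # {0,1}^(n+k1) -> {0,1}^k0
    return mgf(b"H", s.to_bytes((N_BITS + K1) // 8, "big"), K0)

def pad(m, r):
    """Build the k-bit value {m0^k1 XOR G(r)} || {r XOR H(m0^k1 XOR G(r))}."""
    if not (0 <= m < (1 << N_BITS) and 0 <= r < (1 << K0)):
        raise ValueError("m must be an n-bit value and r a k_0-bit value")
    s = (m << K1) ^ G(r)           # m0^k1 XOR G(r): n + k_1 bits
    t = r ^ H(s)                   # r XOR H(...): k_0 bits
    return (s << K0) | t

def unpad(x):
    """Invert pad(); return m, or None unless the k_1 redundancy bits are all zero."""
    t = x & ((1 << K0) - 1)
    s = x >> K0
    r = t ^ H(s)
    m0 = s ^ G(r)
    if m0 & ((1 << K1) - 1):       # a forged or altered ciphertext fails here
        return None
    return m0 >> K1

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases (demo-quality key generation)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def rsa_keygen(e=65537):
    """Primes of k/2 + 1 bits, so n > 2^k and every k-bit padded value lies below n."""
    while True:
        p, q = random_prime(K // 2 + 1), random_prime(K // 2 + 1)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def encrypt(pub, m):
    n, e = pub
    return pow(pad(m, secrets.randbits(K0)), e, n)     # E(m) = f(padded value)

def decrypt(priv, c):
    n, d = priv
    x = pow(c, d, n)
    if x >> K:                     # not a k-bit string: reject before unpadding
        return None
    return unpad(x)

if __name__ == "__main__":
    pub, priv = rsa_keygen()
    m = secrets.randbits(N_BITS)
    c = encrypt(pub, m)
    print(decrypt(priv, c) == m)               # True
    print(decrypt(priv, c ^ 1))                # None: altered ciphertext rejected
```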


8.8 Notes and further references

§8.1

For an introduction to public-key cryptography and public-key encryption in particular, see
§1.8. A particularly readable introduction is the survey by Diffie [343]. Historical notes on
public-key cryptography are given in the notes to §1.8 on page 47. A comparison of the
features of public-key and symmetric-key encryption is given in §1.8.4; see also §13.2.5.

Other recent proposals for public-key encryption schemes include those based on finite
automata (Renji [1032]); hidden field equations (Patarin [965]); and isomorphism of
polynomials (Patarin [965]).

§8.2

The RSA cryptosystem was invented in 1977 by Rivest, Shamir, and Adleman [1060]. Kaliski
and Robshaw [655] provide an overview of the major attacks on RSA encryption and
signatures, and the practical methods of counteracting these threats.

The computational equivalence of computing the decryption exponent d and factoring n
(§8.2.2(i)) was shown by Rivest, Shamir and Adleman [1060], based on earlier work by
Miller [876].

The attack on RSA with small encryption exponent (§8.2.2(ii)) is discussed by Hastad [544],
who showed more generally that sending the encryptions of more than e(e + 1)/2 linearly
related messages (messages of the form $(a_i m + b_i)$, where the $a_i$ and $b_i$ are known)
enables an eavesdropper to recover the messages provided that the moduli $n_i$ satisfy
$n_i > 2^{(e+1)(e+2)/4}(e+1)^{(e+1)}$. Hastad also showed that sending three linearly related messages
using the Rabin public-key encryption scheme (Algorithm 8.11) is insecure.

The attack on RSA with small decryption exponent d (§8.2.2(iv)) is due to Wiener [1240].
Wiener showed that his attack can be avoided if the encryption exponent e is chosen to be
at least 50% longer than the modulus n. In this case, d should be at least 160 bits in length
to avoid the square-root discrete logarithm algorithms such as Pollard's rho algorithm
(Algorithm 3.60) and the parallelized variant of van Oorschot and Wiener [1207].

The adaptive chosen-ciphertext attack on RSA encryption (§8.2.2(v)) is due to Davida
[302]. See also the related discussion in Denning [327]. Desmedt and Odlyzko [341]
described an indifferent chosen-ciphertext attack in which the adversary has to obtain the
plaintext corresponding to about $L_n[\frac{1}{2}, \frac{1}{2}]$ carefully chosen ciphertexts, subsequent to which
it can decrypt all further ciphertext in $L_n[\frac{1}{2}, \frac{1}{2}]$ time without having to use the authorized
user's decryption machine.

The common modulus attacks on RSA (§8.2.2(vi)) are due to DeLaurentis [320] and
Simmons [1137].

The cycling attack (§8.2.2(vii)) was proposed by Simmons and Norris [1151]. Shortly after,
Rivest [1052] showed that the cycling attack is extremely unlikely to succeed if the primes
p and q are chosen so that: (i) p − 1 and q − 1 have large prime factors p′ and q′,
respectively; and (ii) p′ − 1 and q′ − 1 have large prime factors p″ and q″, respectively. Maurer
[818] showed that condition (ii) is unnecessary. Williams and Schmid [1249] proposed the
generalized cycling attack and showed that this attack is really a factoring algorithm. Rivest
[1051] provided heuristic evidence that if the primes p and q are selected at random, each
having the same bitlength, then the expected time before the generalized cycling attack
succeeds is at least $p^{1/3}$.

The note on message concealing (§8.2.2(viii)) is due to Blakley and Borosh [150], who also
extended this work to all composite integers n and determined the number of deranging
exponents for a fixed n, i.e., exponents e for which the number of unconcealed messages is
the minimum possible. For further work see Smith and Palmer [1158].

Suppose that two or more plaintext messages which have a (known) polynomial
relationship (e.g. $m_1$ and $m_2$ might be linearly related: $m_1 = a m_2 + b$) are encrypted with the
same small encryption exponent (e.g. e = 3 or $e = 2^{16} + 1$). Coppersmith et al. [277]
presented a new class of attacks on RSA which enable a passive adversary to recover such
plaintext from the corresponding ciphertext. This attack is of practical significance because
various cryptographic protocols have been proposed which require the encryption of
polynomially related messages. Examples include the key distribution protocol of Tatebayashi,
Matsuzaki, and Newman [1188], and the verifiable signature scheme of Franklin and Reiter
[421]. Note that these attacks are different from those of §8.2.2(ii) and §8.2.2(vi) where the
same plaintext is encrypted under different public keys.

Coppersmith [274] presented an efficient algorithm for finding a root of a polynomial of
degree k over $\mathbb{Z}_n$, where n is an RSA-like modulus, provided that there is a root smaller
than $n^{1/k}$. The algorithm yielded the following two attacks on RSA with small encryption
exponents. If e = 3 and if an adversary knows a ciphertext c and more than 2/3 of the
plaintext m corresponding to c, then the adversary can efficiently recover the rest of m. Suppose
now that messages are padded with random bitstrings and encrypted with exponent e = 3.
If an adversary knows two ciphertexts $c_1$ and $c_2$ which correspond to two encryptions of
the same message m (with different padding), then the adversary can efficiently recover
m, provided that the padding is less than 1/9 of the length of n. The latter attack suggests
that caution must be exercised when using random padding in conjunction with a small
encryption exponent.

Let n = pq be a k-bit RSA modulus, where p and q are k/2-bit primes. Coppersmith [273]
showed how n can be factored in polynomial time if the high order k/4 bits of p are known.
This improves an algorithm of Rivest and Shamir [1058], which requires knowledge of the
high order k/3 bits of p. For related theoretical work, see Maurer [814]. One implication of
Coppersmith's result is that the method of Vanstone and Zuccherato [1214] for generating
RSA moduli having a predetermined set of bits is insecure.

A trapdoor in the RSA cryptosystem was proposed by Anderson [26] whereby a hardware
device generates the RSA modulus n = pq in such a way that the hardware manufacturer
can easily factor n, but factoring n remains difficult for all other parties. However, Kaliski
[652] subsequently showed how to efficiently detect such trapdoors and, in some cases, to
actually factor the modulus.

The arguments and recommendations about the use of strong primes in RSA key generation
(Note 8.8) are taken from the detailed article by Rivest [1051].

Shamir [1117] proposed a variant of the RSA encryption scheme called unbalanced RSA,
which makes it possible to enhance security by increasing the modulus size (e.g. from 500
bits to 5000 bits) without any deterioration in performance. In this variant, the public
modulus n is the product of two primes p and q, where one prime (say q) is significantly larger
in size than the other; plaintext messages m are in the interval [0, p − 1]. For concreteness,
consider the situation where p is a 500-bit prime, and q is a 4500-bit prime. Factoring
such a 5000-bit modulus n is well beyond the reach of the special-purpose elliptic
curve factoring algorithm of §3.2.4 (whose running time depends on the size of the smallest
prime factor of n) and general-purpose factoring algorithms such as the number field sieve
of §3.2.7. Shamir recommends that the encryption exponent e be in the interval [20, 100],
which makes the encryption time with a 5000-bit modulus comparable to the decryption
time with a 500-bit modulus. Decryption of the ciphertext c (= $m^e \bmod n$) is accomplished
by computing $m_1 = c^{d_1} \bmod p$, where $d_1 = d \bmod (p-1)$. Since 0 ≤ m < p,
$m_1$ is in fact equal to m. Decryption in unbalanced RSA thus only involves one
exponentiation modulo a 500-bit prime, and takes the same time as decryption in ordinary RSA with a
500-bit modulus. This optimization does not apply to the RSA signature scheme (§11.3.1),
since the verifier does not know the factor p of the public modulus n.

A permutation polynomial of $\mathbb{Z}_n$ is a polynomial $f(x) \in \mathbb{Z}_n[x]$ which induces a permutation
of $\mathbb{Z}_n$ upon substitution of the elements of $\mathbb{Z}_n$; that is, $\{f(a) \mid a \in \mathbb{Z}_n\} = \mathbb{Z}_n$. In RSA
encryption the permutation polynomial $x^e$ of $\mathbb{Z}_n$ is used, where $\gcd(e, \phi) = 1$. Muller and
Nobauer [910] suggested replacing the polynomial $x^e$ by the so-called Dickson polynomials
to create a modified RSA encryption scheme called the Dickson scheme. The Dickson
scheme was further studied by Muller and Nobauer [909]. Other suitable classes of
permutation polynomials were investigated by Lidl and Muller [763]. Smith and Lennon [1161]
proposed an analogue of the RSA cryptosystem called LUC which is based on Lucas
sequences. Due to the relationships between Dickson polynomials and the Lucas sequences,
the LUC cryptosystem is closely related to the Dickson scheme. Bleichenbacher, Bosma,
and Lenstra [154] presented a chosen-message attack on the LUC signature scheme,
undermining the primary advantage claimed for LUC over RSA. Pinch [976, 977] extended the
attacks on RSA with small encryption exponent (§8.2.2(ii)) and small decryption exponent
(§8.2.2(iv)) to the LUC system.

An analogue of the RSA cryptosystem which uses special kinds of elliptic curves over $\mathbb{Z}_n$,
where n is a composite integer, was proposed by Koyama et al. [708]. Demytko [321]
presented an analogue where there is very little restriction on the types of elliptic curves that
can be used. A new cryptosystem based on elliptic curves over $\mathbb{Z}_n$ in which the message is
held in the exponent instead of the group element was proposed by Vanstone and Zuccherato
[1213]. The security of all these schemes is based on the difficulty of factoring n.
Kurosawa, Okada, and Tsujii [721] showed that the encryption schemes of Koyama et al. and
Demytko are vulnerable to low exponent attacks (cf. §8.2.2(ii)); Pinch [977] demonstrated
that the attack on RSA with small decryption exponent d (§8.2.2(iv)) also extends to these
schemes. Kaliski [649] presented a chosen-ciphertext attack on the Demytko encryption
scheme (and also a chosen-message attack on the corresponding signature scheme), and
concluded that the present benefits of elliptic curve cryptosystems based on a composite
modulus do not seem significant.

The Rabin public-key encryption scheme (Algorithm 8.11) was proposed in 1979 by Rabin
[1023]. In Rabin's paper, the encryption function was defined to be $E(m) = m(m + b) \bmod n$,
where b and n comprise the public key. The security of this scheme is equivalent
to the security of the scheme described in Algorithm 8.11 with encryption function
$E(m) = m^2 \bmod n$. A related digital signature scheme is described in §11.3.4. Schwenk
and Eisfeld [1104] consider public-key encryption and signature schemes whose security
relies on the intractability of factoring polynomials over $\mathbb{Z}_n$.

Williams [1246] presented a public-key encryption scheme similar in spirit to Rabin's but
using composite integers n = pq with primes p ≡ 3 (mod 8) and q ≡ 7 (mod 8).
Williams' scheme also has the property that breaking it (that is, recovering plaintext from
some given ciphertext) is equivalent to factoring n, but has the advantage over Rabin's
scheme that there is an easy procedure for identifying the intended message from the four roots
of a quadratic polynomial. The restrictions on the forms of the primes p and q were removed
later by Williams [1248]. A simpler and more efficient scheme also having the properties
of provable security and unique decryption was presented by Kurosawa, Ito, and Takeuchi
[720]. As with Rabin, all these schemes are vulnerable to a chosen-ciphertext attack (but
see Note 8.14).

It is not the case that all public-key encryption schemes for which the decryption problem
is provably as difficult as recovering the private key from the public key must succumb to
a chosen-ciphertext attack. Goldwasser, Micali, and Rivest [484] were the first to observe
this, and presented a digital signature scheme provably secure against an adaptive chosen-
ciphertext attack (see §11.6.4). Naor and Yung [921] proposed the first concrete public-key
encryption scheme that is semantically secure against indifferent chosen-ciphertext attack.
The Naor-Yung scheme uses two independent keys of a probabilistic public-key encryption
scheme that is secure against a passive adversary (for example, the Goldwasser-Micali scheme
of Algorithm 8.51) to encrypt the plaintext, and then both encryptions are sent along with
a non-interactive zero-knowledge proof that the same message was encrypted with both
keys. Following this work, Rackoff and Simon [1029] gave the first concrete construction
for a public-key encryption scheme that is semantically secure against an adaptive chosen-
ciphertext attack. Unfortunately, these schemes are all impractical because of the degree of
message expansion.

Damgard [297] proposed simple and efficient methods for making public-key encryption
schemes secure against indifferent chosen-ciphertext attacks. Zheng and Seberry [1269]
noted that Damgard's schemes are insecure against an adaptive chosen-ciphertext attack,
and proposed three practical schemes intended to resist such an attack. The Damgard and
Zheng-Seberry schemes were not proven to achieve their claimed levels of security. Bellare
and Rogaway [93] later proved that one of the Zheng-Seberry schemes is provably secure
against adaptive chosen-ciphertext attacks for their random oracle model. Lim and
Lee [766] proposed another method for making public-key schemes secure against adaptive
chosen-ciphertext attacks; this scheme was broken by Frankel and Yung [419].

The ElGamal cryptosystem was invented by ElGamal [368]. Haber and Lenstra (see Rueppel
et al. [1083]) raised the possibility of a trapdoor in discrete logarithm cryptosystems
whereby a modulus p is generated (e.g., by a hardware manufacturer) that is intentionally
"weak"; cf. Note 4.58. Here, a "weak" prime p is one for which the discrete logarithm
problem in $\mathbb{Z}_p^*$ is relatively easy. For example, p − 1 may contain only small prime factors, in
which case the Pohlig-Hellman algorithm (§3.6.4) would be especially effective. Another
example is a prime p for which the number field sieve for discrete logarithms (page 128) is
especially well-suited. However, Gordon [509] subsequently showed how such trapdoors
can be easily detected. Gordon also showed that the probability of a randomly chosen prime
possessing such a trapdoor is negligibly small.

Rivest and Sherman [1061] gave an overview and unified framework for randomized
encryption, including comments on chosen-plaintext and chosen-ciphertext attacks.

Elliptic curves were first proposed for use in public-key cryptography by Koblitz [695] and
Miller [878]. Recent work on the security and implementation of elliptic curve systems
is reported by Menezes [840]. Menezes, Okamoto, and Vanstone [843] showed that if the
elliptic curve belongs to a special family called supersingular curves, then the discrete
logarithm problem in the elliptic curve group can be reduced in expected polynomial time to
the discrete logarithm problem in a small extension of the underlying finite field. Hence, if
a supersingular elliptic curve is desired in practice, then it should be carefully chosen.

A modification of ElGamal encryption employing the group of units $\mathbb{Z}_n^*$, where n is a
composite integer, was proposed by McCurley [825]; the scheme has the property that breaking
it is provably at least as difficult as factoring the modulus n (cf. Fact 3.80). If a cryptanalyst
somehow learns the factors of n, then in order to recover plaintext from ciphertext it is still
left with the task of solving the Diffie-Hellman problem (§3.7) modulo the factors of n.

Hyperelliptic curve cryptosystems were proposed by Koblitz [696] but little research has
since been done regarding their security and practicality.

The possibility of using the class group of an imaginary quadratic number field in public-
key cryptography was suggested by Buchmann and Williams [218]; however, the
attractiveness of this choice was greatly diminished after the invention of a subexponential-time
algorithm for computing discrete logarithms in these groups by McCurley [826].

Smith and Skinner [1162] proposed analogues of the Diffie-Hellman key exchange (called
LUCDIF) and ElGamal encryption and digital signature schemes (called LUCELG) which
use Lucas sequences modulo a prime p instead of modular exponentiation. Shortly
thereafter, Laih, Tu, and Tai [733] and Bleichenbacher, Bosma, and Lenstra [154] showed that
the analogue of the discrete logarithm problem for Lucas functions polytime reduces to the
discrete logarithm problem in the multiplicative group of the finite field $\mathbb{F}_{p^2}$. Since there
are subexponential-time algorithms known for the discrete logarithm problem in these fields
(cf. §3.6), LUCDIF and LUCELG appear not to offer any advantages over the original
schemes.

©1997 by CRC Press, Inc. — See accompanying notice at front of chapter.

The McEliece encryption scheme (Algorithm 8.30) was introduced in 1978 by McEliece
[828]. For information on Goppa codes and their decoding algorithms, see MacWilliams
and Sloane [778]. The problem of decoding an arbitrary linear code was shown to be NP-
hard by Berlekamp, McEliece, and van Tilborg [120]. The security of the McEliece scheme
has been studied by Adams and Meijer [6], Lee and Brickell [742], van Tilburg [1212],
Gibson [451], and by Chabaud [235]. Gibson showed that there are, in fact, many trapdoors to
a given McEliece encryption transformation, any of which may be used for decryption; this
is contrary to the results of Adams and Meijer. However, Gibson notes that there are
probably sufficiently few trapdoors that finding one by brute force is computationally infeasible.
The cryptanalytic attack reported by Korzhik and Turkin [707] has not been published in
its entirety, and is not believed to be an effective attack.

The strength of the McEliece encryption scheme can be severely weakened if the Goppa
code is replaced with another type of error-correcting code. For example, Gabidulin,
Paramonov, and Tretjakov [435] proposed a modification which uses maximum-rank-distance
(MRD) codes in place of Goppa codes. This scheme, and a modification of it by Gabidulin
[434], were subsequently shown to be insecure by Gibson [452, 453].

The  basic  and  multiple-iterated  Merkle-Hellman  knapsack  encryption  schemes  (§8.6.1)  we- 
re introduced  by  Merkle  and  Heilman  [857] . An  elementary  overview  of  knapsack  systems 
is  given  by  Odlyzko  [941]. 

The first polynomial-time attack on the basic Merkle-Hellman scheme (cf. Note 8.40(i)) was
devised by Shamir [1114] in 1982. The attack makes use of H. Lenstra's algorithm for integer
programming which runs in polynomial time when the number of variables is fixed, but is
inefficient in practice. Lagarias [723] improved the practicality of the attack by reducing
the main portion of the procedure to a problem of finding an unusually good simultaneous
diophantine approximation; the latter can be solved by the more efficient L3-lattice basis
reduction algorithm (§3.10.1). The first attack on the multiple-iterated Merkle-Hellman
scheme was by Brickell [200]. For surveys of the cryptanalysis of knapsack schemes, see
Brickell [201] and Brickell and Odlyzko [209]. Orton [960] proposed a modification to the
multiple-iterated Merkle-Hellman scheme that permits a knapsack density approaching 1, thus
avoiding currently known attacks. The high density also allows for a fast digital signature
scheme.

Shamir [1109] proposed a fast signature scheme based on the knapsack problem, later broken
by Odlyzko [939] using the L3-lattice basis reduction algorithm.

The Merkle-Hellman knapsack scheme illustrates the limitations of using an NP-complete
problem to design a secure public-key encryption scheme. Firstly, Brassard [190] showed
that under reasonable assumptions, the problem faced by the cryptanalyst cannot be NP-hard
unless NP=co-NP, which would be a very surprising result in computational complexity theory.
Secondly, complexity theory is concerned primarily with asymptotic complexity of a problem.
By contrast, in practice one works with a problem instance of a fixed size. Thirdly,
NP-completeness is a measure of the worst-case complexity of a problem. By contrast,
cryptographic security should depend on the average-case complexity of the problem (or even
better, the problem should be intractable for essentially all instances), since the
cryptanalyst's task should be hard for virtually all instances and not merely in the worst
case. There are many NP-complete problems that are known to have polynomial-time
average-case algorithms, for example, the graph coloring problem; see Wilf [1243]. Another
interesting example is provided by Even and Yacobi [379] who describe a symmetric-key
encryption scheme based on the subset sum problem for which breaking the scheme (under a
chosen-plaintext attack) is an NP-hard problem, yet an algorithm exists which solves most
instances in polynomial time.

The Chor-Rivest knapsack scheme (Algorithm 8.42) was proposed by Chor and Rivest [261].
Recently, Schnorr and Horner [1100] introduced new algorithms for lattice basis reduction
that are improvements on the L3-lattice basis reduction algorithm (Algorithm 3.101), and
used these to break the Chor-Rivest scheme with parameters {p = 103, h = 12}. Since the
density of such knapsack sets is 1.271, the attack demonstrated that subset sum problems
with density greater than 1 can be solved via lattice basis reduction. Schnorr and Horner
also reported some success solving Chor-Rivest subset sum problems with parameters
{p = 151, h = 16}. It remains to be seen whether the techniques of Schnorr and Horner can be
successfully applied to the recommended parameter case {p = 197, h = 24}.

Depending on the choice of parameters, the computation of discrete logarithms in the
Chor-Rivest key generation stage (step 4 of Algorithm 8.41) may be a formidable task. A
modified version of the scheme which does not require the computation of discrete
logarithms in a field was proposed by H. Lenstra [758]. This modified scheme is called the
powerline system and is not a knapsack system. It was proven to be at least as secure as the
original Chor-Rivest scheme, and is comparable in terms of encryption and decryption speeds.

Qu and Vanstone [1013] showed how the Merkle-Hellman knapsack schemes can be viewed as
special cases of certain knapsack-like encryption schemes arising from subset factorizations
of finite groups. They also proposed an efficient public-key encryption scheme based on
subset factorizations of the additive group Z_n of integers modulo n. Blackburn, Murphy, and
Stern [143] showed that a simplified variant which uses subset factorizations of the
n-dimensional vector space Z_2^n over Z_2 is insecure.

The notion of probabilistic public-key encryption was conceived by Goldwasser and Micali
[479], who also introduced the notions of polynomial and semantic security. The equivalence
of these two notions (Fact 8.49) was proven by Goldwasser and Micali [479] and Micali,
Rackoff, and Sloan [865]. Polynomial security was also studied by Yao [1258], who referred
to it as polynomial-time indistinguishability.

The Goldwasser-Micali scheme (Algorithm 8.51) can be described in a general setting by using
the notion of a trapdoor predicate. Briefly, a trapdoor predicate is a Boolean function
B : {0,1}* → {0,1} such that given a bit v it is easy to choose an x at random satisfying
B(x) = v. Moreover, given a bitstring x, computing B(x) correctly with probability
significantly greater than 1/2 is difficult; however, if certain trapdoor information is
known, then it is easy to compute B(x). If entity A's public key is a trapdoor predicate B,
then any other entity encrypts a message bit m_i by randomly selecting an x_i such that
B(x_i) = m_i, and then sends x_i to A. Since A knows the trapdoor information, she can
compute B(x_i) to recover m_i, but an adversary can do no better than guess the value of
m_i. Goldwasser and Micali [479] proved that if trapdoor predicates exist, then this
probabilistic encryption scheme is polynomially secure. Goldreich and Levin [471] simplified
the work of Yao [1258], and showed how any trapdoor length-preserving permutation f can be
used to obtain a trapdoor predicate, which in turn can be used to construct a probabilistic
public-key encryption scheme.

The Blum-Goldwasser scheme (Algorithm 8.56) was proposed by Blum and Goldwasser [164]. The
version given here follows the presentation of Brassard [192]. Two probabilistic public-key
encryption schemes, one whose breaking is equivalent to solving the RSA problem (§3.3), and
the other whose breaking is equivalent to factoring integers, were proposed by Alexi et al.
[23]. The scheme based on RSA is as follows. Let h = ⌊lg lg n⌋, where (n, e) is entity A's
RSA public key. To encrypt an h-bit message m for A, choose a random y ∈ Z_n^* such that the
h least significant bits of y equal m, and compute the ciphertext c = y^e mod n. A can
recover m by computing y = c^d mod n, and extracting the h least significant bits of y.
While both the schemes proposed by Alexi et al. are more efficient than the
Goldwasser-Micali scheme, they suffer from large message expansion and are consequently not
as efficient as the Blum-Goldwasser scheme.
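The RSA-based scheme of Alexi et al. described above, as an added toy instance that is not code from the Handbook; the primes, the exponent e = 65537 and the helper names are constructed here (the modulus is far too small for any real use), and it also reports the message expansion the text mentions.

```python
"""Toy instance of the Alexi et al. RSA-based probabilistic encryption scheme.

Parameters and helper names are constructed for illustration; the modulus is
deliberately tiny so that every step can be checked by hand.
"""
import math
import random
from math import gcd

# Constructed toy parameters (NOT secure): two small primes and e = 65537.
P, Q = 104729, 104723
E = 65537


def keygen(p=P, q=Q, e=E):
    """Return the RSA public key (n, e) and private exponent d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), d


def h_bits(n):
    """h = floor(lg lg n): the number of message bits hidden per ciphertext."""
    return int(math.floor(math.log2(math.log2(n))))


def encrypt(pub, m, rng=random):
    """Encrypt the h-bit message m: pick random y in Z_n^* whose h least
    significant bits equal m, then output c = y^e mod n."""
    n, e = pub
    h = h_bits(n)
    if not 0 <= m < (1 << h):
        raise ValueError("message must fit in h bits")
    while True:
        # random high part, low h bits forced to m
        y = (rng.randrange(1, n >> h) << h) | m
        if y < n and gcd(y, n) == 1:     # y must lie in Z_n^*
            return pow(y, e, n)


def decrypt(pub, d, c):
    """Recover y = c^d mod n and read off its h least significant bits."""
    n, _ = pub
    h = h_bits(n)
    y = pow(c, d, n)
    return y & ((1 << h) - 1)


def expansion_ratio(pub):
    """Ciphertext bits per message bit: the 'large message expansion' of the text."""
    n, _ = pub
    return n.bit_length() / h_bits(n)


if __name__ == "__main__":
    pub, d = keygen()
    m = 0b10110
    c = encrypt(pub, m)
    print(f"h = {h_bits(pub[0])} bits, ciphertext {c}, recovered {decrypt(pub, d, c):#07b}")
    print(f"expansion ratio: {expansion_ratio(pub):.1f} ciphertext bits per message bit")
```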

The idea of non-malleable cryptography (Definition 8.60) was introduced by Dolev, Dwork, and
Naor [357], who also observed Fact 8.61. The paper gives the example of two contract bidders
who encrypt their bids. It should not be possible for one bidder A to see the encrypted bid
of the other bidder B and somehow be able to offer a bid that was slightly lower, even if A
may not know what the resulting bid actually is at that time. Bellare and Rogaway [95]
introduced the notion of plaintext-aware encryption (Definition 8.62). They presented the
scheme described in Note 8.63, building upon earlier work of Johnson et al. [639]. Rigorous
definitions and security proofs were provided, as well as a concrete instantiation of the
plaintext-aware encryption scheme using RSA as the trapdoor permutation, and constructing
the random functions G and H from the SHA-1 hash function (§9.4.2(iii)). Johnson and Matyas
[640] presented some enhancements to the plaintext-aware encryption scheme. Bellare and
Rogaway [93] presented various techniques for deriving appropriate random functions from
standard cryptographic hash functions.
9.1 Introduction

Cryptographic hash functions play a fundamental role in modern cryptography. While related
to conventional hash functions commonly used in non-cryptographic computer applications - in
both cases, larger domains are mapped to smaller ranges - they differ in several important
aspects. Our focus is restricted to cryptographic hash functions (hereafter, simply hash
functions), and in particular to their use for data integrity and message authentication.

Hash functions take a message as input and produce an output referred to as a hash-code,
hash-result, hash-value, or simply hash. More precisely, a hash function h maps bitstrings
of arbitrary finite length to strings of fixed length, say n bits. For a domain D and range
R with h : D → R and |D| > |R|, the function is many-to-one, implying that the existence of
collisions (pairs of inputs with identical output) is unavoidable. Indeed, restricting h to
a domain of t-bit inputs (t > n), if h were "random" in the sense that all outputs were
essentially equiprobable, then about 2^(t−n) inputs would map to each output, and two
randomly chosen inputs would yield the same output with probability 2^(−n) (independent of
t). The basic idea of cryptographic hash functions is that a hash-value serves as a compact
representative image (sometimes called an imprint, digital fingerprint, or message digest)
of an input string, and can be used as if it were uniquely identifiable with that string.

Hash functions are used for data integrity in conjunction with digital signature schemes,
where for several reasons a message is typically hashed first, and then the hash-value, as a
representative of the message, is signed in place of the original message (see Chapter 11).
A distinct class of hash functions, called message authentication codes (MACs), allows
message authentication by symmetric techniques. MAC algorithms may be viewed as hash
functions which take two functionally distinct inputs, a message and a secret key, and
produce a fixed-size (say n-bit) output, with the design intent that it be infeasible in
practice to produce the same output without knowledge of the key. MACs can be used to
provide data integrity and symmetric data origin authentication, as well as identification
in symmetric-key schemes (see Chapter 10).

A typical usage of (unkeyed) hash functions for data integrity is as follows. The hash-value
corresponding to a particular message x is computed at time T_1. The integrity of this
hash-value (but not the message itself) is protected in some manner. At a subsequent time
T_2, the following test is carried out to determine whether the message has been altered,
i.e., whether a message x' is the same as the original message. The hash-value of x' is
computed and compared to the protected hash-value; if they are equal, one accepts that the
inputs are also equal, and thus that the message has not been altered. The problem of
preserving the integrity of a potentially large message is thus reduced to that of a small
fixed-size hash-value. Since the existence of collisions is guaranteed in many-to-one
mappings, the unique association between inputs and hash-values can, at best, be in the
computational sense. A hash-value should be uniquely identifiable with a single input in
practice, and collisions should be computationally difficult to find (essentially never
occurring in practice).
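An added worked check (not from the Handbook) of two points in this introduction: the counting argument that a "random" hash from t-bit inputs to n-bit outputs gives about 2^(t−n) preimages per output and a pairwise collision probability of about 2^(−n), and the T_1/T_2 integrity test. It models the random function with SHA-256 truncated to n bits; the toy sizes t = 12, n = 8 and all helper names are constructed here.

```python
"""Many-to-one statistics of a random-looking hash, plus the T1/T2 integrity test.

Toy parameters (t = 12 input bits, n = 8 output bits) and helper names are
constructed for illustration; SHA-256 truncated to n bits stands in for a
"random" hash so that the whole domain can be enumerated.
"""
import hashlib
import hmac
from collections import Counter

T_BITS, N_BITS = 12, 8   # constructed toy sizes: t-bit inputs, n-bit outputs


def h_trunc(x_bytes, n_bits=N_BITS):
    """Toy hash: SHA-256 reduced to its n least significant bits."""
    digest = int.from_bytes(hashlib.sha256(x_bytes).digest(), "big")
    return digest & ((1 << n_bits) - 1)


def preimage_counts(t_bits=T_BITS, n_bits=N_BITS):
    """Hash every t-bit input and count how many map to each n-bit output."""
    counts = Counter()
    for x in range(1 << t_bits):
        counts[h_trunc(x.to_bytes(2, "big"), n_bits)] += 1
    return counts


def mean_preimages(counts, n_bits=N_BITS):
    """Average number of inputs per output; the text predicts about 2^(t-n)."""
    return sum(counts.values()) / (1 << n_bits)


def collision_probability(counts):
    """Probability that two distinct random inputs share an output (about 2^-n):
    sum over outputs of c(c-1) ordered colliding pairs, over all ordered pairs."""
    total = sum(counts.values())
    same = sum(c * (c - 1) for c in counts.values())
    return same / (total * (total - 1))


def fingerprint(message):
    """Time T1: the compact representative image (full SHA-256) to be protected."""
    return hashlib.sha256(message).hexdigest()


def unchanged(protected_hash, message_later):
    """Time T2: accept x' as the original iff its hash equals the protected one.
    Constant-time comparison avoids leaking how many leading bytes matched."""
    return hmac.compare_digest(protected_hash, fingerprint(message_later))


if __name__ == "__main__":
    counts = preimage_counts()
    print(f"mean preimages per output: {mean_preimages(counts):.1f} (2^(t-n) = {2 ** (T_BITS - N_BITS)})")
    print(f"pairwise collision probability: {collision_probability(counts):.5f} (2^-n = {2 ** -N_BITS:.5f})")
    fp = fingerprint(b"constructed sample message")
    print("unchanged:", unchanged(fp, b"constructed sample message"),
          "altered:", unchanged(fp, b"constructed sample message!"))
```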


Chapter  outline 

The  remainder  of  this  chapter  is  organized  as  follows.  §9.2  provides  a framework  including 
standard  definitions,  a discussion  of  the  desirable  properties  of  hash  functions  and  MACs, 
and  consideration  of  one-way  functions.  §9.3  presents  a general  model  for  iterated  hash 
functions,  some  general  construction  techniques,  and  a discussion  of  security  objectives 
and  basic  attacks  (i.e.,  strategies  an  adversary  may  pursue  to  defeat  the  objectives  of  a hash 
function).  §9.4  considers  hash  functions  based  on  block  ciphers,  and  a family  of  functions 
based  on  the  MD4  algorithm.  §9.5  considers  MACs,  including  those  based  on  block  ciphers 
and  customized  MACs.  §9.6  examines  various  methods  of  using  hash  functions  to  provide 
data  integrity.  §9.7  presents  advanced  attack  methods.  §9.8  provides  chapter  notes  with 
references. 
9.2.1 General classification

At  the  highest  level,  hash  functions  may  be  split  into  two  classes:  unkeyed  hash  functions, 
whose  specification  dictates  a single  input  parameter  (a  message);  and  keyed  hash  functions, 
whose  specification  dictates  two  distinct  inputs,  a message  and  a secret  key.  To  facilitate 
discussion,  a hash  function  is  informally  defined  as  follows. 

9.1 Definition A hash function (in the unrestricted sense) is a function h which has, as a
minimum, the following two properties:

1. compression — h maps an input x of arbitrary finite bitlength, to an output h(x) of
fixed bitlength n.

2. ease of computation — given h and an input x, h(x) is easy to compute.
As defined here, hash function implies an unkeyed hash function. On occasion when discussion
is at a generic level, this term is abused somewhat to mean both unkeyed and keyed hash
functions; hopefully ambiguity is limited by context.

For actual use, a more goal-oriented classification of hash functions (beyond keyed vs.
unkeyed) is necessary, based on further properties they provide and reflecting requirements
of specific applications. Of the numerous categories in such a functional classification,
two types of hash functions are considered in detail in this chapter:

1.  modification  detection  codes  (MDCs) 

Also known as manipulation detection codes, and less commonly as message integrity codes
(MICs), the purpose of an MDC is (informally) to provide a representative image or hash of
a message, satisfying additional properties as refined below. The end goal is to facilitate,
in conjunction with additional mechanisms (see §9.6.4), data integrity assurances as
required by specific applications. MDCs are a subclass of unkeyed hash functions, and
themselves may be further classified; the specific classes of MDCs of primary focus in this
chapter are (cf. Definitions 9.3 and 9.4):

(i) one-way hash functions (OWHFs): for these, finding an input which hashes to a
pre-specified hash-value is difficult;

(ii) collision resistant hash functions (CRHFs): for these, finding any two inputs having
the same hash-value is difficult.

2. message authentication codes (MACs)

The purpose of a MAC is (informally) to facilitate, without the use of any additional
mechanisms, assurances regarding both the source of a message and its integrity (see
§9.6.3). MACs have two functionally distinct parameters, a message input and a secret key;
they are a subclass of keyed hash functions (cf. Definition 9.7).

Figure 9.1 illustrates this simplified classification. Additional applications of unkeyed
hash functions are noted in §9.2.6. Additional applications of keyed hash functions include
use in challenge-response identification protocols for computing responses which are a
function of both a secret key and a challenge message; and for key confirmation (Definition
12.7). Distinction should be made between a MAC algorithm, and the use of an MDC with a
secret key included as part of its message input (see §9.5.2).

It  is  generally  assumed  that  the  algorithmic  specification  of  a hash  function  is  public 
knowledge.  Thus  in  the  case  of  MDCs,  given  a message  as  input,  anyone  may  compute  the 
hash-result;  and  in  the  case  of  MACs,  given  a message  as  input,  anyone  with  knowledge  of 
the  key  may  compute  the  hash-result. 


9.2.2  Basic  properties  and  definitions 

To facilitate further definitions, three potential properties are listed (in addition to
ease of computation and compression as per Definition 9.1), for an unkeyed hash function h
with inputs x, x' and outputs y, y'.

1. preimage resistance — for essentially all pre-specified outputs, it is computationally
infeasible to find any input which hashes to that output, i.e., to find any preimage x'
such that h(x') = y when given any y for which a corresponding input is not known.¹

2. 2nd-preimage resistance — it is computationally infeasible to find any second input
which has the same output as any specified input, i.e., given x, to find a 2nd-preimage
x' ≠ x such that h(x) = h(x').

¹This acknowledges that an adversary may easily precompute outputs for any small set of
inputs, and thereby invert the hash function trivially for such outputs (cf. Remark 9.35).
Figure 9.1: Simplified classification of cryptographic hash functions and applications.


3.  collision  resistance  — it  is  computationally  infeasible  to  find  any  two  distinct  inputs 
x , x'  which  hash  to  the  same  output,  i.e.,  such  that  h(x)  = h(x').  (Note  that  here 
there  is  free  choice  of  both  inputs.) 

Here and elsewhere, the terms "easy" and "computationally infeasible" (or "hard") are
intentionally left without formal definition; it is intended they be interpreted relative to
an understood frame of reference. "Easy" might mean polynomial time and space; or more
practically, within a certain number of machine operations or time units - perhaps seconds
or milliseconds. A more specific definition of "computationally infeasible" might involve
super-polynomial effort; require effort far exceeding understood resources; specify a lower
bound on the number of operations or memory required in terms of a specified security
parameter; or specify the probability that a property is violated be exponentially small.
The properties as defined above, however, suffice to allow practical definitions such as
Definitions 9.3 and 9.4 below.

9.2 Note (alternate terminology) Alternate terms used in the literature are as follows:
preimage resistant = one-way (cf. Definition 9.9); 2nd-preimage resistance = weak collision
resistance; collision resistance = strong collision resistance.

For context, one motivation for each of the three major properties above is now given.
Consider a digital signature scheme wherein the signature is applied to the hash-value h(x)
rather than the message x. Here h should be an MDC with 2nd-preimage resistance, otherwise,
an adversary C may observe the signature of some party A on h(x), then find an x' such that
h(x) = h(x'), and claim that A has signed x'. If C is able to actually choose the message
which A signs, then C need only find a collision pair (x, x') rather than the harder task of
finding a second preimage of x; in this case, collision resistance is also necessary (cf.
Remark 9.93). Less obvious is the requirement of preimage resistance for some public-key
signature schemes; consider RSA (Chapter 11), where party A has public key (e, n). C may
choose a random value y, compute z = y^e mod n, and (depending on the particular RSA
signature verification process used) claim that y is A's signature on z. This (existential)
forgery may be of concern if C can find a preimage x such that h(x) = z, and for which x is
of practical use.

9.3 Definition A one-way hash function (OWHF) is a hash function h as per Definition 9.1
(i.e., offering ease of computation and compression) with the following additional
properties, as defined above: preimage resistance, 2nd-preimage resistance.

9.4 Definition A collision resistant hash function (CRHF) is a hash function h as per
Definition 9.1 (i.e., offering ease of computation and compression) with the following
additional properties, as defined above: 2nd-preimage resistance, collision resistance
(cf. Fact 9.18).

Although in practice a CRHF almost always has the additional property of preimage
resistance, for technical reasons (cf. Note 9.20) this property is not mandated in
Definition 9.4.

9.5 Note (alternate terminology for OWHF, CRHF) Alternate terms used in the literature are
as follows: OWHF = weak one-way hash function (but here preimage resistance is often not
explicitly considered); CRHF = strong one-way hash function.

9.6 Example (hash function properties)

(i) A simple modulo-32 checksum (32-bit sum of all 32-bit words of a data string) is an
easily computed function which offers compression, but is not preimage resistant.

(ii) The function g(x) of Example 9.11 is preimage resistant but provides neither
compression nor 2nd-preimage resistance.

(iii) Example 9.13 presents a function with preimage resistance and 2nd-preimage resistance
(but not compression). □

9.7 Definition A message authentication code (MAC) algorithm is a family of functions h_k
parameterized by a secret key k, with the following properties:

1. ease of computation — for a known function h_k, given a value k and an input x, h_k(x)
is easy to compute. This result is called the MAC-value or MAC.

2. compression — h_k maps an input x of arbitrary finite bitlength to an output h_k(x) of
fixed bitlength n.

Furthermore, given a description of the function family h, for every fixed allowable value
of k (unknown to an adversary), the following property holds:

3. computation-resistance — given zero or more text-MAC pairs (x_i, h_k(x_i)), it is
computationally infeasible to compute any text-MAC pair (x, h_k(x)) for any new input
x ≠ x_i (including possibly for h_k(x) = h_k(x_i) for some i).

If computation-resistance does not hold, a MAC algorithm is subject to MAC forgery. While
computation-resistance implies the property of key non-recovery (it must be computationally
infeasible to recover k, given one or more text-MAC pairs (x_i, h_k(x_i)) for that k), key
non-recovery does not imply computation-resistance (a key need not always actually be
recovered to forge new MACs).

9.8 Remark (MAC resistance when key known) Definition 9.7 does not dictate whether MACs need
be preimage- and collision resistant for parties knowing the key k (as Fact 9.21 implies for
parties without k).
(i) Objectives of adversaries vs. MDCs

The objective of an adversary who wishes to "attack" an MDC is as follows:

(a) to attack a OWHF: given a hash-value y, find a preimage x such that y = h(x); or given
one such pair (x, h(x)), find a second preimage x' such that h(x') = h(x).

(b) to attack a CRHF: find any two inputs x, x', such that h(x') = h(x).

A CRHF must be designed to withstand standard birthday attacks (see Fact 9.33).

(ii)  Objectives  of  adversaries  vs.  MACs 

The corresponding objective of an adversary for a MAC algorithm is as follows:

(c) to attack a MAC: without prior knowledge of a key k, compute a new text-MAC pair
(x, h_k(x)) for some text x ≠ x_i, given one or more pairs (x_i, h_k(x_i)).

Computation-resistance here should hold whether the texts x_i for which matching MACs are
available are given to the adversary, or may be freely chosen by the adversary. Similar to
the situation for signature schemes, the following attack scenarios thus exist for MACs, for
adversaries with increasing advantages:

1. known-text attack. One or more text-MAC pairs (x_i, h_k(x_i)) are available.

2. chosen-text attack. One or more text-MAC pairs (x_i, h_k(x_i)) are available for x_i
chosen by the adversary.

3. adaptive chosen-text attack. The x_i may be chosen by the adversary as above, now
allowing successive choices to be based on the results of prior queries.

As a certificational checkpoint, MACs should withstand adaptive chosen-text attack
regardless of whether such an attack may actually be mounted in a particular environment.
Some practical applications may limit the number of interactions allowed over a fixed period
of time, or may be designed so as to compute MACs only for inputs created within the
application itself; others may allow access to an unlimited number of text-MAC pairs, or
allow MAC verification of an unlimited number of messages and accept any with a correct MAC
for further processing.

(iii)  Types  of  forgery  (selective,  existential) 

When MAC forgery is possible (implying the MAC algorithm has been technically defeated), the
severity of the practical consequences may differ depending on the degree of control an
adversary has over the value x for which a MAC may be forged. This degree is differentiated
by the following classification of forgeries:

1. selective forgery - attacks whereby an adversary is able to produce a new text-MAC pair
for a text of his choice (or perhaps partially under his control). Note that here the
selected value is the text for which a MAC is forged, whereas in a chosen-text attack the
chosen value is the text of a text-MAC pair used for analytical purposes (e.g., to forge a
MAC on a distinct text).

2. existential forgery - attacks whereby an adversary is able to produce a new text-MAC
pair, but with no control over the value of that text.

Key recovery of the MAC key itself is the most damaging attack, and trivially allows
selective forgery. MAC forgery allows an adversary to have a forged text accepted as
authentic. The consequences may be severe even in the existential case. A classic example is
the replacement of a monetary amount known to be small by a number randomly distributed
between 0 and 2^32 − 1. For this reason, messages whose integrity or authenticity is to be
verified are often constrained to have pre-determined structure or a high degree of
verifiable redundancy, in an attempt to preclude meaningful attacks.

Analogously to MACs, attacks on MDC schemes (primarily 2nd-preimage and collision attacks)
may be classified as selective or existential. If the message can be partially controlled,
then the attack may be classified as partially selective (e.g., see §9.7.1(iii)).
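An added illustration (not from the Handbook) of the countermeasure just described: a verifier that, after checking the MAC, also requires the text to have a pre-determined structure and bounded amount field, so that an existentially forged text with a random 32-bit "amount" is rejected. The message format, the key and HMAC-SHA256 as the MAC are all constructed assumptions for this example.

```python
"""MAC verification backed by verifiable redundancy in the message structure.

The key, the PAY message format and the amount policy are constructed for this
example; HMAC-SHA256 is used as the MAC algorithm h_k.
"""
import hashlib
import hmac
import random
import re

KEY = b"constructed-demo-key"            # constructed; a real key is random and secret
# Pre-determined structure: fixed tag, 8-digit account, amount in cents (1-6 digits).
PATTERN = re.compile(rb"^PAY:(\d{8}):(\d{1,6})$")
MAX_AMOUNT_CENTS = 500_000               # constructed application policy bound


def mac(key, text):
    """h_k(text) with HMAC-SHA256 (Definition 9.7's family h_k)."""
    return hmac.new(key, text, hashlib.sha256).digest()


def accept(key, text, tag):
    """Accept (text, tag) only if the MAC verifies AND the text is well-formed.

    Step 1 rejects any pair without a valid MAC, in constant time.
    Step 2 is the redundancy check: a text that is a random bit pattern (as in an
    existential forgery) almost never matches the structure or the policy bound.
    """
    if not hmac.compare_digest(mac(key, text), tag):
        return False
    m = PATTERN.match(text)
    if m is None:
        return False
    return int(m.group(2)) <= MAX_AMOUNT_CENTS


def structured(text):
    """The redundancy check alone, so its filtering power can be measured."""
    m = PATTERN.match(text)
    return m is not None and int(m.group(2)) <= MAX_AMOUNT_CENTS


def random_amount_pass_rate(trials=2000, seed=1):
    """Fraction of texts whose amount is replaced by a uniform 32-bit value
    (the text's classic example) that would still pass the structure check."""
    rng = random.Random(seed)
    passed = sum(
        structured(b"PAY:12345678:" + str(rng.getrandbits(32)).encode())
        for _ in range(trials)
    )
    return passed / trials


if __name__ == "__main__":
    t = b"PAY:12345678:2500"
    print("genuine:", accept(KEY, t, mac(KEY, t)))
    print("bad tag:", accept(KEY, t, bytes(32)))
    print("random 32-bit amounts passing structure check:", random_amount_pass_rate())
```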


9.2.3  Hash  properties  required  for  specific  applications 

Because there may be costs associated with specific properties - e.g., CRHFs are in general
harder to construct than OWHFs and have hash-values roughly twice the bitlength - it should
be understood which properties are actually required for particular applications, and why.
Selected techniques whereby hash functions are used for data integrity, and the
corresponding properties required thereof by these applications, are summarized in Table
9.1.

In general, an MDC should be a CRHF if an untrusted party has control over the exact content
of hash function inputs (see Remark 9.93); a OWHF suffices otherwise, including the case
where there is only a single party involved (e.g., a store-and-retrieve application).
Control over precise format of inputs may be eliminated by introducing into the message
randomization that is uncontrollable by one or both parties. Note, however, that data
integrity techniques based on a shared secret key typically involve mutual trust and do not
address non-repudiation; in this case, collision resistance may or may not be a requirement.


Hash properties required →          Preimage    2nd-       Collision   Details
Integrity application ↓             resistant   preimage   resistant
-----------------------------------------------------------------------------------
MDC + asymmetric signature          yes         yes        yes†        page 324
MDC + authentic channel                         yes        yes†        page 364
MDC + symmetric encryption                                             page 365
hash for one-way password file      yes                                page 389
MAC (key unknown to attacker)       yes         yes        yes†        page 326
MAC (key known to attacker)                     yes‡                   page 325

Table 9.1: Resistance properties required for specified data integrity applications.
†Resistance required if attacker is able to mount a chosen message attack.
‡Resistance required in rare case of multi-cast authentication (see page 378).


9.2.4  One-way  functions  and  compression  functions 

Related to Definition 9.3 of a OWHF is the following, which is unrestrictive with respect to
a compression property.

9.9 Definition A one-way function (OWF) is a function f such that for each x in the domain
of f, it is easy to compute f(x); but for essentially all y in the range of f, it is
computationally infeasible to find any x such that y = f(x).

9.10 Remark (OWF vs. domain-restricted OWHF) A OWF as defined here differs from a OWHF with
domain restricted to fixed-size inputs in that Definition 9.9 does not require 2nd-preimage
resistance. Many one-way functions are, in fact, non-compressing, in which case most image
elements have unique preimages, and for these 2nd-preimage resistance holds vacuously -
making the difference minor (but see Example 9.11).
9.11 Example (one-way functions and modular squaring) The squaring of integers modulo a prime p, e.g., f(x) = x^2 - 1 mod p, behaves in many ways like a random mapping. However, f(x) is not a OWF because finding square roots modulo primes is easy (§3.5.1). On the other hand, g(x) = x^2 mod n is a OWF (Definition 9.9) for appropriate randomly chosen primes p and q where n = pq and the factorization of n is unknown, as finding a preimage (i.e., computing a square root mod n) is computationally equivalent to factoring (Fact 3.46) and thus intractable. Nonetheless, finding a 2nd-preimage, and, therefore, collisions, is trivial (given x, -x yields a collision), and thus g fits neither the definition of a OWHF nor a CRHF with domain restricted to fixed-size inputs. □

9.12 Remark (candidate one-way functions) There are, in fact, no known instances of functions which are provably one-way (with no assumptions); indeed, despite known hash function constructions which are provably as secure as NP-complete problems, there is no assurance the latter are difficult. All instances of “one-way functions” to date should thus more properly be qualified as “conjectured” or “candidate” one-way functions. (It thus remains possible, although widely believed most unlikely, that one-way functions do not exist.) A proof of existence would establish P ≠ NP, while non-existence would have devastating cryptographic consequences (see page 377), although not directly implying P = NP.

Hash  functions  are  often  used  in  applications  (cf.  §9.2.6)  which  require  the  one-way 
property,  but  not  compression.  It  is,  therefore,  useful  to  distinguish  three  classes  of  func- 
tions (based  on  the  relative  size  of  inputs  and  outputs): 

1.  (general)  hash  functions.  These  are  functions  as  per  Definition  9.1,  typically  with  ad- 
ditional one-way  properties,  which  compress  arbitrary-length  inputs  to  n-bit  outputs. 

2.  compression  functions  (fixed-size  hash  functions).  These  are  functions  as  per  Defi- 
nition 9.1,  typically  with  additional  one-way  properties,  but  with  domain  restricted 
to  fixed-size  inputs  - i.e.,  compressing  m-bit  inputs  to  n-bit  outputs,  m > n. 

3. non-compressing one-way functions. These are fixed-size hash functions as above, except that n = m. These include one-way permutations, and can be more explicitly described as computationally non-invertible functions.

9.13 Example (DES-based OWF) A one-way function can be constructed from DES or any block cipher E which behaves essentially as a random function (see Remark 9.14), as follows: f(x) = E_k(x) ⊕ x, for any fixed known key k. The one-way nature of this construction can be proven under the assumption that E is a random permutation. An intuitive argument follows. For any choice of y, finding any x (and key k) such that E_k(x) ⊕ x = y is difficult because for any chosen x, E_k(x) will be essentially random (for any key k) and thus so will E_k(x) ⊕ x; hence, this will equal y with no better than random chance. By similar reasoning, if one attempts to use decryption and chooses an x, the probability that E_k^{-1}(x ⊕ y) = x is no better than random chance. Thus f(x) appears to be a OWF. While f(x) is not a OWHF (it handles only fixed-length inputs), it can be extended to yield one (see Algorithm 9.41). □

9.14  Remark  (block  ciphers  and  random  functions)  Regarding  random  functions  and  their 
properties, see §2.1.6. If a block cipher behaved as a random function, then encryption and
decryption  would  be  equivalent  to  looking  up  values  in  a large  table  of  random  numbers; 
for  a fixed  input,  the  mapping  from  a key  to  an  output  would  behave  as  a random  mapping. 
However,  block  ciphers  such  as  DES  are  bijections,  and  thus  at  best  exhibit  behavior  more 
like  random  permutations  than  random  functions. 
9.15 Example (one-wayness w.r.t. two inputs) Consider f(x, k) = E_k(x), where E represents DES. This is not a one-way function of the joint input (x, k), because given any function value y = f(x, k), one can choose any key k' and compute x' = E_{k'}^{-1}(y) yielding a preimage (x', k'). Similarly, f(x, k) is not a one-way function of x if k is known, as given y = f(x, k) and k, decryption of y using k yields x. (However, a “black-box” which computes f(x, k) for fixed, externally-unknown k is a one-way function of x.) In contrast, f(x, k) is a one-way function of k; given y = f(x, k) and x, it is not known how to find a preimage k in less than about 2^55 operations. (This latter concept is utilized in one-time digital signature schemes - see §11.6.2.) □

9.16 Example (OWF - multiplication of large primes) For appropriate choices of primes p and q, f(p, q) = pq is a one-way function: given p and q, computing n = pq is easy, but given n, finding p and q, i.e., integer factorization, is difficult. RSA and many other cryptographic systems rely on this property (see Chapter 3, Chapter 8). Note that contrary to many one-way functions, this function f does not have properties resembling a “random” function. □

9.17 Example (OWF - exponentiation in finite fields) For most choices of appropriately large primes p and any element α ∈ Z_p^* of sufficiently large multiplicative order (e.g., a generator), f(x) = α^x mod p is a one-way function. (For example, p must not be such that all the prime divisors of p - 1 are small, otherwise the discrete log problem is feasible by the Pohlig-Hellman algorithm of §3.6.4.) f(x) is easily computed given α, x, and p using the square-and-multiply technique (Algorithm 2.143), but for most choices p it is difficult, given (y, p, α), to find an x in the range 0 ≤ x ≤ p - 2 such that α^x mod p = y, due to the apparent intractability of the discrete logarithm problem (§3.6). Of course, for specific values of f(x) the function can be inverted trivially. For example, the respective preimages of 1 and -1 are known to be 0 and (p - 1)/2, and by computing f(x) for any small set of values for x (e.g., x = 1, 2, ..., 10), these are also known. However, for essentially all y in the range, the preimage of y is difficult to find. □


9.2.5  Relationships  between  properties 

In  this  section  several  relationships  between  the  hash  function  properties  stated  in  the  pre- 
ceding section  are  examined. 

9.18  Fact  Collision  resistance  implies  2nd-preimage  resistance  of  hash  functions. 

Justification. Suppose h has collision resistance. Fix an input x_j. If h does not have 2nd-preimage resistance, then it is feasible to find a distinct input x_i such that h(x_i) = h(x_j), in which case (x_i, x_j) is a pair of distinct inputs hashing to the same output, contradicting collision resistance.

9.19  Remark  (one-way  vs.  preimage  and  2nd-preimage  resistant)  While  the  term  “one-way” 
is  generally  taken  to  mean  preimage  resistant,  in  the  hash  function  literature  it  is  some- 
times also  used  to  imply  that  a function  is  2nd-preimage  resistant  or  computationally  non- 
invertible.  (Computationally  non-invertible  is  a more  explicit  term  for  preimage  resistance 
when  preimages  are  unique,  e.g.,  for  one-way  permutations.  In  the  case  that  two  or  more 
preimages  exist,  a function  fails  to  be  computationally  non-invertible  if  any  one  can  be 
found.)  This  causes  ambiguity  as  2nd-preimage  resistance  does  not  guarantee  preimage- 
resistance  (Note  9.20),  nor  does  preimage  resistance  guarantee  2nd-preimage  resistance 
(Example  9.11);  see  also  Remark  9.10.  An  attempt  is  thus  made  to  avoid  unqualified  use  of 
the  term  “one-way”. 
9.20 Note (collision resistance does not guarantee preimage resistance) Let g be a hash function which is collision resistant and maps arbitrary-length inputs to n-bit outputs. Consider the function h defined as (here and elsewhere, || denotes concatenation):

    h(x) = 1 || x,     if x has bitlength n
           0 || g(x),  otherwise.

Then h is an (n + 1)-bit hash function which is collision resistant but not preimage resistant. As a simpler example, the identity function on fixed-length inputs is collision and 2nd-preimage resistant (preimages are unique) but not preimage resistant. While such pathological examples illustrate that collision resistance does not guarantee the difficulty of finding preimages of specific (or even most) hash outputs, for most CRHFs arising in practice it nonetheless appears reasonable to assume that collision resistance does indeed imply preimage resistance.
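The pathological h of Note 9.20, as an added example that is not part of the handbook's text: g is left abstract in the note, so SHA-256 (n = 256) stands in for it here as an assumption. The point the code makes concrete is that h inherits g's collision resistance (a collision in the 0-branch is a collision for g, and the 1-branch is injective), yet every output beginning with a 1 bit can be inverted by simply reading x off the output.

```python
import hashlib

N_BITS = 256  # n: output length of the collision-resistant g; SHA-256 stands in for g here


def g(x: bytes) -> str:
    """The collision-resistant n-bit hash g of Note 9.20, as a string of n bits.
    SHA-256 is an assumed stand-in; the note itself leaves g abstract."""
    return format(int.from_bytes(hashlib.sha256(x).digest(), "big"), f"0{N_BITS}b")


def to_bits(x: bytes) -> str:
    return "".join(format(byte, "08b") for byte in x)


def h(x: bytes) -> str:
    """Note 9.20's (n+1)-bit hash: 1 || x when x has bitlength n, else 0 || g(x)."""
    if 8 * len(x) == N_BITS:
        return "1" + to_bits(x)
    return "0" + g(x)


def invert_h(y: str):
    """Preimage search for h. Outputs with leading bit 1 are inverted by reading x off
    the remaining n bits; outputs with leading bit 0 would require inverting g, which
    is assumed infeasible, so None is returned for them."""
    if len(y) != N_BITS + 1:
        raise ValueError("y must be an (n+1)-bit string")
    if y[0] == "1":
        return int(y[1:], 2).to_bytes(N_BITS // 8, "big")
    return None


if __name__ == "__main__":
    x = bytes(range(32))                # constructed 256-bit input
    print(invert_h(h(x)) == x)          # preimage recovered trivially
    print(invert_h(h(b"short input")))  # None: this output falls in the g branch
```

The (n + 1)-bit output is represented as a bit string so that the single leading bit, which is all that distinguishes the two branches, stays visible.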


9.21  Fact  ( implications  of  MAC  properties ) Let  hk  be  a keyed  hash  function  which  is  a MAC 
algorithm  per  Definition  9.7  (and  thus  has  the  property  of  computation-resistance).  Then 
hk  is,  against  chosen-text  attack  by  an  adversary  without  knowledge  of  the  key  k,  (i)  both 
2nd-preimage  resistant  and  collision  resistant;  and  (ii)  preimage  resistant  (with  respect  to 
the  hash-input). 

Justification.  For  (i),  note  that  computation-resistance  implies  hash-results  should  not  even 
be  computable  by  those  without  secret  key  k.  For  (ii),  by  way  of  contradiction,  assume 
h were  not  preimage  resistant.  Then  recovery  of  the  preimage  x for  a randomly  selected 
hash-output  y violates  computation-resistance. 


9.2.6  Other  hash  function  properties  and  applications 

Most  unkeyed  hash  functions  commonly  found  in  practice  were  originally  designed  for  the 
purpose  of  providing  data  integrity  (see  §9.6),  including  digital  fingerprinting  of  messages 
in  conjunction  with  digital  signatures  (§9.6.4).  The  majority  of  these  are,  in  fact,  MDCs 
designed  to  have  preimage,  2nd-preimage,  or  collision  resistance  properties.  Because  one- 
way functions  are  a fundamental  cryptographic  primitive,  many  of  these  MDCs,  which  typ- 
ically exhibit  behavior  informally  equated  with  one-wayness  and  randomness,  have  been 
proposed  for  use  in  various  applications  distinct  from  data  integrity,  including,  as  discussed 
below: 

1.  confirmation  of  knowledge 

2.  key  derivation 

3.  pseudorandom  number  generation 

Hash  functions  used  for  confirmation  of  knowledge  facilitate  commitment  to  data  values, 
or  demonstrate  possession  of  data,  without  revealing  such  data  itself  (until  possibly  a later 
point  in  time);  verification  is  possible  by  parties  in  possession  of  the  data.  This  resembles 
the  use  of  MACs  where  one  also  essentially  demonstrates  knowledge  of  a secret  (but  with 
the  demonstration  bound  to  a specific  message).  The  property  of  hash  functions  required 
is  preimage  resistance  (see  also  partial-preimage  resistance  below).  Specific  examples  in- 
clude use  in  password  verification  using  unencrypted  password-image  files  (Chapter  10); 
symmetric-key  digital  signatures  (Chapter  11);  key  confirmation  in  authenticated  key  es- 
tablishment protocols  (Chapter  12);  and  document-dating  or  timestamping  by  hash-code 
registration  (Chapter  13). 

In  general,  use  of  hash  functions  for  purposes  other  than  which  they  were  originally  de- 
signed requires  caution,  as  such  applications  may  require  additional  properties  (see  below) 
these functions were not designed to provide; see Remark 9.22. Unkeyed hash functions
having  properties  associated  with  one-way  functions  have  nonetheless  been  proposed  for  a 
wide  range  of  applications,  including  as  noted  above: 

• key  derivation  - to  compute  sequences  of  new  keys  from  prior  keys  (Chapter  13).  A 
primary  example  is  key  derivation  in  point-of-sale  (POS)  terminals;  here  an  impor- 
tant requirement  is  that  the  compromise  of  currently  active  keys  must  not  compromise 
the  security  of  previous  transaction  keys.  A second  example  is  in  the  generation  of 
one-time  password  sequences  based  on  one-way  functions  (Chapter  10). 

• pseudorandom  number  generation  - to  generate  sequences  of  numbers  which  have 
various  properties  of  randomness.  (A  pseudorandom  number  generator  can  be  used  to 
construct  a symmetric-key  block  cipher,  among  other  things.)  Due  to  the  difficulty  of 
producing  cryptographically  strong  pseudorandom  numbers  (see  Chapter  5),  MDCs 
should  not  be  used  for  this  purpose  unless  the  randomness  requirements  are  clearly 
understood,  and  the  MDC  is  verified  to  satisfy  these. 

For  the  applications  immediately  above,  rather  than  hash  functions,  the  cryptographic  prim- 
itive which  is  needed  may  be  a pseudorandom  function  (or  keyed  pseudorandom  function). 

9.22  Remark  (use  of  MDCs)  Many  MDCs  used  in  practice  may  appear  to  satisfy  additional 
requirements  beyond  those  for  which  they  were  originally  designed.  Nonetheless,  the  use 
of  arbitrary  hash  functions  cannot  be  recommended  for  any  applications  without  careful 
analysis  precisely  identifying  both  the  critical  properties  required  by  the  application  and 
those  provided  by  the  function  in  question  (cf.  §9.5.2). 

Additional  properties  of  one-way  hash  functions 

Additional  properties  of  one-way  hash  functions  called  for  by  the  above-mentioned  appli- 
cations include  the  following. 

1.  non-correlation.  Input  bits  and  output  bits  should  not  be  correlated.  Related  to  this, 
an  avalanche  property  similar  to  that  of  good  block  ciphers  is  desirable  whereby  every 
input  bit  affects  every  output  bit.  (This  rules  out  hash  functions  for  which  preimage 
resistance  fails  to  imply  2nd-preimage  resistance  simply  due  to  the  function  effec- 
tively ignoring  a subset  of  input  bits.) 

2.  near-collision  resistance.  It  should  be  hard  to  find  any  two  inputs  x,  x'  such  that  h(x) 
and  h(x')  differ  in  only  a small  number  of  bits. 

3. partial-preimage resistance or local one-wayness. It should be as difficult to recover any substring as to recover the entire input. Moreover, even if part of the input is known, it should be difficult to find the remainder (e.g., if t input bits remain unknown, it should take on average 2^{t-1} hash operations to find these bits.)

Partial  preimage  resistance  is  an  implicit  requirement  in  some  of  the  proposed  applications 
of  §9.5.2.  One  example  where  near-collision  resistance  is  necessary  is  when  only  half  of 
the  output  bits  of  a hash  function  are  used. 

Many  of  these  properties  can  be  summarized  as  requirements  that  there  be  neither  lo- 
cal nor  global  statistical  weaknesses;  the  hash  function  should  not  be  weaker  with  respect 
to  some  parts  of  its  input  or  output  than  others,  and  all  bits  should  be  equally  hard.  Some 
of  these  may  be  called  certificational  properties  - properties  which  intuitively  appear  de- 
sirable, although  they  cannot  be  shown  to  be  directly  necessary. 
9.3 Basic constructions and general results


9.3.1  General  model  for  iterated  hash  functions 

Most  unkeyed  hash  functions  h are  designed  as  iterative  processes  which  hash  arbitrary- 
length  inputs  by  processing  successive  fixed-size  blocks  of  the  input,  as  illustrated  in  Fig- 
ure 9.2. 

[Figure 9.2 (a) high-level view, (b) detailed view: the original input x is preprocessed into blocks, the compression stages are iterated, and the output is h(x) = g(H_t).]

Figure 9.2: General model for an iterated hash function.

A hash input x of arbitrary finite length is divided into fixed-length r-bit blocks x_i. This preprocessing typically involves appending extra bits (padding) as necessary to attain an overall bitlength which is a multiple of the blocklength r, and often includes (for security reasons - e.g., see Algorithm 9.26) a block or partial block indicating the bitlength of the unpadded input. Each block x_i then serves as input to an internal fixed-size hash function f, the compression function of h, which computes a new intermediate result of bitlength n for some fixed n, as a function of the previous n-bit intermediate result and the next input block x_i. Letting H_i denote the partial result after stage i, the general process for an iterated hash function with input x = x_1 x_2 ... x_t can be modeled as follows:

    H_0 = IV;  H_i = f(H_{i-1}, x_i), 1 ≤ i ≤ t;  h(x) = g(H_t).    (9.1)

H_{i-1} serves as the n-bit chaining variable between stage i - 1 and stage i, and H_0 is a pre-defined starting value or initializing value (IV). An optional output transformation g (see Figure 9.2) is used in a final step to map the n-bit chaining variable to an m-bit result g(H_t); g is often the identity mapping g(H_t) = H_t.

Particular  hash  functions  are  distinguished  by  the  nature  of  the  preprocessing,  com- 
pression function,  and  output  transformation. 


9.3.2  General  constructions  and  extensions 

To  begin,  an  example  demonstrating  an  insecure  construction  is  given.  Several  secure  gen- 
eral constructions  are  then  discussed. 

9.23 Example (insecure trivial extension of OWHF to CRHF) In the case that an iterated OWHF h yielding n-bit hash-values is not collision resistant (e.g., when a 2^{n/2} birthday collision attack is feasible - see §9.7.1) one might propose constructing from h a CRHF using as output the concatenation of the last two n-bit chaining variables, so that a t-block message has hash-value H_{t-1} || H_t rather than H_t. This is insecure as the final message block x_t can be held fixed along with H_t, reducing the problem to finding a collision on H_{t-1} for h. □

Extending  compression  functions  to  hash  functions 

Fact  9.24  states  an  important  relationship  between  collision  resistant  compression  functions 
and  collision  resistant  hash  functions.  Not  only  can  the  former  be  extended  to  the  latter,  but 
this  can  be  done  efficiently  using  Merkle’s  meta-method  of  Algorithm  9.25  (also  called  the 
Merkle-Damgard  construction).  This  reduces  the  problem  of  finding  such  a hash  function 
to  that  of  finding  such  a compression  function. 

9.24 Fact (extending compression functions) Any compression function f which is collision resistant can be extended to a collision resistant hash function h (taking arbitrary length inputs).


9.25 Algorithm Merkle's meta-method for hashing

INPUT: compression function f which is collision resistant.

OUTPUT: unkeyed hash function h which is collision resistant.

1. Suppose f maps (n + r)-bit inputs to n-bit outputs (for concreteness, consider n = 128 and r = 512). Construct a hash function h from f, yielding n-bit hash-values, as follows.

2. Break an input x of bitlength b into blocks x_1 x_2 ... x_t each of bitlength r, padding out the last block x_t with 0-bits if necessary.

3. Define an extra final block x_{t+1}, the length-block, to hold the right-justified binary representation of b (presume that b < 2^r).

4. Letting 0^j represent the bitstring of j 0's, define the n-bit hash-value of x to be h(x) = H_{t+1} = f(H_t || x_{t+1}) computed from:

    H_0 = 0^n;  H_i = f(H_{i-1} || x_i), 1 ≤ i ≤ t + 1.
The proof that the resulting function h is collision resistant follows by a simple argu-
ment that  a collision  for  h would  imply  a collision  for  / for  some  stage  i.  The  inclusion  of 
the  length-block,  which  effectively  encodes  all  messages  such  that  no  encoded  input  is  the 
tail  end  of  any  other  encoded  input,  is  necessary  for  this  reasoning.  Adding  such  a length- 
block  is  sometimes  called  Merkle-Damgard  strengthening  ( MD- strengthening ),  which  is 
now  stated  separately  for  future  reference. 


9.26  Algorithm  MD-strengthening 

Before hashing a message x = x_1 x_2 ... x_t (where x_i is a block of bitlength r appropriate for the relevant compression function) of bitlength b, append a final length-block, x_{t+1}, containing the (say) right-justified binary representation of b. (This presumes b < 2^r.)
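Algorithms 9.25 and 9.26 carried out in code, as an added example that is not the handbook's own: the compression function f is left abstract in the text, so SHA-256 truncated to n = 128 bits is assumed as a collision-resistant stand-in for an (n + r)-bit to n-bit f, with r = 512 as in step 1. The `strengthen` switch exists only to show why step 3 matters: with 0-bit padding alone, a message and the same message with a trailing zero byte pad to the identical final block and therefore collide, while the length-block separates them.

```python
import hashlib

N = 16   # n = 128 bits: chaining variable and hash-value size (the text's concreteness value)
R = 64   # r = 512 bits: message block size


def f(chaining: bytes, block: bytes) -> bytes:
    """Assumed compression function mapping (n+r)-bit inputs to n-bit outputs.
    SHA-256 truncated to n bits stands in for the abstract f of Algorithm 9.25."""
    assert len(chaining) == N and len(block) == R
    return hashlib.sha256(chaining + block).digest()[:N]


def split_blocks(x: bytes) -> list:
    """Step 2: break x into r-bit blocks x_1 ... x_t, padding the last with 0-bits."""
    blocks = [x[i:i + R] for i in range(0, len(x), R)]
    if blocks and len(blocks[-1]) < R:
        blocks[-1] = blocks[-1] + bytes(R - len(blocks[-1]))
    return blocks


def length_block(x: bytes) -> bytes:
    """Step 3 / Algorithm 9.26: right-justified binary representation of the bitlength b
    in an r-bit block (this presumes b < 2^r)."""
    b = 8 * len(x)
    return b.to_bytes(R, "big")


def merkle_hash(x: bytes, strengthen: bool = True) -> bytes:
    """Step 4: H_0 = 0^n; H_i = f(H_{i-1} || x_i); h(x) = H_{t+1}.
    strengthen=False omits the length-block, purely to exhibit the resulting collisions."""
    blocks = split_blocks(x)
    if strengthen:
        blocks.append(length_block(x))
    H = bytes(N)  # H_0 = 0^n
    for block in blocks:
        H = f(H, block)
    return H


if __name__ == "__main__":
    m1, m2 = b"abc", b"abc\x00"  # constructed messages differing only by a trailing zero byte
    print(merkle_hash(m1, strengthen=False) == merkle_hash(m2, strengthen=False))  # True
    print(merkle_hash(m1) == merkle_hash(m2))                                      # False
```

The collision-resistance argument of the text is visible in the loop: any pair of distinct MD-strengthened inputs either differs in their length-blocks or differs at some earlier block with equal chaining values, and either way some stage i is a collision for f.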


Cascading  hash  functions 

9.27 Fact (cascading hash functions) If either h_1 or h_2 is a collision resistant hash function, then h(x) = h_1(x) || h_2(x) is a collision resistant hash function.

If both h_1 and h_2 in Fact 9.27 are n-bit hash functions, then h produces 2n-bit outputs; mapping this back down to an n-bit output by an n-bit collision-resistant hash function (h_1 and h_2 are candidates) would leave the overall mapping collision-resistant. If h_1 and h_2 are independent, then finding a collision for h requires finding a collision for both simultaneously (i.e., on the same input), which one could hope would require the product of the efforts to attack them individually. This provides a simple yet powerful way to (almost surely) increase strength using only available components.


9.3.3  Formatting  and  initialization  details 

9.28  Note  ( data  representation)  As  hash-values  depend  on  exact  bitstrings,  different  data  rep- 
resentations (e.g.,  ASCII  vs.  EBCDIC)  must  be  converted  to  a common  format  before  com- 
puting hash-values. 

(i)  Padding  and  length-blocks 

For  block-by-block  hashing  methods,  extra  bits  are  usually  appended  to  a hash  input  string 
before  hashing,  to  pad  it  out  to  a number  of  bits  which  make  it  a multiple  of  the  relevant 
block  size.  The  padding  bits  need  not  be  transmitted/stored  themselves,  provided  the  sender 
and  recipient  agree  on  a convention. 


9.29  Algorithm  Padding  Method  1 

INPUT:  data  x;  bitlength  n giving  blocksize  of  data  input  to  processing  stage. 

OUTPUT:  padded  data  x',  with  bitlength  a multiple  of  n. 

1.  Append  to  x as  few  (possibly  zero)  0-bits  as  necessary  to  obtain  a string  x'  whose 
bitlength  is  a multiple  of  n. 


9.30  Algorithm  Padding  Method  2 

INPUT:  data  x;  bitlength  n giving  blocksize  of  data  input  to  processing  stage. 
OUTPUT:  padded  data  x',  with  bitlength  a multiple  of  n. 

1.  Append  to  x a single  1-bit. 




2.  Then  append  as  few  (possibly  zero)  0-bits  as  necessary  to  obtain  a string  x'  whose 
bitlength  is  a multiple  of  n. 


9.31  Remark  (ambiguous  padding ) Padding  Method  1 is  ambiguous  - trailing  0-bits  of  the 
original  data  cannot  be  distinguished  from  those  added  during  padding.  Such  methods  are 
acceptable  if  the  length  of  the  data  (before  padding)  is  known  by  the  recipient  by  other 
means.  Padding  Method  2 is  not  ambiguous  - each  padded  string  x'  corresponds  to  a unique 
unpadded string x. When the bitlength of the original data x is already a multiple of n, Padding Method 2 results in the creation of an extra block.

9.32  Remark  (appended  length  blocks)  Appending  a logical  length-block  prior  to  hashing 
prevents  collision  and  pseudo-collision  attacks  which  find  second  messages  of  different 
length,  including  trivial  collisions  for  random  IVs  (Example  9.96),  long-message  attacks 
(Fact  9.37),  and  fixed-point  attacks  (page  374).  This  further  justifies  the  use  of  MD- 
strengthening  (Algorithm  9.26). 

Trailing  length-blocks  and  padding  are  often  combined.  For  Padding  Method  2,  a len- 
gth field  of  pre-specified  bitlength  w may  replace  the  final  w 0-bits  padded  if  padding  would 
otherwise  cause  w or  more  redundant  such  bits.  By  pre-agreed  convention,  the  length  field 
typically  specifies  the  bitlength  of  the  original  message.  (If  used  instead  to  specify  the  num- 
ber of  padding  bits  appended,  deletion  of  leading  blocks  cannot  be  detected.) 
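Padding Methods 1 and 2 (Algorithms 9.29 and 9.30) and the combined padding-plus-length-field convention just described, as an added example that is not the handbook's own code. Inputs are bit strings so that the single 1-bit of Method 2 is explicit. The length-field variant follows the convention the text describes (a w-bit field holding the original bitlength in the last w positions, with an extra block when the padding would otherwise leave fewer than w redundant bits); the function names are this example's own.

```python
def pad_method_1(x: str, n: int) -> str:
    """Algorithm 9.29: append as few (possibly zero) 0-bits as needed to reach a multiple of n.
    Ambiguous: trailing 0-bits of x cannot be told apart from padding (Remark 9.31)."""
    return x + "0" * (-len(x) % n)


def pad_method_2(x: str, n: int) -> str:
    """Algorithm 9.30: a single 1-bit, then as few 0-bits as needed to reach a multiple of n.
    If len(x) is already a multiple of n this creates a whole extra block."""
    y = x + "1"
    return y + "0" * (-len(y) % n)


def unpad_method_2(y: str) -> str:
    """Inverse of Method 2: drop trailing 0-bits, then the single marker 1-bit.
    Well defined because every padded string contains the marker bit."""
    return y.rstrip("0")[:-1]


def pad_method_2_with_length(x: str, n: int, w: int) -> str:
    """Method 2 combined with a w-bit length field (the convention in the text): the field
    holds the bitlength of the original message and occupies the final w bits of the
    padded string; enough 0-bits are inserted so that the total is a multiple of n."""
    b = len(x)
    if b >= 2 ** w:
        raise ValueError("message too long for a %d-bit length field" % w)
    y = x + "1"
    zeros = -(len(y) + w) % n  # leave exactly w bits at the end for the length field
    return y + "0" * zeros + format(b, f"0{w}b")


def unpad_method_2_with_length(y: str, w: int) -> str:
    """Inverse: the length field says how many leading bits are the original message."""
    b = int(y[-w:], 2)
    return y[:b]


if __name__ == "__main__":
    # constructed inputs: two messages that differ only by a trailing 0-bit
    print(pad_method_1("1010", 8) == pad_method_1("10100", 8))   # True: ambiguous
    print(pad_method_2("1010", 8) == pad_method_2("10100", 8))   # False: unambiguous
    print(pad_method_2_with_length("1010", 16, 8))               # 1010 1 000 00000100
```

Encoding the original message length, rather than the number of padding bits, is what lets the recipient detect a deleted leading block, as the preceding paragraph notes; the length-field decoder above relies on exactly that.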

(ii)  IVs 

Whether  the  IV  is  fixed,  is  randomly  chosen  per  hash  function  computation,  or  is  a function 
of  the  data  input,  the  same  IV  must  be  used  to  generate  and  verify  a hash-value.  If  not  known 
a priori  by  the  verifier,  it  must  be  transferred  along  with  the  message.  In  the  latter  case,  this 
generally  should  be  done  with  guaranteed  integrity  (to  cut  down  on  the  degree  of  freedom 
afforded  to  adversaries,  in  line  with  the  principle  that  hash  functions  should  be  defined  with 
a fixed  or  a small  set  of  allowable  IVs). 


9.3.4  Security  objectives  and  basic  attacks 

As  a framework  for  evaluating  the  computational  security  of  hash  functions,  the  objectives 
of  both  the  hash  function  designer  and  an  adversary  should  be  understood.  Based  on  Defi- 
nitions 9.3,  9.4,  and  9.7,  these  are  summarized  in  Table  9.2,  and  discussed  below. 


Hash type | Design goal               | Ideal strength              | Adversary's goal
----------+---------------------------+-----------------------------+----------------------------
OWHF      | preimage resistance;      | 2^n                         | produce preimage;
          | 2nd-preimage resistance   | 2^n                         | find 2nd input, same image
CRHF      | collision resistance      | 2^{n/2}                     | produce any collision
MAC       | key non-recovery;         | 2^t                         | deduce MAC key;
          | computation resistance    | P_f = max(2^{-t}, 2^{-n})   | produce new (msg, MAC)

Table 9.2: Design objectives for n-bit hash functions (t-bit MAC key). P_f denotes the probability of forgery by correctly guessing a MAC.

Given  a specific  hash  function,  it  is  desirable  to  be  able  to  prove  a lower  bound  on  the  com- 
plexity of  attacking  it  under  specified  scenarios,  with  as  few  or  weak  a set  of  assumptions  as 
possible.  However,  such  results  are  scarce.  Typically  the  best  guidance  available  regarding 
the security of a particular hash function is the complexity of the (most efficient) applicable known attack, which gives an upper bound on security. An attack of complexity 2^t is one which requires approximately 2^t operations, each being an appropriate unit of work (e.g., one execution of the compression function or one encryption of an underlying cipher). The storage complexity of an attack (i.e., storage required) should also be considered.

(i)  Attacks  on  the  bitsize  of  an  MDC 

Given a fixed message x with n-bit hash h(x), a naive method for finding an input colliding with x is to pick a random bitstring x' (of bounded bitlength) and check if h(x') = h(x). The cost may be as little as one compression function evaluation, and memory is negligible. Assuming the hash-code approximates a uniform random variable, the probability of a match is 2^{-n}. The implication of this is Fact 9.33, which also indicates the effort required to find collisions if x may itself be chosen freely. Definition 9.34 is motivated by the design goal that the best possible attack should require no less than such levels of effort, i.e., essentially brute force.

9.33 Fact (basic hash attacks) For an n-bit hash function h, one may expect a guessing attack to find a preimage or second preimage within 2^n hashing operations. For an adversary able to choose messages, a birthday attack (see §9.7.1) allows colliding pairs of messages x, x' with h(x) = h(x') to be found in about 2^{n/2} operations, and negligible memory.

9.34 Definition An n-bit unkeyed hash function has ideal security if both: (1) given a hash output, producing each of a preimage and a 2nd-preimage requires approximately 2^n operations; and (2) producing a collision requires approximately 2^{n/2} operations.

(ii)  Attacks  on  the  MAC  key  space 

An attempt may be made to determine a MAC key using exhaustive search. With a single known text-MAC pair, an attacker may compute the n-bit MAC on that text under all possible keys, and then check which of the computed MAC-values agrees with that of the known pair. For a t-bit key space this requires 2^t MAC operations, after which one expects 1 + 2^{t-n} candidate keys remain. Assuming the MAC behaves as a random mapping, it can be shown that one can expect to reduce this to a unique key by testing the candidate keys using just over t/n text-MAC pairs. Ideally, a MAC key (or information of cryptographically equivalent value) would not be recoverable in fewer than 2^t operations.

As a probabilistic attack on the MAC key space distinct from key recovery, note that for a t-bit key and a fixed input, a randomly guessed key will yield a correct (n-bit) MAC with probability ≈ 2^{-t} for t < n.
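The candidate-key arithmetic of this subsection checked against a toy MAC, as an added example that is not part of the handbook: a t = 16-bit key and n = 8-bit output are assumed so that the 2^t search is instant, and HMAC-SHA256 truncated to n bits is the assumed stand-in for a MAC that behaves as a random mapping. One known text-MAC pair leaves about 1 + 2^{t-n} = 257 candidate keys; each further pair divides the false candidates by 2^n, so just over t/n = 2 pairs isolate the key. The figures illustrate why the key length t, not only the tag length n, bounds a MAC's security.

```python
import hashlib
import hmac

T_BITS = 16   # t: toy key size, small enough that the 2^t exhaustive search runs instantly
N_BITS = 8    # n: MAC output size


def toy_mac(key: int, text: bytes) -> int:
    """n-bit MAC under a t-bit key. HMAC-SHA256 truncated to n bits is an assumed stand-in
    chosen only because it behaves essentially as a random mapping."""
    key_bytes = key.to_bytes((T_BITS + 7) // 8, "big")
    tag = hmac.new(key_bytes, text, hashlib.sha256).digest()
    return int.from_bytes(tag, "big") >> (256 - N_BITS)


def candidate_keys(pairs) -> list:
    """Exhaustive search over all 2^t keys: keep those consistent with every known
    (text, MAC) pair. The true key is always among the survivors."""
    return [k for k in range(2 ** T_BITS)
            if all(toy_mac(k, text) == mac for text, mac in pairs)]


def expected_false_candidates(num_pairs: int) -> float:
    """Wrong keys surviving num_pairs known pairs, for a random-mapping MAC:
    (2^t - 1) * 2^(-n * num_pairs). With one pair this is about 2^(t-n), matching the
    text's 1 + 2^(t-n) total once the true key is added."""
    return (2 ** T_BITS - 1) * 2.0 ** (-N_BITS * num_pairs)


if __name__ == "__main__":
    secret = 0xBEEF                       # constructed secret key
    texts = [b"transfer 10", b"transfer 20", b"transfer 30", b"transfer 40"]
    pairs = [(m, toy_mac(secret, m)) for m in texts]   # constructed known text-MAC pairs
    for k in range(1, len(pairs) + 1):
        survivors = candidate_keys(pairs[:k])
        print(k, "pair(s):", len(survivors), "candidates, expected false",
              round(expected_false_candidates(k), 3))
```

The observed survivor counts fluctuate around the expectation (a binomial with mean about 256 after one pair), which is why the text speaks of "just over" t/n pairs rather than an exact number.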

(iii)  Attacks  on  the  bitsize  of  a MAC 

MAC forgery involves producing any input x and the corresponding correct MAC without having obtained the latter from anyone with knowledge of the key. For an n-bit MAC algorithm, either guessing a MAC for a given input, or guessing a preimage for a given MAC output, has probability of success about 2^{-n}, as for an MDC. A difference here, however, is that guessed MAC-values cannot be verified off-line without known text-MAC pairs - either knowledge of the key, or a “black-box” which provides MACs for given inputs (i.e., a chosen-text scenario) is required. Since recovering the MAC key trivially allows forgery, an attack on the t-bit key space (see above) must also be considered here. Ideally, an adversary would be unable to produce new (correct) text-MAC pairs (x, y) with probability significantly better than max(2^{-t}, 2^{-n}), i.e., the better of guessing a key or a MAC-value.
(iv) Attacks using precomputations, multiple targets, and long messages

9.35 Remark (precomputation of hash values) For both preimage and second preimage attacks, an opponent who precomputes a large number of hash function input-output pairs may trade off precomputation plus storage for subsequent attack time. For example, for a 64-bit hash value, if one randomly selects 2^40 inputs, then computes their hash values and stores (hash value, input) pairs indexed by hash value, this precomputation of O(2^40) time and space allows an adversary to increase the probability of finding a preimage (per one subsequent hash function computation) from 2^{−64} to 2^{−24}. Similarly, the probability of finding a second preimage increases to r times its original value (when no stored pairs are known) if r input-output pairs of a OWHF are precomputed and tabulated.

9.36  Remark  ( effect  of  parallel  targets  for  OWHFs)  In  a basic  attack,  an  adversary  seeks  a sec- 
ond preimage  for  one  fixed  target  (the  image  computed  from  a first  preimage).  If  there  are  r 
targets  and  the  goal  is  to  find  a second  preimage  for  any  one  of  these  r,  then  the  probability 
of  success  increases  to  r times  the  original  probability.  One  implication  is  that  when  using 
hash  functions  in  conjunction  with  keyed  primitives  such  as  digital  signatures,  repeated  use 
of  the  keyed  primitive  may  weaken  the  security  of  the  combined  mechanism  in  the  follow- 
ing sense.  If  r signed  messages  are  available,  the  probability  of  a hash  collision  increases 
r-fold  (cf.  Remark  9.35),  and  colliding  messages  yield  equivalent  signatures,  which  an  op- 
ponent could  not  itself  compute  off-line. 

Fact  9.37  reflects  a related  attack  strategy  of  potential  concern  when  using  iterated  hash 
functions  on  long  messages. 

9.37 Fact (long-message attack for 2nd-preimage) Let h be an iterated n-bit hash function with compression function f (as in equation (9.1), without MD-strengthening). Let x be a message consisting of t blocks. Then a 2nd-preimage for h(x) can be found in time (2^n/s) + s operations of f, and in space n(s + lg(s)) bits, for any s in the range 1 ≤ s ≤ min(t, 2^{n/2}).

Justification. The idea is to use a birthday attack on the intermediate hash-results; a sketch for the choice s = t follows. Compute h(x), storing (H_i, i) for each of the t intermediate hash-results H_i corresponding to the t input blocks x_i, in a table such that they may be later indexed by value. Compute h(z) for random choices z, checking for a collision involving h(z) in the table, until one is found; approximately 2^n/s values z will be required, by the birthday paradox. Identify the index j from the table responsible for the collision; the input z x_{j+1} x_{j+2} ... x_t then collides with x.

9.38 Note (implication of long messages) Fact 9.37 implies that for “long” messages, a 2nd-preimage is generally easier to find than a preimage (the latter takes at most 2^n operations), becoming more so with the length of x. For t ≥ 2^{n/2}, computation is minimized by choosing s = 2^{n/2}, in which case a 2nd-preimage costs about 2^{n/2} executions of f (comparable to the difficulty of finding a collision).


9.3.5 Bitsizes required for practical security

Suppose that a hash function produces n-bit hash-values, and as a representative benchmark assume that 2^80 (but not fewer) operations is acceptably beyond computational feasibility.^2 Then the following statements may be made regarding n.

^2 Circa 1996, 2^40 simple operations is quite feasible, and 2^56 is considered quite reachable by those with sufficient motivation (possibly using parallelization or customized machines).
1. For a OWHF, n ≥ 80 is required. Exhaustive off-line attacks require at most 2^n operations; this may be reduced with precomputation (Remark 9.35).

2. For a CRHF, n ≥ 160 is required. Birthday attacks are applicable (Fact 9.33).

3. For a MAC, n ≥ 64 along with a MAC key of 64-80 bits is sufficient for most applications and environments (cf. Table 9.1). If a single MAC key remains in use, off-line attacks may be possible given one or more text-MAC pairs; but for a proper MAC algorithm, preimage and 2nd-preimage resistance (as well as collision resistance) should follow directly from lack of knowledge of the key, and thus security with respect to such attacks should depend on the keysize rather than n. For attacks requiring on-line queries, additional controls may be used to limit the number of such queries, constrain the format of MAC inputs, or prevent disclosure of MAC outputs for random (chosen-text) inputs. Given special controls, values as small as n = 32 or 40 may be acceptable; but caution is advised, since even with one-time MAC keys, the chance of any randomly guessed MAC being correct is 2^{−n}, and the relevant factors are the total number of trials a system is subject to over its lifetime, and the consequences of a single successful forgery.

These guidelines may be relaxed somewhat if a lower threshold of computational infeasibility is assumed (e.g., 2^64 instead of 2^80). However, an additional consideration to be taken into account is that for both a CRHF and a OWHF, not only can off-line attacks be carried out, but these can typically be parallelized. Key search attacks against MACs may also be parallelized.


9.4  Unkeyed  hash  functions  (MDCs) 

A move  from  general  properties  and  constructions  to  specific  hash  functions  is  now  made, 
and  in  this  section  the  subclass  of  unkeyed  hash  functions  known  as  modification  detection 
codes  (MDCs)  is  considered.  From  a structural  viewpoint,  these  may  be  categorized  based 
on  the  nature  of  the  operations  comprising  their  internal  compression  functions.  From  this 
viewpoint,  the  three  broadest  categories  of  iterated  hash  functions  studied  to  date  are  hash 
functions based on block ciphers, customized hash functions, and hash functions based on
modular  arithmetic.  Customized  hash  functions  are  those  designed  specifically  for  hashing, 
with  speed  in  mind  and  independent  of  other  system  subcomponents  (e.g.,  block  cipher  or 
modular  multiplication  subcomponents  which  may  already  be  present  for  non-hashing  pur- 
poses). 

Table  9.3  summarizes  the  conjectured  security  of  a subset  of  the  MDCs  subsequently 
discussed  in  this  section.  Similar  to  the  case  of  block  ciphers  for  encryption  (e.g.  8-  or  12- 
round  DES  vs.  16-round  DES),  security  of  MDCs  often  comes  at  the  expense  of  speed,  and 
tradeoffs  are  typically  made.  In  the  particular  case  of  block-cipher-based  MDCs,  a provably 
secure  scheme  of  Merkle  (see  page  378)  with  rate  0.276  (see  Definition  9.40)  is  known  but 
little-used,  while  MDC-2  is  widely  believed  to  be  (but  not  provably)  secure,  has  rate  = 0.5, 
and  receives  much  greater  attention  in  practice. 


Hash function        | n   | m   | Preimage | Collision | Comments
Matyas-Meyer-Oseas^a | n   | n   | 2^n      | 2^{n/2}   | for keylength = n
MDC-2 (with DES)^b   | 64  | 128 | 2·2^82   | 2·2^54    | rate 0.5
MDC-4 (with DES)     | 64  | 128 | 2^109    | 4·2^54    | rate 0.25
Merkle (with DES)    | 106 | 128 | 2^112    | 2^56      | rate 0.276
MD4                  | 512 | 128 | 2^128    | 2^20      | Remark 9.50
MD5                  | 512 | 128 | 2^128    | 2^64      | Remark 9.52
RIPEMD-128           | 512 | 128 | 2^128    | 2^64      | -
SHA-1, RIPEMD-160    | 512 | 160 | 2^160    | 2^80      | -

^a The same strength is conjectured for Davies-Meyer and Miyaguchi-Preneel hash functions.
^b Strength could be increased using a cipher with keylength equal to cipher blocklength.

Table 9.3: Upper bounds on strength of selected hash functions. n-bit message blocks are processed to produce m-bit hash-values. Number of cipher or compression function operations currently believed necessary to find preimages and collisions are specified, assuming no underlying weaknesses for block ciphers (figures for MDC-2 and MDC-4 account for DES complementation and weak key properties). Regarding rate, see Definition 9.40.


9.4.1 Hash functions based on block ciphers

A practical motivation for constructing hash functions from block ciphers is that if an efficient implementation of a block cipher is already available within a system (either in hardware or software), then using it as the central component for a hash function may provide the latter functionality at little additional cost. The (not always well-founded) hope is that a good block cipher may serve as a building block for the creation of a hash function with properties suitable for various applications.

Constructions for hash functions have been given which are “provably secure” assuming certain ideal properties of the underlying block cipher. However, block ciphers do not possess the properties of random functions (for example, they are invertible; see Remark 9.14). Moreover, in practice block ciphers typically exhibit additional regularities or weaknesses (see §9.7.4). For example, for a block cipher E, double encryption using an encrypt-decrypt (E-D) cascade with keys K_1, K_2 results in the identity mapping when K_1 = K_2. In summary, while various necessary conditions are known, it is unclear exactly what requirements of a block cipher are sufficient to construct a secure hash function, and properties adequate for a block cipher (e.g., resistance to chosen-text attack) may not guarantee a good hash function.

In the constructions which follow, Definition 9.39 is used.

9.39 Definition An (n, r) block cipher is a block cipher defining an invertible function from n-bit plaintexts to n-bit ciphertexts using an r-bit key. If E is such a cipher, then E_k(x) denotes the encryption of x under key k.

Discussion of hash functions constructed from n-bit block ciphers is divided between those producing single-length (n-bit) and double-length (2n-bit) hash-values, where single and double are relative to the size of the block cipher output. Under the assumption that computations of 2^64 operations are infeasible,^3 the objective of single-length hash functions is to provide a OWHF for ciphers of blocklength near n = 64, or to provide CRHFs for cipher blocklengths near n = 128. The motivation for double-length hash functions is that many n-bit block ciphers exist of size approximately n = 64, and single-length hash-codes of this size are not collision resistant. For such ciphers, the goal is to obtain hash-codes of bitlength 2n which are CRHFs.

In the simplest case, the size of the key used in such hash functions is approximately the same as the blocklength of the cipher (i.e., n bits). In other cases, hash functions use larger (e.g., double-length) keys. Another characteristic to be noted in such hash functions is the number of block cipher operations required to produce a hash output of blocklength equal to that of the cipher, motivating the following definition.

^3 The discussion here is easily altered for a more conservative bound, e.g., 2^80 operations as used in §9.3.5. Here 2^64 is more convenient for discussion, due to the omnipresence of 64-bit block ciphers.

9.40 Definition Let h be an iterated hash function constructed from a block cipher, with compression function f which performs s block encryptions to process each successive n-bit message block. Then the rate of h is 1/s.

The hash functions discussed in this section are summarized in Table 9.4. The Matyas-Meyer-Oseas and MDC-2 algorithms are the basis, respectively, of the two generic hash functions in ISO standard 10118-2, each allowing use of any n-bit block cipher E and providing hash-codes of bitlength m ≤ n and m ≤ 2n, respectively.


Hash function      | (n, k, m)     | Rate
Matyas-Meyer-Oseas | (n, k, n)     | 1
Davies-Meyer       | (n, k, n)     | k/n
Miyaguchi-Preneel  | (n, k, n)     | 1
MDC-2 (with DES)   | (64, 56, 128) | 1/2
MDC-4 (with DES)   | (64, 56, 128) | 1/4

Table 9.4: Summary of selected hash functions based on n-bit block ciphers. k = key bitsize (approximate); function yields m-bit hash-values.


(i)  Single-length  MDCs  of  rate  1 

The  first  three  schemes  described  below,  and  illustrated  in  Figure  9.3,  are  closely  related 
single-length  hash  functions  based  on  block  ciphers.  These  make  use  of  the  following  pre- 
defined components: 

1. a generic n-bit block cipher E_K parametrized by a symmetric key K;

2.  a function  g which  maps  n-bit  inputs  to  keys  K suitable  for  E (if  keys  for  E are  also 
of  length  n,  g might  be  the  identity  function);  and 

3.  a fixed  (usually  n-bit)  initial  value  IV,  suitable  for  use  with  E. 


[Figure 9.3 (diagram not reproduced): three panels, Matyas-Meyer-Oseas, Davies-Meyer, and Miyaguchi-Preneel, each showing how x_i and H_{i−1} enter E and are XORed to give H_i.]

Figure 9.3: Three single-length, rate-one MDCs based on block ciphers.


©1997  by  CRC  Press,  Inc.  — See  accompanying  notice  at  front  of  chapter. 




9.41 Algorithm Matyas-Meyer-Oseas hash

INPUT: bitstring x.

OUTPUT: n-bit hash-code of x.

1. Input x is divided into n-bit blocks and padded, if necessary, to complete the last block. Denote the padded message consisting of t n-bit blocks: x_1 x_2 ... x_t. A constant n-bit initial value IV must be pre-specified.

2. The output is H_t defined by: H_0 = IV; H_i = E_{g(H_{i−1})}(x_i) ⊕ x_i, 1 ≤ i ≤ t.


9.42 Algorithm Davies-Meyer hash

INPUT: bitstring x.

OUTPUT: n-bit hash-code of x.

1. Input x is divided into k-bit blocks where k is the keysize, and padded, if necessary, to complete the last block. Denote the padded message consisting of t k-bit blocks: x_1 x_2 ... x_t. A constant n-bit initial value IV must be pre-specified.

2. The output is H_t defined by: H_0 = IV; H_i = E_{x_i}(H_{i−1}) ⊕ H_{i−1}, 1 ≤ i ≤ t.


9.43 Algorithm Miyaguchi-Preneel hash

This scheme is identical to that of Algorithm 9.41, except the output H_{i−1} from the previous stage is also XORed to that of the current stage. More precisely, H_i is redefined as: H_0 = IV; H_i = E_{g(H_{i−1})}(x_i) ⊕ x_i ⊕ H_{i−1}, 1 ≤ i ≤ t.


9.44 Remark (dual schemes) The Davies-Meyer hash may be viewed as the ‘dual’ of the Matyas-Meyer-Oseas hash, in the sense that x_i and H_{i−1} play reversed roles. When DES is used as the block cipher in Davies-Meyer, the input is processed in 56-bit blocks (yielding rate 56/64 < 1), whereas Matyas-Meyer-Oseas and Miyaguchi-Preneel process 64-bit blocks.

9.45 Remark (black-box security) Aside from heuristic arguments as given in Example 9.13, it appears that all three of Algorithms 9.41, 9.42, and 9.43 yield hash functions which are provably secure under an appropriate “black-box” model (e.g., assuming E has the required randomness properties, and that attacks may not make use of any special properties or internal details of E). “Secure” here means that finding preimages and collisions (in fact, pseudo-preimages and pseudo-collisions; see §9.7.2) require on the order of 2^n and 2^{n/2} n-bit block cipher operations, respectively. Due to their single-length nature, none of these three is collision resistant for underlying ciphers of relatively small blocklength (e.g., DES, which yields 64-bit hash-codes).

Several  double-length  hash  functions  based  on  block  ciphers  are  considered  next. 

(ii)  Double-length  MDCs:  MDC-2  and  MDC-4 

MDC-2  and  MDC-4  are  manipulation  detection  codes  requiring  2 and  4,  respectively,  block 
cipher  operations  per  block  of  hash  input.  They  employ  a combination  of  either  2 or  4 itera- 
tions of  the  Matyas-Meyer-Oseas  (single-length)  scheme  to  produce  a double-length  hash. 
When  used  as  originally  specified,  using  DES  as  the  underlying  block  cipher,  they  produce 
128-bit  hash-codes.  The  general  construction,  however,  can  be  used  with  other  block  ci- 
phers. MDC-2  and  MDC-4  make  use  of  the  following  pre-specified  components: 
1. DES as the block cipher E_K of bitlength n = 64 parameterized by a 56-bit key K;

2. two functions g and g̃ which map 64-bit values U to suitable 56-bit DES keys as follows. For U = u_1 u_2 ... u_64, delete every eighth bit starting with u_8, and set the 2nd and 3rd bits to ‘10’ for g, and ‘01’ for g̃:

g(U) = u_1 1 0 u_4 u_5 u_6 u_7 u_9 u_10 ... u_63.
g̃(U) = u_1 0 1 u_4 u_5 u_6 u_7 u_9 u_10 ... u_63.

(The resulting values are guaranteed not to be weak or semi-weak DES keys, as all such keys have bit 2 = bit 3; see page 375. Also, this guarantees the security requirement that g(IV) ≠ g̃(ĨV).)

MDC-2  is  specified  in  Algorithm  9.46  and  illustrated  in  Figure  9.4. 


[Figure 9.4 (diagram not reproduced): the block x_i enters two parallel Matyas-Meyer-Oseas steps keyed from H_{i−1} and H̃_{i−1}, whose outputs exchange right halves to give H_i and H̃_i.]

Figure 9.4: Compression function of MDC-2 hash function. E = DES.

9.46 Algorithm MDC-2 hash function (DES-based)

INPUT: string x of bitlength r = 64t for t ≥ 2.

OUTPUT: 128-bit hash-code of x.

1. Partition x into 64-bit blocks x_i: x = x_1 x_2 ... x_t.

2. Choose the 64-bit non-secret constants IV, ĨV (the same constants must be used for MDC verification) from a set of recommended prescribed values. A default set of prescribed values is (in hexadecimal): IV = 0x5252525252525252, ĨV = 0x2525252525252525.

3. Let || denote concatenation, and C_i^L, C_i^R the left and right 32-bit halves of C_i. The output is h(x) = H_t || H̃_t defined as follows (for 1 ≤ i ≤ t):

H_0 = IV; k_i = g(H_{i−1}); C_i = E_{k_i}(x_i) ⊕ x_i; H_i = C_i^L || C̃_i^R
H̃_0 = ĨV; k̃_i = g̃(H̃_{i−1}); C̃_i = E_{k̃_i}(x_i) ⊕ x_i; H̃_i = C̃_i^L || C_i^R.


In  Algorithm  9.46,  padding  may  be  necessary  to  meet  the  bitlength  constraint  on  the 
input  x.  In  this  case,  an  unambiguous  padding  method  may  be  used  (see  Remark  9.31), 
possibly  including  MD-strengthening  (see  Remark  9.32). 

MDC-4  (see  Algorithm  9.47  and  Figure  9.5)  is  constructed  using  the  MDC-2  compres- 
sion function.  One  iteration  of  the  MDC-4  compression  function  consists  of  two  sequential 
executions  of  the  MDC-2  compression  function,  where: 

1.  the  two  64-bit  data  inputs  to  the  first  MDC-2  compression  are  both  the  same  next 
64-bit  message  block; 

2.  the  keys  for  the  first  MDC-2  compression  are  derived  from  the  outputs  (chaining  vari- 
ables) of  the  previous  MDC-4  compression; 

3.  the  keys  for  the  second  MDC-2  compression  are  derived  from  the  outputs  (chaining 
variables)  of  the  first  MDC-2  compression;  and 

4.  the  two  64-bit  data  inputs  for  the  second  MDC-2  compression  are  the  outputs  (chain- 
ing variables)  from  the  opposite  sides  of  the  previous  MDC-4  compression. 


9.47  Algorithm  MDC-4  hash  function  (DES-based) 


INPUT: string x of bitlength r = 64t for t ≥ 2. (See MDC-2 above regarding padding.)
OUTPUT: 128-bit hash-code of x.


1.  As  in  step  1 of  MDC-2  above. 

2.  As  in  step  2 of  MDC-2  above. 

3. With notation as in MDC-2, the output is h(x) = G_t || G̃_t defined as follows (for 1 ≤ i ≤ t):

G_0 = IV; G̃_0 = ĨV;
k_i = g(G_{i−1}); C_i = E_{k_i}(x_i) ⊕ x_i; H_i = C_i^L || C̃_i^R
k̃_i = g̃(G̃_{i−1}); C̃_i = E_{k̃_i}(x_i) ⊕ x_i; H̃_i = C̃_i^L || C_i^R
j_i = g(H_i); D_i = E_{j_i}(G̃_{i−1}) ⊕ G̃_{i−1}; G_i = D_i^L || D̃_i^R
j̃_i = g̃(H̃_i); D̃_i = E_{j̃_i}(G_{i−1}) ⊕ G_{i−1}; G̃_i = D̃_i^L || D_i^R.
9.4.2  Customized  hash  functions  based  on  MD4 

Customized  hash  functions  are  those  which  are  specifically  designed  “from  scratch”  for  the 
explicit  purpose  of  hashing,  with  optimized  performance  in  mind,  and  without  being  con- 
strained to  reusing  existing  system  components  such  as  block  ciphers  or  modular  arithmetic. 
Those  having  received  the  greatest  attention  in  practice  are  based  on  the  MD4  hash  function. 

Number  4 in  a series  of  hash  functions  (Message  Digest  algorithms),  MD4  was  de- 
signed specifically  for  software  implementation  on  32-bit  machines.  Security  concerns  mo- 
tivated the  design  of  MD5  shortly  thereafter,  as  a more  conservative  variation  of  MD4. 
[Figure 9.5 (diagram not reproduced): x_i feeds a first MDC-2 compression keyed from G_{i−1}, G̃_{i−1}; a second MDC-2 compression keyed from the resulting H_i, H̃_i processes G̃_{i−1} and G_{i−1} to give G_i, G̃_i.]

Figure 9.5: Compression function of MDC-4 hash function.


Other important subsequent variants include the Secure Hash Algorithm (SHA-1), the hash function RIPEMD, and its strengthened variants RIPEMD-128 and RIPEMD-160. Parameters for these hash functions are summarized in Table 9.5. “Rounds × Steps per round” refers to operations performed on input blocks within the corresponding compression function. Table 9.6 specifies test vectors for a subset of these hash functions.

Notation for description of MD4-family algorithms

Table  9.7  defines  the  notation  for  the  description  of  MD4-family  algorithms  described  be- 
low. Note  9.48  addresses  the  implementation  issue  of  converting  strings  of  bytes  to  words 
in  an  unambiguous  manner. 

9.48 Note (little-endian vs. big-endian) For interoperable implementations involving byte-to-word conversions on different processors (e.g., converting between 32-bit words and groups of four 8-bit bytes), an unambiguous convention must be specified. Consider a stream of bytes B_i with increasing memory addresses i, to be interpreted as a 32-bit word with numerical value W. In little-endian architectures, the byte with the lowest memory address (B_1) is the least significant byte: W = 2^24 B_4 + 2^16 B_3 + 2^8 B_2 + B_1. In big-endian architectures, the byte with the lowest address (B_1) is the most significant byte: W = 2^24 B_1 + 2^16 B_2 + 2^8 B_3 + B_4.

Name       | Bitlength | Rounds × Steps per round   | Relative speed
MD4        | 128       | 3 × 16                     | 1.00
MD5        | 128       | 4 × 16                     | 0.68
RIPEMD-128 | 128       | 4 × 16 twice (in parallel) | 0.39
SHA-1      | 160       | 4 × 20                     | 0.28
RIPEMD-160 | 160       | 5 × 16 twice (in parallel) | 0.24

Table 9.5: Summary of selected hash functions based on MD4.


Name       | String                       | Hash value (as a hex byte string)
MD4        | “”                           | 31d6cfe0d16ae931b73c59d7e0c089c0
           | “a”                          | bde52cb31de33e46245e05fbdbd6fb24
           | “abc”                        | a448017aaf21d8525fc10ae87aa6729d
           | “abcdefghijklmnopqrstuvwxyz” | d79e1c308aa5bbcdeea8ed63df412da9
MD5        | “”                           | d41d8cd98f00b204e9800998ecf8427e
           | “a”                          | 0cc175b9c0f1b6a831c399e269772661
           | “abc”                        | 900150983cd24fb0d6963f7d28e17f72
           | “abcdefghijklmnopqrstuvwxyz” | c3fcd3d76192e4007dfb496cca67e13b
SHA-1      | “”                           | da39a3ee5e6b4b0d3255bfef95601890afd80709
           | “a”                          | 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8
           | “abc”                        | a9993e364706816aba3e25717850c26c9cd0d89d
           | “abcdefghijklmnopqrstuvwxyz” | 32d10c7b8cf96570ca04ce37f2a19d84240d3a89
RIPEMD-160 | “”                           | 9c1185a5c5e9fc54612808977ee8f548b2258d31
           | “a”                          | 0bdc9d2d256b3ee9daae347be6f4dc835a467ffe
           | “abc”                        | 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc
           | “abcdefghijklmnopqrstuvwxyz” | f71c27109c692c1b56bbdceb5b9d2865b3708dbc

Table 9.6: Test vectors for selected hash functions.


Notation                          | Meaning
u, v, w                           | variables representing 32-bit quantities
0x67452301                        | hexadecimal 32-bit integer (least significant byte: 01)
+                                 | addition modulo 2^32
ū                                 | bitwise complement
u ↩ s                             | result of rotating u left through s positions
uv                                | bitwise AND
u ∨ v                             | bitwise inclusive-OR
u ⊕ v                             | bitwise exclusive-OR
f(u, v, w)                        | uv ∨ ūw
g(u, v, w)                        | uv ∨ uw ∨ vw
h(u, v, w)                        | u ⊕ v ⊕ w
(X_1, ..., X_j) ← (Y_1, ..., Y_j) | simultaneous assignments (X_i ← Y_i), where (Y_1, ..., Y_j) is evaluated prior to any assignments

Table 9.7: Notation for MD4-family algorithms.


(i) MD4

MD4 (Algorithm 9.49) is a 128-bit hash function. The original MD4 design goals were that breaking it should require roughly brute-force effort: finding distinct messages with the same hash-value should take about 2^64 operations, and finding a message yielding a pre-specified hash-value about 2^128 operations. It is now known that MD4 fails to meet this goal (Remark 9.50). Nonetheless, a full description of MD4 is included as Algorithm 9.49 for historical and cryptanalytic reference. It also serves as a convenient reference for describing, and allowing comparisons between, other hash functions in this family.


9.49 Algorithm MD4 hash function

INPUT: bitstring x of arbitrary bitlength b ≥ 0. (For notation see Table 9.7.)

OUTPUT: 128-bit hash-code of x. (See Table 9.6 for test vectors.)

1. Definition of constants. Define four 32-bit initial chaining values (IVs):

h_1 = 0x67452301, h_2 = 0xefcdab89, h_3 = 0x98badcfe, h_4 = 0x10325476.

Define additive 32-bit constants:
y[j] = 0, 0 ≤ j ≤ 15;
y[j] = 0x5a827999, 16 ≤ j ≤ 31; (constant = square-root of 2)
y[j] = 0x6ed9eba1, 32 ≤ j ≤ 47; (constant = square-root of 3)

Define order for accessing source words (each list contains 0 through 15):
z[0..15] = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15],
z[16..31] = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
z[32..47] = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15].

Finally define the number of bit positions for left shifts (rotates):
s[0..15] = [3, 7, 11, 19, 3, 7, 11, 19, 3, 7, 11, 19, 3, 7, 11, 19],
s[16..31] = [3, 5, 9, 13, 3, 5, 9, 13, 3, 5, 9, 13, 3, 5, 9, 13],
s[32..47] = [3, 9, 11, 15, 3, 9, 11, 15, 3, 9, 11, 15, 3, 9, 11, 15].

2. Preprocessing. Pad x such that its bitlength is a multiple of 512, as follows. Append a single 1-bit, then append r − 1 (≥ 0) 0-bits for the smallest r resulting in a bitlength 64 less than a multiple of 512. Finally append the 64-bit representation of b mod 2^64, as two 32-bit words with least significant word first. (Regarding converting between streams of bytes and 32-bit words, the convention is little-endian; see Note 9.48.) Let m be the number of 512-bit blocks in the resulting string (b + r + 64 = 512m = 32 · 16m). The formatted input consists of 16m 32-bit words: x_0 x_1 ... x_{16m−1}. Initialize: (H_1, H_2, H_3, H_4) ← (h_1, h_2, h_3, h_4).

3. Processing. For each i from 0 to m − 1, copy the ith block of 16 32-bit words into temporary storage: X[j] ← x_{16i+j}, 0 ≤ j ≤ 15, then process these as below in three 16-step rounds before updating the chaining variables:

(initialize working variables) (A, B, C, D) ← (H_1, H_2, H_3, H_4).

(Round 1) For j from 0 to 15 do the following:
t ← (A + f(B, C, D) + X[z[j]] + y[j]), (A, B, C, D) ← (D, t ↩ s[j], B, C).

(Round 2) For j from 16 to 31 do the following:
t ← (A + g(B, C, D) + X[z[j]] + y[j]), (A, B, C, D) ← (D, t ↩ s[j], B, C).

(Round 3) For j from 32 to 47 do the following:
t ← (A + h(B, C, D) + X[z[j]] + y[j]), (A, B, C, D) ← (D, t ↩ s[j], B, C).

(update chaining values) (H_1, H_2, H_3, H_4) ← (H_1 + A, H_2 + B, H_3 + C, H_4 + D).

4. Completion. The final hash-value is the concatenation: H_1 || H_2 || H_3 || H_4 (with first and last bytes the low- and high-order bytes of H_1, H_4, respectively).


9.50 Remark (MD4 collisions) Collisions have been found for MD4 in 2^20 compression function computations (cf. Table 9.3). For this reason, MD4 is no longer recommended for use as a collision-resistant hash function. While its utility as a one-way function has not been studied in light of this result, it is prudent to expect a preimage attack on MD4 requiring fewer than 2^128 operations will be found.
(ii) MD5

MD5 (Algorithm 9.51) was designed as a strengthened version of MD4, prior to actual MD4 collisions being found. It has enjoyed widespread use in practice. It has also now been found to have weaknesses (Remark 9.52).

The  changes  made  to  obtain  MD5  from  MD4  are  as  follows: 

1.  addition  of  a fourth  round  of  16  steps,  and  a Round  4 function 

2.  replacement  of  the  Round  2 function  by  a new  function 

3.  modification  of  the  access  order  for  message  words  in  Rounds  2 and  3 

4.  modification  of  the  shift  amounts  (such  that  shifts  differ  in  distinct  rounds) 

5. use of unique additive constants in each of the 4 × 16 steps, based on the integer part of 2^32 · sin(j) for step j (requiring overall, 256 bytes of storage)

6.  addition  of  output  from  the  previous  step  into  each  of  the  64  steps. 


9.51 Algorithm MD5 hash function

INPUT: bitstring x of arbitrary bitlength b ≥ 0. (For notation, see Table 9.7.)

OUTPUT: 128-bit hash-code of x. (See Table 9.6 for test vectors.)

MD5 is obtained from MD4 by making the following changes.

1. Notation. Replace the Round 2 function by: g(u, v, w) = uw ∨ vw̄.

Define a Round 4 function: k(u, v, w) = v ⊕ (u ∨ w̄).

2. Definition of constants. Redefine unique additive constants:

y[j] = first 32 bits of binary value abs(sin(j + 1)), 0 ≤ j ≤ 63, where j is in radians and “abs” denotes absolute value. Redefine access order for words in Rounds 2 and 3, and define for Round 4:

z[16..31] = [1, 6, 11, 0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12],
z[32..47] = [5, 8, 11, 14, 1, 4, 7, 10, 13, 0, 3, 6, 9, 12, 15, 2],
z[48..63] = [0, 7, 14, 5, 12, 3, 10, 1, 8, 15, 6, 13, 4, 11, 2, 9].

Redefine number of bit positions for left shifts (rotates):
s[0..15] = [7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22],
s[16..31] = [5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20],
s[32..47] = [4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23],
s[48..63] = [6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21].

3. Preprocessing. As in MD4.

4. Processing. In each of Rounds 1, 2, and 3, replace “B ← (t ↩ s[j])” by “B ← B + (t ↩ s[j])”. Also, immediately following Round 3 add:

(Round 4) For j from 48 to 63 do the following:
t ← (A + k(B, C, D) + X[z[j]] + y[j]), (A, B, C, D) ← (D, B + (t ↩ s[j]), B, C).

5. Completion. As in MD4.


9.52 Remark (MD5 compression function collisions) While no collisions for MD5 have yet
been found (cf. Table 9.3), collisions have been found for the MD5 compression function.
More specifically, these are called collisions for random IV. (See §9.7.2, and in particular
Definition 9.97 and Note 9.98.) This remark reflects the state of knowledge at the time of
writing; collisions for the full MD5 hash function have since (2004) been published, and
MD5 is no longer suitable for any application that requires collision resistance.
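The following is an added example and not the Handbook's own code: MD5 written directly from Algorithm 9.51 (MD4's skeleton plus the six changes listed above), with each change marked where it occurs, and checked against Python's hashlib so the transcription of the constants, access order and rotations can be verified. The only assumption is that input arrives as a byte string, so the bitlength is a multiple of 8.

```python
"""MD5 from Algorithm 9.51, checked against hashlib (added example, not the Handbook's code)."""
import hashlib
import math
import struct

MASK = 0xFFFFFFFF


def rotl(x, s):
    """Rotate the 32-bit word x left by s bit positions (t <<< s[j] in the algorithm)."""
    return ((x << s) | (x >> (32 - s))) & MASK


# Round functions: f and h as in MD4; g and k as (re)defined in step 1 of Algorithm 9.51.
def f(u, v, w): return (u & v) | (~u & w)          # Round 1: (u ∧ v) ∨ (¬u ∧ w)
def g(u, v, w): return (u & w) | (v & ~w)          # Round 2: (u ∧ w) ∨ (v ∧ ¬w)
def h(u, v, w): return u ^ v ^ w                   # Round 3: u ⊕ v ⊕ w
def k(u, v, w): return v ^ (u | (~w & MASK))       # Round 4: v ⊕ (u ∨ ¬w)


# Change 5: a distinct additive constant per step, y[j] = integer part of 2^32 * |sin(j + 1)|.
Y = [int(abs(math.sin(j + 1)) * 2 ** 32) & MASK for j in range(64)]

# Change 3: message-word access order; Round 1 is sequential as in MD4.
Z = (list(range(16))
     + [1, 6, 11, 0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12]
     + [5, 8, 11, 14, 1, 4, 7, 10, 13, 0, 3, 6, 9, 12, 15, 2]
     + [0, 7, 14, 5, 12, 3, 10, 1, 8, 15, 6, 13, 4, 11, 2, 9])

# Change 4: rotation amounts, different in each round.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4

# MD4's initial chaining values h1..h4, and the per-round functions (change 1: a fourth round).
IV = (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476)
ROUND_FN = (f, g, h, k)


def compress(state, block):
    """One application of the compression function to a 64-byte block."""
    X = struct.unpack('<16I', block)               # 16 little-endian 32-bit message words
    A, B, C, D = state
    for j in range(64):
        fn = ROUND_FN[j // 16]
        t = (A + fn(B, C, D) + X[Z[j]] + Y[j]) & MASK
        # Change 6: the rotated step result is added into B rather than replacing it.
        A, B, C, D = D, (B + rotl(t, S[j])) & MASK, B, C
    return tuple((s + v) & MASK for s, v in zip(state, (A, B, C, D)))


def md5_digest(data: bytes) -> bytes:
    """Preprocessing as in MD4 (0x80, zero bits, 64-bit little-endian bitlength), then iterate."""
    padded = data + b'\x80' + b'\x00' * ((55 - len(data)) % 64) + struct.pack('<Q', len(data) * 8)
    state = IV
    for i in range(0, len(padded), 64):
        state = compress(state, padded[i:i + 64])
    return struct.pack('<4I', *state)


def self_check() -> bool:
    """Compare with hashlib on inputs that exercise one-block, boundary and multi-block padding."""
    samples = [b'', b'abc', b'a' * 55, b'a' * 56, b'a' * 64, bytes(range(256)) * 3]
    return all(md5_digest(s) == hashlib.md5(s).digest() for s in samples)


if __name__ == '__main__':
    print(md5_digest(b'abc').hex(), self_check())
```

A useful sanity check when transcribing any MD4-family specification is the boundary between 55 and 56 input bytes: the former pads into one block, the latter into two, and an off-by-one in the padding shows up only there.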
(iii) SHA-1

The Secure Hash Algorithm (SHA-1), based on MD4, was proposed by the U.S. National
Institute of Standards and Technology (NIST) for certain U.S. federal government appli-
cations. The main differences of SHA-1 from MD4 are as follows:

1. The hash-value is 160 bits, and five (vs. four) 32-bit chaining variables are used.

2. The compression function has four rounds instead of three, using the MD4 step func-
tions f, g, and h as follows: f in the first, g in the third, and h in both the second and
fourth rounds. Each round has 20 steps instead of 16.

3. Within the compression function, each 16-word message block is expanded to an 80-
word block, by a process whereby each of the last 64 of the 80 words is the XOR of
4 words from earlier positions in the expanded block. These 80 words are then input
one-word-per-step to the 80 steps.

4. The core step is modified as follows: the only rotate used is a constant 5-bit rotate;
the fifth working variable is added into each step result; message words from the ex-
panded message block are accessed sequentially; and C is updated as B rotated left
30 bits, rather than simply B.

5. SHA-1 uses four non-zero additive constants, whereas MD4 used three constants
only two of which were non-zero.

The byte ordering used for converting between streams of bytes and 32-bit words in the
official SHA-1 specification is big-endian (see Note 9.48); this differs from MD4 which is
little-endian.


9.53 Algorithm Secure Hash Algorithm - revised (SHA-1)

INPUT: bitstring x of bitlength b ≥ 0. (For notation, see Table 9.7.)

OUTPUT: 160-bit hash-code of x. (See Table 9.6 for test vectors.)

SHA-1 is defined (with reference to MD4) by making the following changes. (Below,
t <<< s denotes rotation of the 32-bit word t left by s bit positions.)

1. Notation. As in MD4.

2. Definition of constants. Define a fifth IV to match those in MD4: h5 = 0xc3d2e1f0.
Define per-round integer additive constants: y1 = 0x5a827999, y2 = 0x6ed9eba1,
y3 = 0x8f1bbcdc, y4 = 0xca62c1d6. (No order for accessing source words, or spec-
ification of bit positions for left shifts is required.)

3. Overall preprocessing. Pad as in MD4, except the final two 32-bit words specifying
the bitlength b are appended with most significant word preceding least significant.
As in MD4, the formatted input is 16m 32-bit words: x_0 x_1 ... x_{16m−1}. Initialize
chaining variables: (H1, H2, H3, H4, H5) ← (h1, h2, h3, h4, h5).

4. Processing. For each i from 0 to m − 1, copy the ith block of sixteen 32-bit words
into temporary storage: X[j] ← x_{16i+j}, 0 ≤ j ≤ 15, and process these as below in
four 20-step rounds before updating the chaining variables:

(expand 16-word block into 80-word block; let X_j denote X[j])
for j from 16 to 79, X_j ← ((X_{j−3} ⊕ X_{j−8} ⊕ X_{j−14} ⊕ X_{j−16}) <<< 1).

(initialize working variables) (A, B, C, D, E) ← (H1, H2, H3, H4, H5).

(Round 1) For j from 0 to 19 do the following:
t ← ((A <<< 5) + f(B, C, D) + E + X_j + y1),
(A, B, C, D, E) ← (t, A, B <<< 30, C, D).

(Round 2) For j from 20 to 39 do the following:
t ← ((A <<< 5) + h(B, C, D) + E + X_j + y2),
(A, B, C, D, E) ← (t, A, B <<< 30, C, D).

(Round 3) For j from 40 to 59 do the following:
t ← ((A <<< 5) + g(B, C, D) + E + X_j + y3),
(A, B, C, D, E) ← (t, A, B <<< 30, C, D).

(Round 4) For j from 60 to 79 do the following:
t ← ((A <<< 5) + h(B, C, D) + E + X_j + y4),
(A, B, C, D, E) ← (t, A, B <<< 30, C, D).

(update chaining values)
(H1, H2, H3, H4, H5) ← (H1 + A, H2 + B, H3 + C, H4 + D, H5 + E).

5. Completion. The hash-value is: H1 || H2 || H3 || H4 || H5
(with first and last bytes the high- and low-order bytes of H1, H5, respectively).


9.54 Remark (security of SHA-1) Compared to 128-bit hash functions, the 160-bit hash-value
of SHA-1 provides increased security against brute-force attacks. SHA-1 and RIPEMD-
160 (see §9.4.2(iv)) presently appear to be of comparable strength; both are considered
stronger than MD5 (Remark 9.52). In SHA-1, a significant effect of the expansion of 16-
word message blocks to 80 words in the compression function is that any two distinct 16-
word blocks yield 80-word values which differ in a larger number of bit positions, signif-
icantly expanding the number of bit differences among message words input to the com-
pression function. The redundancy added by this preprocessing evidently adds strength.
(This assessment predates later cryptanalysis: a collision for the full SHA-1 was published
in 2017, and SHA-1 is no longer acceptable where collision resistance is required.)

(iv) RIPEMD-160

RIPEMD-160 (Algorithm 9.55) is a hash function based on MD4, taking into account
knowledge gained in the analysis of MD4, MD5, and RIPEMD. The overall RIPEMD-160
compression function maps 21-word inputs (5-word chaining variable plus 16-word mes-
sage block, with 32-bit words) to 5-word outputs. Each input block is processed in parallel
by distinct versions (the left line and right line) of the compression function. The 160-bit
outputs of the separate lines are combined to give a single 160-bit output.


Notation        Definition
f(u, v, w)      u ⊕ v ⊕ w
g(u, v, w)      (u ∧ v) ∨ (¬u ∧ w)
h(u, v, w)      (u ∨ ¬v) ⊕ w
k(u, v, w)      (u ∧ w) ∨ (v ∧ ¬w)
l(u, v, w)      u ⊕ (v ∨ ¬w)

Table 9.8: RIPEMD-160 round function definitions.

The RIPEMD-160 compression function differs from MD4 in the number of words of
chaining variable, the number of rounds, the round functions themselves (Table 9.8), the
order in which the input words are accessed, and the amounts by which results are rotated.
The left and right computation lines differ from each other in these last two items, in
their additive constants, and in the order in which the round functions are applied. This de-
sign is intended to improve resistance against known attack strategies. Each of the parallel
lines uses the same IV as SHA-1. When writing the IV as a bitstring, little-endian ordering
is used for RIPEMD-160 as in MD4 (vs. big-endian in SHA-1; see Note 9.48).


Handbook  of  Applied  Cryptography  by  A.  Menezes,  P.  van  Oorschot  and  S.  Vanstone. 


350 


Ch.  9 Hash  Functions  and  Data  Integrity 


9.55 Algorithm RIPEMD-160 hash function

INPUT: bitstring x of bitlength b ≥ 0.

OUTPUT: 160-bit hash-code of x. (See Table 9.6 for test vectors.)

RIPEMD-160 is defined (with reference to MD4) by making the following changes. (Below,
t <<< s denotes rotation of the 32-bit word t left by s bit positions.)

1. Notation. See Table 9.7, with MD4 round functions f, g, h redefined per Table 9.8
(which also defines the new round functions k, l).

2. Definition of constants. Define a fifth IV: h5 = 0xc3d2e1f0. In addition:

(a) Use the MD4 additive constants for the left line, renamed: yL[j] = 0, 0 ≤ j ≤
15; yL[j] = 0x5a827999, 16 ≤ j ≤ 31; yL[j] = 0x6ed9eba1, 32 ≤ j ≤ 47.
Define two further constants (square roots of 5, 7): yL[j] = 0x8f1bbcdc, 48 ≤
j ≤ 63; yL[j] = 0xa953fd4e, 64 ≤ j ≤ 79.

(b) Define five new additive constants for the right line (cube roots of 2, 3, 5, 7):
yR[j] = 0x50a28be6, 0 ≤ j ≤ 15; yR[j] = 0x5c4dd124, 16 ≤ j ≤ 31;
yR[j] = 0x6d703ef3, 32 ≤ j ≤ 47; yR[j] = 0x7a6d76e9, 48 ≤ j ≤ 63;
yR[j] = 0, 64 ≤ j ≤ 79.

(c) See Table 9.9 for constants for step j of the compression function: zL[j], zR[j]
specify the access order for source words in the left and right lines; sL[j], sR[j]
the number of bit positions for rotates (see below).

3. Preprocessing. As in MD4, with addition of a fifth chaining variable: H5 ← h5.

4. Processing. For each i from 0 to m − 1, copy the ith block of sixteen 32-bit words
into temporary storage: X[j] ← x_{16i+j}, 0 ≤ j ≤ 15. Then:

(a) Execute five 16-step rounds of the left line as follows:

(AL, BL, CL, DL, EL) ← (H1, H2, H3, H4, H5).

(left Round 1) For j from 0 to 15 do the following:
t ← (AL + f(BL, CL, DL) + X[zL[j]] + yL[j]),
(AL, BL, CL, DL, EL) ← (EL, EL + (t <<< sL[j]), BL, CL <<< 10, DL).

(left Round 2) For j from 16 to 31 do the following:
t ← (AL + g(BL, CL, DL) + X[zL[j]] + yL[j]),
(AL, BL, CL, DL, EL) ← (EL, EL + (t <<< sL[j]), BL, CL <<< 10, DL).

(left Round 3) For j from 32 to 47 do the following:
t ← (AL + h(BL, CL, DL) + X[zL[j]] + yL[j]),
(AL, BL, CL, DL, EL) ← (EL, EL + (t <<< sL[j]), BL, CL <<< 10, DL).

(left Round 4) For j from 48 to 63 do the following:
t ← (AL + k(BL, CL, DL) + X[zL[j]] + yL[j]),
(AL, BL, CL, DL, EL) ← (EL, EL + (t <<< sL[j]), BL, CL <<< 10, DL).

(left Round 5) For j from 64 to 79 do the following:
t ← (AL + l(BL, CL, DL) + X[zL[j]] + yL[j]),
(AL, BL, CL, DL, EL) ← (EL, EL + (t <<< sL[j]), BL, CL <<< 10, DL).

(b) Execute in parallel with the above five rounds an analogous right line with
(AR, BR, CR, DR, ER), yR[j], zR[j], sR[j] replacing the corresponding quan-
tities with subscript L, and the order of the round functions reversed so that their
order is: l, k, h, g, and f. Start by initializing the right line working variables:
(AR, BR, CR, DR, ER) ← (H1, H2, H3, H4, H5).

(c) After executing both the left and right lines above, update the chaining values
as follows: t ← H1, H1 ← H2 + CL + DR, H2 ← H3 + DL + ER, H3 ←
H4 + EL + AR, H4 ← H5 + AL + BR, H5 ← t + BL + CR.

5. Completion. The final hash-value is the concatenation: H1 || H2 || H3 || H4 || H5
(with first and last bytes the low- and high-order bytes of H1, H5, respectively).


©1997  by  CRC  Press,  Inc.  — See  accompanying  notice  at  front  of  chapter. 




Variable      Value
zL[0..15]     [ 0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15]
zL[16..31]    [ 7,  4, 13,  1, 10,  6, 15,  3, 12,  0,  9,  5,  2, 14, 11,  8]
zL[32..47]    [ 3, 10, 14,  4,  9, 15,  8,  1,  2,  7,  0,  6, 13, 11,  5, 12]
zL[48..63]    [ 1,  9, 11, 10,  0,  8, 12,  4, 13,  3,  7, 15, 14,  5,  6,  2]
zL[64..79]    [ 4,  0,  5,  9,  7, 12,  2, 10, 14,  1,  3,  8, 11,  6, 15, 13]
zR[0..15]     [ 5, 14,  7,  0,  9,  2, 11,  4, 13,  6, 15,  8,  1, 10,  3, 12]
zR[16..31]    [ 6, 11,  3,  7,  0, 13,  5, 10, 14, 15,  8, 12,  4,  9,  1,  2]
zR[32..47]    [15,  5,  1,  3,  7, 14,  6,  9, 11,  8, 12,  2, 10,  0,  4, 13]
zR[48..63]    [ 8,  6,  4,  1,  3, 11, 15,  0,  5, 12,  2, 13,  9,  7, 10, 14]
zR[64..79]    [12, 15, 10,  4,  1,  5,  8,  7,  6,  2, 13, 14,  0,  3,  9, 11]
sL[0..15]     [11, 14, 15, 12,  5,  8,  7,  9, 11, 13, 14, 15,  6,  7,  9,  8]
sL[16..31]    [ 7,  6,  8, 13, 11,  9,  7, 15,  7, 12, 15,  9, 11,  7, 13, 12]
sL[32..47]    [11, 13,  6,  7, 14,  9, 13, 15, 14,  8, 13,  6,  5, 12,  7,  5]
sL[48..63]    [11, 12, 14, 15, 14, 15,  9,  8,  9, 14,  5,  6,  8,  6,  5, 12]
sL[64..79]    [ 9, 15,  5, 11,  6,  8, 13, 12,  5, 12, 13, 14, 11,  8,  5,  6]
sR[0..15]     [ 8,  9,  9, 11, 13, 15, 15,  5,  7,  7,  8, 11, 14, 14, 12,  6]
sR[16..31]    [ 9, 13, 15,  7, 12,  8,  9, 11,  7,  7, 12,  7,  6, 15, 13, 11]
sR[32..47]    [ 9,  7, 15, 11,  8,  6,  6, 14, 12, 13,  5, 14, 13, 13,  7,  5]
sR[48..63]    [15,  5,  8, 11, 14, 14,  6, 14,  6,  9, 12,  9, 12,  5, 15,  8]
sR[64..79]    [ 8,  5, 12,  9, 12,  5, 14,  6,  8, 13,  6,  5, 15, 13, 11, 11]

Table 9.9: RIPEMD-160 word-access orders and rotate counts (cf. Algorithm 9.55).
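The following is an added example, not the Handbook's code: RIPEMD-160 implemented from Algorithm 9.55 with the round functions of Table 9.8 and the word-access orders and rotate counts of Table 9.9 transcribed verbatim, so the two parallel lines, the reversed function order on the right line and the cross-wise combination of step 4(c) can be seen executing. Input is assumed to be a byte string; the expected digests for the empty string and "abc" used in the self-check are the standard published test vectors, not values taken from this page.

```python
"""RIPEMD-160 from Algorithm 9.55 / Tables 9.8, 9.9 (added example, not the Handbook's code)."""
import struct

MASK = 0xFFFFFFFF


def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


# Round functions of Table 9.8.
def f(u, v, w): return u ^ v ^ w                       # u ⊕ v ⊕ w
def g(u, v, w): return (u & v) | (~u & w)              # (u ∧ v) ∨ (¬u ∧ w)
def h(u, v, w): return (u | (~v & MASK)) ^ w           # (u ∨ ¬v) ⊕ w
def k(u, v, w): return (u & w) | (v & ~w)              # (u ∧ w) ∨ (v ∧ ¬w)
def l(u, v, w): return u ^ (v | (~w & MASK))           # u ⊕ (v ∨ ¬w)


# Table 9.9: word-access orders (z) and rotate counts (s), one row per 16-step round.
ZL = [list(range(16)),
      [7, 4, 13, 1, 10, 6, 15, 3, 12, 0, 9, 5, 2, 14, 11, 8],
      [3, 10, 14, 4, 9, 15, 8, 1, 2, 7, 0, 6, 13, 11, 5, 12],
      [1, 9, 11, 10, 0, 8, 12, 4, 13, 3, 7, 15, 14, 5, 6, 2],
      [4, 0, 5, 9, 7, 12, 2, 10, 14, 1, 3, 8, 11, 6, 15, 13]]
ZR = [[5, 14, 7, 0, 9, 2, 11, 4, 13, 6, 15, 8, 1, 10, 3, 12],
      [6, 11, 3, 7, 0, 13, 5, 10, 14, 15, 8, 12, 4, 9, 1, 2],
      [15, 5, 1, 3, 7, 14, 6, 9, 11, 8, 12, 2, 10, 0, 4, 13],
      [8, 6, 4, 1, 3, 11, 15, 0, 5, 12, 2, 13, 9, 7, 10, 14],
      [12, 15, 10, 4, 1, 5, 8, 7, 6, 2, 13, 14, 0, 3, 9, 11]]
SL = [[11, 14, 15, 12, 5, 8, 7, 9, 11, 13, 14, 15, 6, 7, 9, 8],
      [7, 6, 8, 13, 11, 9, 7, 15, 7, 12, 15, 9, 11, 7, 13, 12],
      [11, 13, 6, 7, 14, 9, 13, 15, 14, 8, 13, 6, 5, 12, 7, 5],
      [11, 12, 14, 15, 14, 15, 9, 8, 9, 14, 5, 6, 8, 6, 5, 12],
      [9, 15, 5, 11, 6, 8, 13, 12, 5, 12, 13, 14, 11, 8, 5, 6]]
SR = [[8, 9, 9, 11, 13, 15, 15, 5, 7, 7, 8, 11, 14, 14, 12, 6],
      [9, 13, 15, 7, 12, 8, 9, 11, 7, 7, 12, 7, 6, 15, 13, 11],
      [9, 7, 15, 11, 8, 6, 6, 14, 12, 13, 5, 14, 13, 13, 7, 5],
      [15, 5, 8, 11, 14, 14, 6, 14, 6, 9, 12, 9, 12, 5, 15, 8],
      [8, 5, 12, 9, 12, 5, 14, 6, 8, 13, 6, 5, 15, 13, 11, 11]]
# Step 2: additive constants per round, and the round-function order of each line.
YL = [0x00000000, 0x5a827999, 0x6ed9eba1, 0x8f1bbcdc, 0xa953fd4e]
YR = [0x50a28be6, 0x5c4dd124, 0x6d703ef3, 0x7a6d76e9, 0x00000000]
FL = [f, g, h, k, l]
FR = [l, k, h, g, f]
IV = (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0)


def line(H, X, Z, S, Y, F):
    """Five 16-step rounds of one line (step 4(a)/(b)), starting from the chaining values."""
    A, B, C, D, E = H
    for r in range(5):
        for j in range(16):
            t = (A + F[r](B, C, D) + X[Z[r][j]] + Y[r]) & MASK
            A, B, C, D, E = E, (E + rotl(t, S[r][j])) & MASK, B, rotl(C, 10), D
    return A, B, C, D, E


def compress(H, block):
    X = struct.unpack('<16I', block)                   # little-endian words, as in MD4
    AL, BL, CL, DL, EL = line(H, X, ZL, SL, YL, FL)
    AR, BR, CR, DR, ER = line(H, X, ZR, SR, YR, FR)
    H1, H2, H3, H4, H5 = H
    # Step 4(c): the two lines are combined cross-wise into the chaining values.
    return ((H2 + CL + DR) & MASK, (H3 + DL + ER) & MASK, (H4 + EL + AR) & MASK,
            (H5 + AL + BR) & MASK, (H1 + BL + CR) & MASK)


def ripemd160(data: bytes) -> bytes:
    """MD4 preprocessing (little-endian 64-bit bitlength), then iterate the compression function."""
    msg = data + b'\x80' + b'\x00' * ((55 - len(data)) % 64) + struct.pack('<Q', len(data) * 8)
    H = IV
    for i in range(0, len(msg), 64):
        H = compress(H, msg[i:i + 64])
    return struct.pack('<5I', *H)


def tables_are_permutations() -> bool:
    """Every z row must be a permutation of 0..15, a cheap check on the transcription of Table 9.9."""
    return all(sorted(row) == list(range(16)) for row in ZL + ZR)


if __name__ == '__main__':
    print(ripemd160(b'abc').hex(), tables_are_permutations())
```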


9.4.3  Hash  functions  based  on  modular  arithmetic 

The  basic  idea  of  hash  functions  based  on  modular  arithmetic  is  to  construct  an  iterated 
hash  function  using  mod  M arithmetic  as  the  basis  of  a compression  function.  Two  moti- 
vating factors  are  re-use  of  existing  software  or  hardware  (in  public-key  systems)  for  mod- 
ular arithmetic,  and  scalability  to  match  required  security  levels.  Significant  disadvantages, 
however,  include  speed  (e.g.,  relative  to  the  customized  hash  functions  of  §9.4.2),  and  an 
embarrassing  history  of  insecure  proposals. 

MASH 

MASH-1  (Modular  Arithmetic  Secure  Hash,  algorithm  1)  is  a hash  function  based  on  mod- 
ular arithmetic.  It  has  been  proposed  for  inclusion  in  a draft  ISO/IEC  standard.  MASH-1 
involves  use  of  an  RSA-like  modulus  M,  whose  bitlength  affects  the  security.  M should 
be  difficult  to  factor,  and  for  M of  unknown  factorization,  the  security  is  based  in  part  on 
the  difficulty  of  extracting  modular  roots  (§3.5.2).  The  bitlength  of  M also  determines  the 
blocksize  for  processing  messages,  and  the  size  of  the  hash-result  (e.g.,  a 1025-bit  modulus 
yields  a 1024-bit  hash-result).  As  a recent  proposal,  its  security  remains  open  to  question 
(page  381).  Techniques  for  reducing  the  size  of  the  final  hash-result  have  also  been  pro- 
posed, but  their  security  is  again  undetermined  as  yet. 
9.56 Algorithm MASH-1 (version of Nov. 1995)

INPUT: data x of bitlength 0 ≤ b < 2^{n/2}.

OUTPUT: n-bit hash of x (n is approximately the bitlength of the modulus M).

1. System setup and constant definitions. Fix an RSA-like modulus M = pq of bitlength
m, where p and q are randomly chosen secret primes such that the factorization of
M is intractable. Define the bitlength n of the hash-result to be the largest multiple
of 16 less than m (i.e., n = 16n' < m). H0 = 0 is defined as an IV, and an n-
bit integer constant A = 0xf0...0. "∨" denotes bitwise inclusive-OR; "⊕" denotes
bitwise exclusive-OR.

2. Padding, blocking, and MD-strengthening. Pad x with 0-bits, if necessary, to obtain
a string of bitlength t · n/2 for the smallest possible t ≥ 1. Divide the padded text into
(n/2)-bit blocks x1, ..., xt, and append a final block x_{t+1} containing the (n/2)-bit
representation of b.

3. Expansion. Expand each x_i to an n-bit block y_i by partitioning it into (4-bit) nibbles
and inserting four 1-bits preceding each, except for y_{t+1} wherein the inserted nibble
is 1010 (not 1111).

4. Compression function processing. For 1 ≤ i ≤ t + 1, map two n-bit inputs (H_{i−1}, y_i)
to one n-bit output as follows: H_i ← ((((H_{i−1} ⊕ y_i) ∨ A)^2 mod M) ⇥ n) ⊕ H_{i−1}.
Here ⇥ n denotes keeping the rightmost n bits of the m-bit result to its left.

5. Completion. The hash is the n-bit block H_{t+1}.


MASH-2 is defined as per MASH-1 with the exponent e = 2 used for squaring in the
compression function processing stage (step 4) replaced with e = 2^8 + 1.
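The following is an added example, not part of the Handbook or of any MASH specification: Algorithm 9.56 carried out step by step (nibble expansion with the 1111/1010 tags, the ∨ A forcing of the top nibble, squaring modulo M and truncation to the rightmost n bits), with MASH-2 obtained by swapping the exponent. The modulus is an assumption for the demonstration only: the product of two Mersenne primes, which is trivially factorable and therefore useless for security but lets the code run offline; a real deployment requires an RSA-like modulus of secret factorization. Input is taken as a byte string, so b is a multiple of 8.

```python
"""MASH-1 / MASH-2 from Algorithm 9.56 (added example, not the Handbook's code)."""

# Toy modulus (assumption for the demo, NOT secure): M = pq with two Mersenne primes,
# m = 150 bits, so the hash length is n = 144 (largest multiple of 16 below m).
P_TOY = 2 ** 61 - 1
Q_TOY = 2 ** 89 - 1
M_TOY = P_TOY * Q_TOY


def expand(nibbles: str, last: bool) -> int:
    """Step 3: insert 1111 (or 1010 for the final length block) before every 4-bit nibble.
    `nibbles` is a hex string; the result is an integer of 8 * len(nibbles) bits."""
    tag = 'a' if last else 'f'
    return int(''.join(tag + c for c in nibbles), 16)


def mash(x: bytes, M: int = M_TOY, e: int = 2) -> bytes:
    m = M.bit_length()
    n = 16 * ((m - 1) // 16)                 # step 1: n = 16n' < m
    half = n // 8                            # an (n/2)-bit block is n/8 hex nibbles
    b = 8 * len(x)
    if b >= 2 ** (n // 2):
        raise ValueError("input too long for this modulus")
    # Step 2: zero-pad to t >= 1 blocks of n/2 bits, then append the (n/2)-bit length block.
    hexstr = x.hex()
    t = max(1, -(-len(hexstr) // half))      # ceiling division
    hexstr = hexstr.ljust(t * half, '0')
    blocks = [hexstr[i:i + half] for i in range(0, len(hexstr), half)]
    blocks.append(format(b, '0%dx' % half))
    # Step 4: H_i = ((((H_{i-1} ⊕ y_i) ∨ A)^e mod M) ⇥ n) ⊕ H_{i-1}, starting from H_0 = 0.
    A = 0xF << (n - 4)                       # A = 0xf0...0 as an n-bit constant
    low_n = (1 << n) - 1                     # mask for "rightmost n bits" (⇥ n)
    H = 0
    for i, blk in enumerate(blocks):
        y = expand(blk, last=(i == len(blocks) - 1))
        H = (pow((H ^ y) | A, e, M) & low_n) ^ H
    return H.to_bytes(n // 8, 'big')         # step 5: the n-bit block H_{t+1}


def mash1(x: bytes, M: int = M_TOY) -> bytes:
    return mash(x, M, 2)


def mash2(x: bytes, M: int = M_TOY) -> bytes:
    return mash(x, M, 2 ** 8 + 1)


if __name__ == '__main__':
    print(mash1(b'abc').hex())
    print(mash2(b'abc').hex())
```

Note how the expansion and the ∨ A step together guarantee that the value being squared has its top nibble set and is therefore larger than M^(1/2), which is what stops the modular reduction from being trivially undone; with a 1025-bit modulus the same code yields the 1024-bit result mentioned in the text.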


9.5  Keyed  hash  functions  (MACs) 

Keyed  hash  functions  whose  specific  purpose  is  message  authentication  are  called  message 
authentication  code  (MAC)  algorithms.  Compared  to  the  large  number  of  MDC  algorithms, 
prior  to  1995  relatively  few  MAC  algorithms  had  been  proposed,  presumably  because  the 
original  proposals,  which  were  widely  adopted  in  practice,  were  adequate.  Many  of  these 
are  for  historical  reasons  block-cipher  based.  Those  with  relatively  short  MAC  bitlengths 
(e.g.,  32-bits  for  MAA)  or  short  keys  (e.g.,  56  bits  for  MACs  based  on  DES-CBC)  may  still 
offer  adequate  security,  depending  on  the  computational  resources  available  to  adversaries, 
and  the  particular  environment  of  application. 

Many iterated MACs can be described as iterated hash functions (see Figure 9.2, and
equation (9.1) on page 333). In this case, the MAC key is generally part of the output trans-
formation g; it may also be an input to the compression function in the first iteration, and
be involved in the compression function f at every stage.

Fact  9.57  is  a general  result  giving  an  upper  bound  on  the  security  of  MACs. 

9.57 Fact (birthday attack on MACs) Let h be a MAC algorithm based on an iterated com-
pression function, which has n bits of internal chaining variable, and is deterministic (i.e.,
the m-bit result is fully determined by the message). Then MAC forgery is possible using
O(2^{n/2}) known text-MAC pairs plus a number v of chosen text-MAC pairs which (depend-
ing on h) is between 1 and about 2^{n−m}.
9.5.1 MACs based on block ciphers

CBC-based MACs

The most commonly used MAC algorithm based on a block cipher makes use of cipher-
block-chaining (§7.2.2(ii)). When DES is used as the block cipher E, n = 64 in what fol-
lows, and the MAC key is a 56-bit DES key.


9.58 Algorithm CBC-MAC

INPUT: data x; specification of block cipher E; secret MAC key k for E.

OUTPUT: n-bit MAC on x (n is the blocklength of E).

1. Padding and blocking. Pad x if necessary (e.g., using Algorithm 9.30). Divide the
padded text into n-bit blocks denoted x1, ..., xt.

2. CBC processing. Letting E_k denote encryption using E with key k, compute the
block H_t as follows: H1 ← E_k(x1); H_i ← E_k(H_{i−1} ⊕ x_i), 2 ≤ i ≤ t. (This is
standard cipher-block-chaining, IV = 0, discarding ciphertext blocks C_i = H_i.)

3. Optional process to increase strength of MAC. Using a second secret key k' ≠ k,
optionally compute: H'_t ← E^{−1}_{k'}(H_t), H_t ← E_k(H'_t). (This amounts to using two-
key triple-encryption on the last block; see Remark 9.59.)

4. Completion. The MAC is the n-bit block H_t.


[Figure 9.6: the message blocks x1, x2, x3, ..., xt are chained through E_k (IV = 0) and the final output block H is the MAC.]

Figure 9.6: CBC-based MAC algorithm.

For CBC-MAC with n = 64 = m, Fact 9.57 applies with v = 1.

9.59 Remark (CBC-MAC strengthening) The optional process reduces the threat of exhaus-
tive key search, and prevents chosen-text existential forgery (Example 9.62), without im-
pacting the efficiency of the intermediate stages as would using two-key triple-encryption
throughout. Alternatives to combat such forgery include prepending the input with a length
block before the MAC computation; or using key K to encrypt the length m yielding K' =
E_K(m), before using K' as the key to MAC the message.

9.60 Remark (truncated MAC outputs) Exhaustive attack may, depending on the unicity dis-
tance of the MAC, be precluded (information-theoretically) by using less than n bits of the
final output as the m-bit MAC. (This must be traded off against an increase in the proba-
bility of randomly guessing the MAC: 2^{−m}.) For m = 32 and E = DES, an exhaustive
attack reduces the key space to about 2^24 possibilities. However, even for m < n, a second
text-MAC pair almost certainly determines a unique MAC key.

9.61 Remark (CBC-MAC IV) While a random IV in CBC encryption serves to prevent a code-
book attack on the first ciphertext block, this is not a concern in a MAC algorithm.

9.62 Example (existential forgery of CBC-MAC) While CBC-MAC is secure for messages of
a fixed number t of blocks, additional measures (beyond simply adding a trailing length-
block) are required if variable length messages are allowed, otherwise (adaptive chosen-
text) existential forgery is possible as follows. Assume each x_i is an n-bit block, and let ⊥_b
denote the n-bit binary representation of b. Let (x1, M1) be a known text-MAC pair, and
request the MAC M2 for the one-block message x2 = M1; then M2 = E_k(E_k(x1))
is also the MAC for the 2-block message (x1 || ⊥_0). As a less trivial example, given two
known text-MAC pairs (x1, H1), (x2, H2) for one-block messages x1, x2, and request-
ing the MAC M on a chosen 2-block third message (x1 || z) for a third text-MAC pair
((x1 || z), M), then H1 = E_k(x1), M = E_k(H1 ⊕ z), and the MAC for the new 2-block
message X = x2 || (H1 ⊕ z ⊕ H2) is known: it is M also. Moreover, MD-strengthening
(Algorithm 9.26) does not address the problem: assume padding by Algorithm 9.29, so
that H1, H2 are now the MACs of the strengthened one-block messages, re-
place the third message above by the 3-block message (x1 || ⊥_64 || z), note
H1 = E_k(E_k(x1) ⊕ ⊥_64), M3 = E_k(E_k(E_k(E_k(x1) ⊕ ⊥_64) ⊕ z) ⊕ ⊥_192),
and M3 is also the MAC for the new 3-block message X = (x2 || ⊥_64 || (H1 ⊕ H2 ⊕ z)). □
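The following is an added example, not the Handbook's code, running Algorithm 9.58 and all three forgeries of Example 9.62 end to end, and then showing that the length-prepending fix of Remark 9.59 defeats the two-block forgery. The block cipher E is an assumption for the demonstration: a keyed 4-round Feistel permutation on 64-bit blocks built from SHA-256, used only so the code runs without a DES library. It is not DES and not a vetted cipher, and the forgeries do not depend on which cipher is chosen. The key and message blocks are constructed.

```python
"""CBC-MAC (Algorithm 9.58) and the forgeries of Example 9.62 (added example, not the Handbook's code)."""
import hashlib

N = 8                                   # n = 64-bit blocks, as with DES


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def E(k: bytes, x: bytes) -> bytes:
    """Stand-in block cipher E_k (assumption: a keyed Feistel permutation, NOT DES)."""
    L, R = x[:4], x[4:]
    for r in range(4):
        L, R = R, xor(L, hashlib.sha256(k + bytes([r]) + R).digest()[:4])
    return L + R


def length_block(bits: int) -> bytes:
    """⊥_b: the n-bit binary representation of b."""
    return bits.to_bytes(N, 'big')


def cbc_mac(k: bytes, blocks) -> bytes:
    """Step 2 of Algorithm 9.58: H_1 = E_k(x_1), H_i = E_k(H_{i-1} ⊕ x_i); the MAC is H_t."""
    H = bytes(N)                        # IV = 0
    for x in blocks:
        H = E(k, xor(H, x))
    return H


def cbc_mac_strengthened(k: bytes, blocks) -> bytes:
    """CBC-MAC with MD-strengthening: a trailing length block ⊥_{64t} is appended."""
    return cbc_mac(k, list(blocks) + [length_block(64 * len(blocks))])


def cbc_mac_length_prefixed(k: bytes, blocks) -> bytes:
    """A fix from Remark 9.59: the length block comes first, so no chaining value of a
    t-block message is ever a chaining value of a message of another length."""
    return cbc_mac(k, [length_block(64 * len(blocks))] + list(blocks))


# --- the forgeries; `mac` is the oracle the adversary may query ---------------------

def forge_trivial(mac, k, x1):
    """Known (x1, M1); query x2 = M1; M2 is also the MAC of the 2-block message x1 || ⊥_0."""
    M1 = mac(k, [x1])
    M2 = mac(k, [M1])
    return [x1, length_block(0)], M2


def forge_two_block(mac, k, x1, x2, z):
    """Known (x1, H1), (x2, H2); one chosen query on x1 || z returning M; then M is also
    the MAC of x2 || (H1 ⊕ z ⊕ H2)."""
    H1, H2 = mac(k, [x1]), mac(k, [x2])
    M = mac(k, [x1, z])
    return [x2, xor(xor(H1, z), H2)], M


def forge_strengthened(k, x1, x2, z):
    """Against the MD-strengthened variant: H1, H2 now include the length block, so the
    chosen 3-block message x1 || ⊥_64 || z exposes E_k(H1 ⊕ z), which the 3-block message
    x2 || ⊥_64 || (H1 ⊕ H2 ⊕ z) reaches as well."""
    mac = cbc_mac_strengthened
    H1, H2 = mac(k, [x1]), mac(k, [x2])
    M3 = mac(k, [x1, length_block(64), z])
    return [x2, length_block(64), xor(xor(H1, H2), z)], M3


def run() -> dict:
    k = b'\x01\x23\x45\x67\x89\xab\xcd\xef'          # constructed 64-bit key
    x1, x2, z = b'block-01', b'block-02', b'chosen-z'  # constructed 64-bit blocks
    results = {}
    msg, tag = forge_trivial(cbc_mac, k, x1)
    results['trivial'] = cbc_mac(k, msg) == tag
    msg, tag = forge_two_block(cbc_mac, k, x1, x2, z)
    results['two_block'] = cbc_mac(k, msg) == tag
    msg, tag = forge_strengthened(k, x1, x2, z)
    results['strengthened'] = cbc_mac_strengthened(k, msg) == tag
    # Same two-block attack against the length-prefixed variant: the forged tag no longer verifies.
    msg, tag = forge_two_block(cbc_mac_length_prefixed, k, x1, x2, z)
    results['length_prefixed_resists'] = cbc_mac_length_prefixed(k, msg) != tag
    return results


if __name__ == '__main__':
    print(run())
```

Each forgery succeeds because an intermediate chaining value of one message is also the final MAC of a shorter message, and the adversary can XOR that known value into a new message to steer the chain. Prefixing the length (or encrypting it into the key, the other option of Remark 9.59) removes exactly that property.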

9.63 Example (RIPE-MAC) RIPE-MAC is a variant of CBC-MAC. Two versions RIPE-
MAC1 and RIPE-MAC3, both producing 64-bit MACs, differ in their internal encryption
function E being either single DES or two-key triple-DES, respectively, requiring a 56-
or 112-bit key k (cf. Remark 9.59). Differences from Algorithm 9.58 are as follows: the
compression function uses a non-invertible chaining best described as CBC with data feed-
forward: H_i ← E_k(H_{i−1} ⊕ x_i) ⊕ x_i; after padding using Algorithm 9.30, a final 64-bit
length-block (giving bitlength of original input) is appended; the optional process of Al-
gorithm 9.58 is mandatory with final output block encrypted using key k' derived by com-
plementing alternating nibbles of k: for k = k0 ... k63 a 56-bit DES key with parity bits
k7 k15 ... k63, k' = k ⊕ 0xf0f0f0f0f0f0f0f0. □


9.5.2  Constructing  MACs  from  MDCs 

A common suggestion is to construct a MAC algorithm from an MDC algorithm, by simply
including a secret key k as part of the MDC input. A concern with this approach is that
implicit but unverified assumptions are often made about the properties that MDCs have;
in particular, while most MDCs are designed to provide one-wayness or collision resistance,
the requirements of a MAC algorithm differ (Definition 9.7). Even in the case that a one-
way hash function precludes recovery of a secret key used as a partial message input (cf.
partial-preimage resistance, page 331), this does not guarantee the infeasibility of producing
MACs for new inputs. The following examples suggest that construction of a MAC from
a hash function requires careful analysis.

9.64 Example (secret prefix method) Consider a message x = x1 x2 ... xt and an iterated MDC
h with compression function f, with definition: H0 = IV, H_i = f(H_{i−1}, x_i); h(x) = H_t.
(1) Suppose one attempts to use h as a MAC algorithm by prepending a secret key k,
so that the proposed MAC on x is M = h(k || x). Then, extending the message x by an
arbitrary single block y, one may deduce M' = h(k || x || y) as f(M, y) without knowing
the secret key k (the original MAC M serves as chaining variable). This is true even for
hash functions whose preprocessing pads inputs with length indicators (e.g., MD5); in this
case, the padding/length-block z for the original message x would appear as part of the
extended message, x || z || y, but a forged MAC on the latter may nonetheless be deduced. (2)
For similar reasons, it is insecure to use an MDC to construct a MAC algorithm by using the
secret MAC key k as IV. If k comprises the entire first block, then for efficiency f(IV, k)
may be precomputed, illustrating that an adversary need only find a k' (not necessarily k)
such that f(IV, k) = f(IV, k'); this is equivalent to using a secret IV. □
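The following is an added example, not the Handbook's code, serving two passages at once: it implements SHA-1 from Algorithm 9.53 (the 80-word expansion, big-endian words and the constant 5-bit rotate), and because the implementation lets the caller supply the starting chaining state and the bitlength written into the padding, it then carries out the secret-prefix forgery of Example 9.64 (1) against M = h(k || x), including the padding/length block z that ends up inside the forged message. The key `K` and the messages are constructed for the demonstration; the attacker is assumed to know only the key's length.

```python
"""SHA-1 (Algorithm 9.53) and the length-extension forgery of Example 9.64 (added example)."""
import hashlib
import struct

MASK = 0xFFFFFFFF
BLOCK = 64


def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


# MD4 step functions: f (round 1), majority g (round 3), parity h (rounds 2 and 4).
def f(u, v, w): return (u & v) | (~u & w)
def g(u, v, w): return (u & v) | (u & w) | (v & w)
def h(u, v, w): return u ^ v ^ w


ROUNDS = ((f, 0x5a827999), (h, 0x6ed9eba1), (g, 0x8f1bbcdc), (h, 0xca62c1d6))
IV = (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0)


def pad(total_bits: int) -> bytes:
    """MD4 padding with the 64-bit bitlength appended big-endian (step 3 of Algorithm 9.53)."""
    return b'\x80' + b'\x00' * ((55 - total_bits // 8) % BLOCK) + struct.pack('>Q', total_bits)


def compress(H, block):
    X = list(struct.unpack('>16I', block))          # big-endian words (Note 9.48)
    for j in range(16, 80):                         # expand 16 words to 80
        X.append(rotl(X[j - 3] ^ X[j - 8] ^ X[j - 14] ^ X[j - 16], 1))
    A, B, C, D, E = H
    for j in range(80):
        fn, y = ROUNDS[j // 20]
        t = (rotl(A, 5) + fn(B, C, D) + E + X[j] + y) & MASK
        A, B, C, D, E = t, A, rotl(B, 30), C, D
    return tuple((a + b) & MASK for a, b in zip(H, (A, B, C, D, E)))


def sha1_from_state(data: bytes, state=IV, total_bits=None) -> bytes:
    """Hash `data` starting at `state`, padding as if `total_bits` bits had been hashed in all.
    `data` must be aligned so that total_bits/8 - len(data) is a multiple of 64."""
    if total_bits is None:
        total_bits = len(data) * 8
    msg = data + pad(total_bits)
    for i in range(0, len(msg), BLOCK):
        state = compress(state, msg[i:i + BLOCK])
    return struct.pack('>5I', *state)


def sha1(data: bytes) -> bytes:
    return sha1_from_state(data)


def self_check() -> bool:
    samples = [b'', b'abc', b'a' * 55, b'a' * 56, b'a' * 64, bytes(range(256)) * 3]
    return all(sha1(s) == hashlib.sha1(s).digest() for s in samples)


# ---- Example 9.64 (1): secret-prefix MAC and its length-extension forgery -------------
K = b'\x13\x37' * 8          # constructed 16-byte key; the attacker knows only len(K)


def secret_prefix_mac(key: bytes, x: bytes) -> bytes:
    """The insecure proposal M = h(k || x)."""
    return sha1(key + x)


def extend(mac: bytes, key_len: int, x: bytes, y: bytes):
    """From M = h(k||x) and len(k) alone, forge the MAC of x || z || y, where z is the
    padding/length block of k||x. M is reused as the chaining variable."""
    glue = pad((key_len + len(x)) * 8)                        # the block z of the text
    forged_msg = x + glue + y
    state = struct.unpack('>5I', mac)
    forged_mac = sha1_from_state(y, state, (key_len + len(forged_msg)) * 8)
    return forged_msg, forged_mac


def demo() -> bool:
    x, y = b'amount=10&to=alice', b'&to=mallory'
    m = secret_prefix_mac(K, x)
    forged_msg, forged_mac = extend(m, len(K), x, y)
    return secret_prefix_mac(K, forged_msg) == forged_mac     # verifies, key never known


if __name__ == '__main__':
    print(sha1(b'abc').hex(), self_check(), demo())
```

The forged message carries the padding bytes of the original inside it, which is exactly the "x || z || y" of the text; whether a receiver accepts such a message depends only on whether its parser tolerates those bytes, not on anything cryptographic.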

9.65 Example (secret suffix method) An alternative proposal is to use a secret key as a suffix,
i.e., the n-bit MAC on x is M = h(x || k). In this case, a birthday attack applies (§9.7.1).
An adversary free to choose the message x (or a prefix thereof) may, in O(2^{n/2}) operations,
find a pair of messages x, x' for which h(x) = h(x'). (This can be done off-line, and does
not require knowledge of k; the assumption here is that n is the size of both the chaining
variable and the final output.) Obtaining a MAC M on x by legitimate means then allows
an adversary to produce a correct text-MAC pair (x', M) for a new message x'. Note that
this method essentially hashes and then encrypts the hash-value in the final iteration; in this
weak form of MAC, the MAC-value depends only on the last chaining value, and the key
is used in only one step. □

The  above  examples  suggest  that  a MAC  key  should  be  involved  at  both  the  start  and 
the  end  of  MAC  computations,  leading  to  Example  9.66. 

9.66 Example (envelope method with padding) For a key k and MDC h, compute the MAC
on a message x as: h_k(x) = h(k || p || x || k). Here p is a string used to pad k to the length
of one block, to ensure that the internal computation involves at least two iterations. For
example, if h is MD5 and k is 128 bits, p is a 384-bit pad string. □

Due  to  both  a certificational  attack  against  the  MAC  construction  of  Example  9.66  and 
theoretical  support  for  that  of  Example  9.67  (see  page  382),  the  latter  construction  is  fa- 
vored. 

9.67 Example (hash-based MAC) For a key k and MDC h, compute the MAC on a message
x as HMAC(x) = h(k || p1 || h(k || p2 || x)), where p1, p2 are distinct strings of sufficient
length to pad k out to a full block for the compression function. The overall construction is
quite efficient despite two calls to h, since the outer execution processes only (e.g., if h is
MD5) a two-block input, independent of the length of x. □
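The following is an added example, not the Handbook's code, showing the nested construction of Example 9.67 next to the envelope construction of Example 9.66, both over SHA-1 via hashlib. `hmac_sha1` follows Example 9.67 with the padding strings chosen as in RFC 2104 (the standardised HMAC, which is what Python's hmac module computes): instead of k || p1 and k || p2, the key is zero-padded to one block and XORed with the constants opad and ipad, and a key longer than a block is first hashed down. The keys and messages are constructed for the demonstration.

```python
"""HMAC (Example 9.67, RFC 2104 padding) beside the envelope method (Example 9.66); added example."""
import hashlib
import hmac

BLOCK = 64                      # SHA-1 compression-function block size in bytes


def _block_key(key: bytes) -> bytes:
    """Keys longer than a block are first hashed (RFC 2104); all keys are then zero-padded to a block."""
    if len(key) > BLOCK:
        key = hashlib.sha1(key).digest()
    return key.ljust(BLOCK, b'\x00')


def hmac_sha1(key: bytes, x: bytes) -> bytes:
    """HMAC(x) = h((k ⊕ opad) || h((k ⊕ ipad) || x)). The outer call always processes a
    two-block input (one padded key block plus the 20-byte inner hash), whatever len(x)."""
    k = _block_key(key)
    ipad = bytes(b ^ 0x36 for b in k)
    opad = bytes(b ^ 0x5c for b in k)
    inner = hashlib.sha1(ipad + x).digest()
    return hashlib.sha1(opad + inner).digest()


def envelope_mac(key: bytes, x: bytes) -> bytes:
    """Example 9.66: h(k || p || x || k), with p padding k to one full block."""
    return hashlib.sha1(_block_key(key) + x + key).digest()


def matches_stdlib(key: bytes, x: bytes) -> bool:
    """Compare with Python's hmac module using a constant-time comparison."""
    return hmac.compare_digest(hmac_sha1(key, x), hmac.new(key, x, 'sha1').digest())


if __name__ == '__main__':
    print(hmac_sha1(b'\x0b' * 20, b'Hi There').hex())
```

When verifying a received MAC, compare with `hmac.compare_digest` (as above) rather than `==`, so that the comparison time does not leak how many leading bytes matched.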

Additional  suggestions  for  achieving  MAC-like  functionality  by  combining  MDCs  and 
encryption  are  discussed  in  §9.6.5. 




9.5.3  Customized  MACs 

Two  algorithms  designed  for  the  specific  purpose  of  message  authentication  are  discussed 
in  this  section:  MAA  and  MD5-MAC. 

Message  Authenticator  Algorithm  (MAA) 

The Message Authenticator Algorithm (MAA), dating from 1983, is a customized MAC
algorithm for 32-bit machines, involving 32-bit operations throughout. It is specified as
Algorithm 9.68 and illustrated in Figure 9.7. The main loop consists of two parallel inter-
dependent streams of computation. Messages are processed in 4-byte blocks using 8 bytes
of chaining variable. The execution time (excluding key expansion) is proportional to mes-
sage length; as a rough guideline, MAA is twice as slow as MD4.


9.68 Algorithm Message Authenticator Algorithm (MAA)

INPUT: data x of bitlength 32j, 1 ≤ j ≤ 10^6; secret 64-bit MAC key Z = Z[1]..Z[8].
OUTPUT: 32-bit MAC on x.

1. Message-independent key expansion. Expand key Z to six 32-bit quantities X, Y, V,
W, S, T (X, Y are initial values; V, W are main loop variables; S, T are appended
to the message) as follows.

1.1 First replace any bytes 0x00 or 0xff in Z as follows. P ← 0; for i from 1 to 8
(P ← 2P; if Z[i] = 0x00 or 0xff then (P ← P + 1; Z[i] ← Z[i] OR P)).

1.2 Let J and K be the first 4 bytes and last 4 bytes of Z, and compute:(4)
X ← J^4 (mod 2^32 − 1) ⊕ J^4 (mod 2^32 − 2)
Y ← [K^5 (mod 2^32 − 1) ⊕ K^5 (mod 2^32 − 2)](1 + P)^2 (mod 2^32 − 2)
V ← J^6 (mod 2^32 − 1) ⊕ J^6 (mod 2^32 − 2)
W ← K^7 (mod 2^32 − 1) ⊕ K^7 (mod 2^32 − 2)
S ← J^8 (mod 2^32 − 1) ⊕ J^8 (mod 2^32 − 2)
T ← K^9 (mod 2^32 − 1) ⊕ K^9 (mod 2^32 − 2)

1.3 Process the 3 resulting pairs (X, Y), (V, W), (S, T) to remove any bytes 0x00,
0xff as for Z earlier. Define the AND-OR constants: A = 0x02040801, B =
0x00804021, C = 0xbfef7fdf, D = 0x7dfefbff.

2. Initialization and preprocessing. Initialize the rotating vector: v ← V, and the chain-
ing variables: H1 ← X, H2 ← Y. Append the key-derived blocks S, T to x, and
let x1 ... xt denote the resulting augmented segment of 32-bit blocks. (The final 2
blocks of the segment thus involve key-derived secrets.)

3. Block processing. Process each 32-bit block x_i (for i from 1 to t) as follows.

v ← (v <<< 1), U ← (v ⊕ W)
t1 ← (H1 ⊕ x_i) ×1 ((((H2 ⊕ x_i) + U) OR A) AND C)
t2 ← (H2 ⊕ x_i) ×2 ((((H1 ⊕ x_i) + U) OR B) AND D)
H1 ← t1, H2 ← t2

where ×i denotes special multiplication mod 2^32 − i as noted above (i = 1 or 2);
"+" is addition mod 2^32; and "<<< 1" denotes rotation left one bit. (Each combined
AND-OR operation on a 32-bit quantity sets 4 bits to 1, and 4 to 0, precluding 0-
multipliers.)

4. Completion. The resulting MAC is: H = H1 ⊕ H2.


4In  ISO  8731-2.  a well-defined  but  unconventional  definition  of  multiplication  mod  232  — 2 is  specified,  pro- 
ducing 32-bit  results  which  in  some  cases  are  232  — 1 or  232  — 2;  for  this  reason,  specifying  e.g.,  J6  here  may 
be  ambiguous;  the  standard  should  be  consulted  for  exact  details. 
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Figure  9.7:  The  Message  Authenticator  Algorithm  (MAA). 


Since  the  relatively  complex  key  expansion  stage  is  independent  of  the  message,  a one- 
time computation  suffices  for  a fixed  key.  The  mixing  of  various  operations  (arithmetic  mod 
232  — i,  for  i — 0.1  and  2;  XOR;  and  nonlinear  AND-OR  computations)  is  intended  to 
strengthen  the  algorithm  against  arithmetic  cryptanalytic  attacks. 

MD5-MAC

A more conservative approach (cf. Example 9.66) to building a MAC from an MDC is to arrange that the MAC compression function itself depend on k, implying the secret key be involved in all intervening iterations; this provides additional protection in the case that weaknesses of the underlying hash function become known. Algorithm 9.69 is such a technique, constructed using MD5. It provides performance close to that of MD5 (5-20% slower in software).
9.69 Algorithm MD5-MAC

INPUT: bitstring x of arbitrary bitlength b ≥ 0; key k of bitlength ≤ 128.

OUTPUT: 64-bit MAC-value of x.

MD5-MAC is obtained from MD5 (Algorithm 9.51) by the following changes.

1. Constants. The constants U_i and T_i are as defined in Example 9.70.

2. Key expansion.

(a) If k is shorter than 128 bits, concatenate k to itself a sufficient number of times, and redefine k to be the leftmost 128 bits.

(b) Let $\overline{\mathrm{MD5}}$ denote MD5 with both padding and appended length omitted. Expand k into three 16-byte subkeys K_0, K_1, and K_2 as follows: for i from 0 to 2, $K_i \leftarrow \overline{\mathrm{MD5}}(k \,\|\, U_i \,\|\, k)$.

(c) Partition each of K_0 and K_1 into four 32-bit substrings K_j[i], 0 ≤ i ≤ 3.

3. K_0 replaces the four 32-bit IV's of MD5 (i.e., h_i = K_0[i]).

4. K_1[i] is added mod 2^32 to each constant y[j] used in Round i of MD5.

5. K_2 is used to construct the following 512-bit block, which is appended to the padded input x subsequent to the regular padding and length block as defined by MD5:

$K_2 \,\|\, K_2 \oplus T_0 \,\|\, K_2 \oplus T_1 \,\|\, K_2 \oplus T_2.$

6. The MAC-value is the leftmost 64 bits of the 128-bit output from hashing this padded and extended input string using MD5 with the above modifications.


9.70 Example (MD5-MAC constants/test vectors) The 16-byte constants T_i and three test vectors (x, MD5-MAC(x)) for key k = 00112233445566778899aabbccddeeff are given below. (The T_i themselves are derived using MD5 on pre-defined constants.) With subscripts in T taken mod 3, the 96-byte constants U_0, U_1, U_2 are defined:

$U_i = T_i \,\|\, T_{i+1} \,\|\, T_{i+2} \,\|\, T_i \,\|\, T_{i+1} \,\|\, T_{i+2}.$

T0: 97 ef 45 ac 29 0f 43 cd 45 7e 1b 55 1c 80 11 34

T1: b1 77 ce 96 2e 72 8e 7c 5f 5a ab 0a 36 43 be 18

T2: 9d 21 b4 21 be 87 b9 4d a2 9d 27 bd c7 5b d7 c3

("", 1f1ef2375cc0e0844f98e7e811a34da8)

("abc", e8013c11f7209d1328c0caa04fd012a6)

("abcdefghijklmnopqrstuvwxyz", 9172867eb60017884c6fa8cc88ebe7c9)

□
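An added Python implementation of Algorithm 9.69, written for this page (it is not the Handbook's code nor that of any standard). It builds MD5 with the IV and the additive constants y[j] as parameters, then applies steps 2 through 6. It assumes MD5's own little-endian word order when K_0 and K_1 are split into 32-bit words, and that a key shorter than 16 bytes is repeated as in step 2(a); md5_mac_full returns the 128-bit value of step 6 before truncation so that it can be compared against the vectors of Example 9.70.

```python
import hashlib
import math
import struct

# Plain MD5 (Algorithm 9.51), parameterised so that MD5-MAC can swap the IV and the constants y[j].
MASK = 0xffffffff
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
Y = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]   # additive constants y[j]
IV = (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md5_compress(state, block, y):
    """One 512-bit compression; y[] is the table of 64 additive constants in force."""
    a, b, c, d = state
    m = struct.unpack('<16I', block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + y[i] + m[g]) & MASK
        a, d, c, b = d, c, b, (b + _rotl(f, S[i])) & MASK
    return tuple((s + t) & MASK for s, t in zip(state, (a, b, c, d)))


def md5_pad(msg):
    """Standard MD5 padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length."""
    return msg + b'\x80' + b'\x00' * ((55 - len(msg)) % 64) + struct.pack('<Q', 8 * len(msg))


def md5_core(data, iv=IV, y=Y):
    """MD5 with padding and appended length omitted (the overlined MD5 of step 2(b)); data is block-aligned."""
    if len(data) % 64:
        raise ValueError('md5_core needs a multiple of 64 bytes')
    state = iv
    for off in range(0, len(data), 64):
        state = md5_compress(state, data[off:off + 64], y)
    return struct.pack('<4I', *state)


def md5(msg):
    return md5_core(md5_pad(msg))


def md5_self_check(msg):
    """Our MD5 must agree with hashlib before it is trusted as the base of MD5-MAC."""
    return md5(msg) == hashlib.md5(msg).digest()


# MD5-MAC (Algorithm 9.69), constants from Example 9.70.
T = [bytes.fromhex('97ef45ac290f43cd457e1b551c801134'),   # T0
     bytes.fromhex('b177ce962e728e7c5f5aab0a3643be18'),   # T1
     bytes.fromhex('9d21b421be87b94da29d27bdc75bd7c3')]   # T2


def U(i):
    """U_i = T_i || T_{i+1} || T_{i+2} || T_i || T_{i+1} || T_{i+2}, subscripts mod 3 (96 bytes)."""
    return b''.join(T[(i + j) % 3] for j in range(3)) * 2


def md5_mac_full(key, msg):
    """The 128-bit value of step 6 before truncation."""
    if not 1 <= len(key) <= 16:
        raise ValueError('key must be 1..16 bytes')
    key = (key * 16)[:16]                                     # 2(a): repeat the key out to 128 bits
    # 2(b): k || U_i || k is 16 + 96 + 16 = 128 bytes, exactly two blocks, so no padding is involved.
    K = [md5_core(key + U(i) + key) for i in range(3)]
    K0 = struct.unpack('<4I', K[0])                           # 3: K0 replaces the IV (little-endian words assumed)
    K1 = struct.unpack('<4I', K[1])
    y = [(Y[j] + K1[j // 16]) & MASK for j in range(64)]      # 4: K1[i] added to every constant of round i
    extra = K[2] + b''.join(bytes(p ^ q for p, q in zip(K[2], T[i])) for i in range(3))
    return md5_core(md5_pad(msg) + extra, iv=K0, y=y)         # 5: extra 512-bit block after the padding


def md5_mac(key, msg):
    return md5_mac_full(key, msg)[:8]                         # 6: leftmost 64 bits


if __name__ == '__main__':
    k = bytes.fromhex('00112233445566778899aabbccddeeff')     # the key of Example 9.70
    assert md5_self_check(b'abc')
    for x in (b'', b'abc', b'abcdefghijklmnopqrstuvwxyz'):
        print(x, md5_mac_full(k, x).hex(), md5_mac(k, x).hex())
```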


9.5.4 MACs for stream ciphers

Providing data origin authentication and data integrity guarantees for stream ciphers is particularly important due to the fact that bit manipulations in additive stream-ciphers may directly result in predictable modifications of the underlying plaintext (e.g., Example 9.83). While iterated hash functions process message data a block at a time (§9.3.1), MACs designed for use with stream ciphers process messages either one bit or one symbol (block) at a time, and those which may be implemented using linear feedback shift registers (LFSRs) are desirable for reasons of efficiency.

One such MAC technique, Algorithm 9.72 below, is based on cyclic redundancy codes (cf. Example 9.80). In this case, the polynomial division may be implemented using an LFSR. The following definition is of use in what follows.
9.71 Definition A (b, m) hash-family H is a collection of hash functions mapping b-bit messages to m-bit hash-values. A (b, m) hash-family is ε-balanced if for all messages B ≠ 0 and all m-bit hash-values c, prob(h(B) = c) ≤ ε, where the probability is over all randomly selected functions h ∈ H.


9.72 Algorithm CRC-based MAC

INPUT: b-bit message B; shared key (see below) between MAC source and verifier.
OUTPUT: m-bit MAC-value on B (e.g., m = 64).

1. Notation. Associate B = B_{b−1} ... B_1 B_0 with the polynomial $B(x) = \sum_{i=0}^{b-1} B_i x^i$.

2. Selection of MAC key.

(a) Select a random binary irreducible polynomial p(x) of degree m. (This represents randomly drawing a function h from a (b, m) hash-family.)

(b) Select a random m-bit one-time key k (to be used as a one-time pad).

The secret MAC key consists of p(x) and k, both of which must be shared a priori between the MAC originator and verifier.

3. Compute $h(B) = \mathrm{coef}\big(B(x) \cdot x^m \bmod p(x)\big)$, the m-bit string of coefficients from the degree m − 1 remainder polynomial after dividing B(x) · x^m by p(x).

4. The m-bit MAC-value for B is: h(B) ⊕ k.


9.73 Fact (security of CRC-based MAC) For any values b and m > 1, the hash-family resulting from Algorithm 9.72 is ε-balanced for ε = (b + m)/2^{m−1}, and the probability of MAC forgery is at most ε.

9.74 Remark (polynomial reuse) The hash function h in Algorithm 9.72 is determined by the irreducible polynomial p(x). In practice, p(x) may be re-used for different messages (e.g., within a session), but for each message a new random key k should be used.
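An added Python implementation of Algorithm 9.72, written for this page (not the Handbook's code): drawing a random irreducible p(x) of degree m with the Ben-Or irreducibility test, computing the remainder h(B), and applying the one-time key k; the verifier recomputes the tag and compares in constant time. Integers stand in for bitstrings (bit i is the coefficient of x^i), which is a convention of this code rather than of the text.

```python
import hmac
import secrets


def poly_mulmod(a, b, p, m):
    """Product of binary polynomials a*b reduced mod p (degree m); an int's bit i is the x^i coefficient."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> m) & 1:            # degree reached m: subtract (XOR) p
            a ^= p
    return r


def poly_gcd(a, b):
    """Euclid's algorithm over GF(2)[x]."""
    while b:
        while a and a.bit_length() >= b.bit_length():
            a ^= b << (a.bit_length() - b.bit_length())
        a, b = b, a
    return a


def is_irreducible(p, m):
    """Ben-Or test: p of degree m is irreducible iff gcd(p, x^(2^i) - x) = 1 for 1 <= i <= m/2."""
    x = 0b10                        # the polynomial x
    xp = x
    for _ in range(m // 2):
        xp = poly_mulmod(xp, xp, p, m)   # after i squarings xp = x^(2^i) mod p
        if poly_gcd(p, xp ^ x) != 1:
            return False
    return True


def random_irreducible(m):
    """Step 2(a): drawing h from the (b, m) hash-family means choosing a random irreducible p(x) of degree m."""
    while True:
        p = (1 << m) | secrets.randbits(m) | 1   # degree exactly m; constant term 1 (else x divides p)
        if is_irreducible(p, m):
            return p


def crc_hash(B, p, m):
    """Step 3: h(B) = coef(B(x) * x^m mod p(x)), the remainder of degree < m."""
    r = B << m
    while r.bit_length() > m:
        r ^= p << (r.bit_length() - 1 - m)
    return r


def crc_mac(B, p, k, m):
    """Step 4: MAC = h(B) XOR k, with k a fresh m-bit one-time key for every message (Remark 9.74)."""
    return crc_hash(B, p, m) ^ k


def crc_verify(B, tag, p, k, m):
    """The verifier recomputes the MAC; the comparison is constant-time to avoid a timing side channel."""
    n = (m + 7) // 8
    return hmac.compare_digest(crc_mac(B, p, k, m).to_bytes(n, 'big'), tag.to_bytes(n, 'big'))


if __name__ == '__main__':
    m = 64
    p = random_irreducible(m)        # shared in advance; may be reused within a session
    k = secrets.randbits(m)          # one-time, per message
    B = int.from_bytes(b'transfer 100 to account 42', 'big')   # constructed sample message
    tag = crc_mac(B, p, k, m)
    print(hex(p), hex(tag), crc_verify(B, tag, p, k, m))
```

The unkeyed remainder is linear, h(B ⊕ B') = h(B) ⊕ h(B'), which is exactly why Example 9.80's CRC is not an MDC and why p(x) must be secret and k used once.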


9.6 Data integrity and message authentication

This section considers the use of hash functions for data integrity and message authentication. Following preliminary subsections, respectively, providing background definitions and distinguishing non-malicious from malicious threats to data integrity, three subsequent subsections consider three basic approaches to providing data integrity using hash functions, as summarized in Figure 9.8.


9.6.1 Background and definitions

This subsection discusses data integrity, data origin authentication (message authentication), and transaction authentication.

Assurances are typically required both that data actually came from its reputed source (data origin authentication), and that its state is unaltered (data integrity). These issues cannot be separated - data which has been altered effectively has a new source; and if a source cannot be determined, then the question of alteration cannot be settled (without reference to a source). Integrity mechanisms thus implicitly provide data origin authentication, and vice versa.
[Figure 9.8 panels: (a) MAC only; (b) MDC & encipherment (encrypted); (c) MDC & authentic channel.]

Figure 9.8: Three methods for providing data integrity using hash functions. The second method provides encipherment simultaneously.
(i) Data integrity

9.75 Definition Data integrity is the property whereby data has not been altered in an unauthorized manner since the time it was created, transmitted, or stored by an authorized source.

Verification of data integrity requires that only a subset of all candidate data items satisfies particular criteria distinguishing the acceptable from the unacceptable. Criteria allowing recognizability of data integrity include appropriate redundancy or expectation with respect to format. Cryptographic techniques for data integrity rely on either secret information or authentic channels (§9.6.4).

The specific focus of data integrity is on the bitwise composition of data (cf. transaction authentication below). Operations which invalidate integrity include: insertion of bits, including entirely new data items from fraudulent sources; deletion of bits (short of deleting entire data items); re-ordering of bits or groups of bits; inversion or substitution of bits; and any combination of these, such as message splicing (re-use of proper substrings to construct new or altered data items). Data integrity includes the notion that data items are complete. For items split into multiple blocks, the above alterations apply analogously with blocks envisioned as substrings of a contiguous data string.

(ii) Data origin authentication (message authentication)

9.76 Definition Data origin authentication is a type of authentication whereby a party is corroborated as the (original) source of specified data created at some (typically unspecified) time in the past.

By definition, data origin authentication includes data integrity.

9.77 Definition Message authentication is a term used analogously with data origin authentication. It provides data origin authentication with respect to the original message source (and data integrity, but no uniqueness and timeliness guarantees).

Methods for providing data origin authentication include the following:

1. message authentication codes (MACs)

2. digital signature schemes

3. appending (prior to encryption) a secret authenticator value to encrypted text.^5

Data origin authentication mechanisms based on shared secret keys (e.g., MACs) do not allow a distinction to be made between the parties sharing the key, and thus (as opposed to digital signatures) do not provide non-repudiation of data origin - either party can equally originate a message using the shared key. If resolution of subsequent disputes is a potential requirement, either an on-line trusted third party in a notary role, or asymmetric techniques (see Chapter 11) may be used.

While MACs and digital signatures may be used to establish that data was generated by a specified party at some time in the past, they provide no inherent uniqueness or timeliness guarantees. These techniques alone thus cannot detect message re-use or replay, which is necessary in environments where messages may have renewed effect on second or subsequent use. Such message authentication techniques may, however, be augmented to provide these guarantees, as next discussed.

^5 Such a sealed authenticator (cf. a MAC, sometimes called an appended authenticator) is used along with an encryption method which provides error extension. While this resembles the technique of using encryption and an MDC (§9.6.5), whereas the MDC is a (known) function of the plaintext, a sealed authenticator is itself secret.
(iii) Transaction authentication

9.78 Definition Transaction authentication denotes message authentication augmented to additionally provide uniqueness and timeliness guarantees on data (thus preventing undetectable message replay).

The uniqueness and timeliness guarantees of Definition 9.78 are typically provided by appropriate use of time-variant parameters (TVPs). These include random numbers in challenge-response protocols, sequence numbers, and timestamps as discussed in §10.3.1. This may be viewed as a combination of message authentication and entity authentication (Definition 10.1). Loosely speaking,

message authentication + TVP = transaction authentication.

As a simple example, sequence numbers included within the data of messages authenticated by a MAC or digital signature algorithm allow replay detection (see Remark 9.79), and thus provide transaction authentication.

As a second example, for exchanges between two parties involving two or more messages, transaction authentication on each of the second and subsequent messages may be provided by including in the message data covered by a MAC a random number sent by the other party in the previous message. This chaining of messages through random numbers prevents message replay, since any MAC values in replayed messages would be incorrect (due to disagreement between the random number in the replayed message, and the most recent random number of the verifier).

Table 9.10 summarizes the properties of these and other types of authentication. Authentication in the broadest sense encompasses not only data integrity and data origin authentication, but also protection from all active attacks including fraudulent representation and message replay. In contrast, encryption provides protection only from passive attacks.


Type of authentication      | identification of source | data integrity | timeliness or uniqueness | defined in
----------------------------|--------------------------|----------------|--------------------------|-----------
message authentication      | yes                      | yes            | —                        | §9.6.1
transaction authentication  | yes                      | yes            | yes                      | §9.6.1
entity authentication       | yes                      | —              | yes                      | §10.1.1
key authentication          | yes                      | yes            | desirable                | §12.2.1

Table 9.10: Properties of various types of authentication.


9.79 Remark (sequence numbers and authentication) Sequence numbers may provide uniqueness, but not (real-time) timeliness, and thus are more appropriate to detect message replay than for entity authentication. Sequence numbers may also be used to detect the deletion of entire messages; they thus allow data integrity to be checked over an ongoing sequence of messages, in addition to individual messages.
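As an added example (not the Handbook's code), the following Python implements both mechanisms described above: a verifier that MACs seq || payload and tracks the expected sequence number, classifying a lower number as a replay and a jump as deleted messages (Remark 9.79), and a two-party exchange chained through random numbers. HMAC-SHA256 is a stand-in for the MAC h_k of the text, and the key is a constructed placeholder.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32
KEY = b'constructed demo key; use a random key in practice'   # constructed sample key, not from the page
ZERO = b'\x00' * 16


def mac(key, data):
    """HMAC-SHA256 stands in for the text's MAC h_k (a substitution, not the page's MAA or MD5-MAC)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def seal(key, seq, payload):
    """Message authentication + TVP: the sequence number is inside the data covered by the MAC."""
    data = struct.pack('>Q', seq) + payload
    return data + mac(key, data)


class SequenceVerifier:
    """Accepts in-order messages; a lower number is a replay, a jump means messages were deleted."""

    def __init__(self, key):
        self.key = key
        self.next_seq = 0

    def accept(self, msg):
        if len(msg) < 8 + TAG_LEN:
            return 'malformed'
        data, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        if not hmac.compare_digest(tag, mac(self.key, data)):
            return 'bad-mac'                      # origin/integrity failure: nothing in the message is trusted
        seq = struct.unpack('>Q', data[:8])[0]
        if seq < self.next_seq:
            return 'replay'
        verdict = 'ok' if seq == self.next_seq else 'gap'
        self.next_seq = seq + 1
        return verdict


class ChainedParty:
    """Second example of the text: each message echoes the peer's last random number and carries a fresh one.

    The opening message of an exchange echoes ZERO and, as the text says, only second and subsequent
    messages get transaction authentication from the chaining.
    """

    def __init__(self, key):
        self.key = key
        self.expected_echo = ZERO     # before I have sent anything only an opening message (echo ZERO) fits
        self.peer_nonce = ZERO

    def send(self, payload):
        fresh = secrets.token_bytes(16)
        data = self.peer_nonce + fresh + payload
        self.expected_echo = fresh    # the peer's next message must answer this number
        return data + mac(self.key, data)

    def receive(self, msg):
        data, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        if len(data) < 32 or not hmac.compare_digest(tag, mac(self.key, data)):
            return None
        echo, fresh, payload = data[:16], data[16:32], data[32:]
        if self.expected_echo is None or echo != self.expected_echo:
            return None               # replay or stale message: it does not answer my latest number
        self.expected_echo = None     # a number is answered at most once
        self.peer_nonce = fresh
        return payload


if __name__ == '__main__':
    v = SequenceVerifier(KEY)
    m = seal(KEY, 0, b'debit 10')
    print(v.accept(m), v.accept(m), v.accept(seal(KEY, 2, b'debit 20')))   # ok replay gap
```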


9.6.2 Non-malicious vs. malicious threats to data integrity

The techniques required to provide data integrity on noisy channels differ substantially from those required on channels subject to manipulation by adversaries.

Checksums provide protection against accidental or non-malicious errors on channels which are subject to transmission errors. The protection is non-cryptographic, in the sense that neither secret keys nor secured channels are used. Checksums generalize the idea of a parity bit by appending a (small) constant amount of message-specific redundancy. Both the data and the checksum are transmitted to a receiver, at which point the same redundancy computation is carried out on the received data and compared to the received checksum. Checksums can be used either for error detection or in association with higher-level error-recovery strategies (e.g., protocols involving acknowledgements and retransmission upon failure). Trivial examples include an arithmetic checksum (compute the running 32-bit sum of all 32-bit data words, discarding high-order carries), and a simple XOR (XOR all 32-bit words in a data string). Error-correcting codes go one step further than error-detecting codes, offering the capability to actually correct a limited number of errors without retransmission; this is sometimes called forward error correction.

9.80 Example (CRCs) Cyclic redundancy codes or CRCs are commonly used checksums. A k-bit CRC algorithm maps arbitrary length inputs into k-bit imprints, and provides significantly better error-detection capability than k-bit arithmetic checksums. The algorithm is based on a carefully chosen (k + 1)-bit vector represented as a binary polynomial; for k = 16, a commonly used polynomial (CRC-16) is g(x) = 1 + x^2 + x^15 + x^16. A t-bit data input is represented as a binary polynomial d(x) of degree t − 1, and the CRC-value corresponding to d(x) is the 16-bit string represented by the polynomial remainder c(x) when x^16 · d(x) is divided by g(x);^6 polynomial remaindering is analogous to computing integer remainders by long division. For all messages d(x) with t < 32 768, CRC-16 can detect all errors that consist of only a single bit, two bits, three bits, or any odd number of bits, all burst errors of bitlength 16 or less, 99.997% (1 − 2^{−15}) of 17-bit burst errors, and 99.998% (1 − 2^{−16}) of all bursts 18 bits or longer. (A burst error of bitlength b is any bitstring of exactly b bits beginning and ending with a 1.) Analogous to the integer case, other data strings d'(x) yielding the same remainder as d(x) can be trivially found by adding multiples of the divisor g(x) to d(x), or inserting extra blocks representing a multiple of g(x). CRCs thus do not provide one-wayness as required for MDCs; in fact, CRCs are a class of linear (error correcting) codes, with one-wayness comparable to an XOR-sum. □

While of use for detection of random errors, k-bit checksums are not of cryptographic use, because typically a data string checksumming to any target value can be easily created. One method is to simply insert or append to any data string of choice a k-bit correcting-block c which has the effect of correcting the overall checksum to the desired value. For example, for the trivial XOR checksum, if the target checksum is c', insert as block c the XOR of c' and the XOR of all other blocks.

In contrast to checksums, data integrity mechanisms based on (cryptographic) hash functions are specifically designed to preclude undetectable intentional modification. The hash-values resulting are sometimes called integrity check values (ICV), or cryptographic check values in the case of keyed hash functions. Semantically, it should not be possible for an adversary to take advantage of the willingness of users to associate a given hash output with a single, specific input, despite the fact that each such output typically corresponds to a large set of inputs. Hash functions should exhibit no predictable relationships or correlations between inputs and outputs, as these may allow adversaries to orchestrate unintended associations.

^6 A modification is typically used in practice (e.g., complementing c(x)) to address the combination of an input d(x) = 0 and a "stuck-at-zero" communications fault yielding a successful CRC check.


Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.


364 


Ch.  9 Hash  Functions  and  Data  Integrity 


9.6.3 Data integrity using a MAC alone

Message Authentication Codes (MACs) as discussed earlier are designed specifically for applications where data integrity (but not necessarily privacy) is required. The originator of a message x computes a MAC h_k(x) over the message using a secret MAC key k shared with the intended recipient, and sends both (effectively x || h_k(x)). The recipient determines by some means (e.g., a plaintext identifier field) the claimed source identity, separates the received MAC from the received data, independently computes a MAC over this data using the shared MAC key, and compares the computed MAC to the received MAC. The recipient interprets the agreement of these values to mean the data is authentic and has integrity - that is, it originated from the other party which knows the shared key, and has not been altered in transit. This corresponds to Figure 9.8(a).


9.6.4 Data integrity using an MDC and an authentic channel

The use of a secret key is not essential in order to provide data integrity. It may be eliminated by hashing a message and protecting the authenticity of the hash via an authentic (but not necessarily private) channel. The originator computes a hash-code using an MDC over the message data, transmits the data to a recipient over an unsecured channel, and transmits the hash-code over an independent channel known to provide data origin authentication. Such authentic channels may include telephone (authenticity through voice recognition), any data medium (e.g., floppy disk, piece of paper) stored in a trusted place (e.g., locked safe), or publication over any difficult-to-forge public medium (e.g., daily newspaper). The recipient independently hashes the received data, and compares the hash-code to that received. If these values agree, the recipient accepts the data as having integrity. This corresponds to Figure 9.8(c).

Example applications include virus protection of software, and distribution of software or public keys via untrusted networks. For virus checking of computer source or object code, this technique is preferable to one resulting in encrypted text. A common example of combining an MDC with an authentic channel to provide data integrity is digital signature schemes such as RSA, which typically involve the use of MDCs, with the asymmetric signature providing the authentic channel.


9.6.5 Data integrity combined with encryption

Whereas digital signatures provide assurances regarding both integrity and authentication, in general, encryption alone provides neither. This issue is first examined, and then the question of how hash functions may be employed in conjunction with encryption to provide data integrity.

(i) Encryption alone does not guarantee data integrity

A common misconception is that encryption provides data origin authentication and data integrity, under the argument that if a message is decrypted with a key shared only with party A, and if the decrypted message is meaningful, then it must have originated from A. Here "meaningful" means the message contains sufficient redundancy or meets some other a priori expectation. While the intuition is that an attacker must know the secret key in order to manipulate messages, this is not always true. In some cases he may be able to choose the plaintext message, while in other cases he may be able to effectively manipulate plaintext despite not being able to control its specific content. The extent to which encrypted messages can be manipulated undetectably depends on many factors, as illustrated by the following examples.

9.81 Example (re-ordering ECB blocks) The ciphertext blocks of any block cipher used only in ECB mode are subject to re-ordering. □

9.82 Example (encryption of random data) If the plaintext corresponding to a given ciphertext contains no redundancy (e.g., a random key), then all attempted decryptions thereof are meaningful, and data integrity cannot be verified. Thus, some form of redundancy is always required to allow verification of integrity; moreover, to facilitate verification in practice, explicit redundancy verifiable by automated means is required. □

9.83 Example (bit manipulations in additive stream ciphers) Despite the fact that the one-time pad offers unconditional secrecy, an attacker can change any single bit of plaintext by modifying the corresponding bit of ciphertext. For known-plaintext attacks, this allows an attacker to substitute selected segments of plaintext by plaintext of his own choosing. An example target bit is the high-order bit in a numeric field known to represent a dollar value. Similar comments apply to any additive stream cipher, including the OFB mode of any block cipher. □

9.84 Example (bit manipulation in DES ciphertext blocks) Several standard modes of operation for any block cipher are subject to selective bit manipulation. Modifying the last ciphertext block in a CFB chain is undetectable. A ciphertext block in CFB mode which yields random noise upon decryption is an indication of possible selective bit-manipulation of the preceding ciphertext block. A ciphertext block in CBC mode which yields random noise upon decryption is an indication of possible selective bit-manipulation of the following ciphertext block. For further discussion regarding error extension in standard modes of operation, see §7.2.2. □

(ii) Data integrity using encryption and an MDC

If both confidentiality and integrity are required, then the following data integrity technique employing an m-bit MDC h may be used. The originator of a message x computes a hash value H = h(x) over the message, appends it to the data, and encrypts the augmented message using a symmetric encryption algorithm E with shared key k, producing ciphertext

$C = E_k(x \,\|\, h(x))$   (9.2)

(Note that this differs subtly from enciphering the message and the hash separately as (E_k(x), E_k(h(x))), which e.g. using CBC requires two IVs.) This is transmitted to a recipient, who determines (e.g., by a plaintext identifier field) which key to use for decryption, and separates the recovered data x' from the recovered hash H'. The recipient then independently computes the hash h(x') of the received data and compares this to the recovered hash H'. If these agree, the recovered data is accepted as both being authentic and having integrity. This corresponds to Figure 9.8(b).

The intention is that the encryption protects the appended hash, and that it be infeasible for an attacker without the encryption key to alter the message without disrupting the correspondence between the decrypted plaintext and the recovered MDC. The properties required of the MDC here may be notably weaker, in general, than for an MDC used in conjunction with, say, digital signatures. Here the requirement, effectively a joint condition on the MDC and encryption algorithm, is that it not be feasible for an adversary to manipulate or create new ciphertext blocks so as to produce a new ciphertext C' which upon decryption will yield plaintext blocks having the same MDC as that recovered, with probability significantly greater than 1 in 2^m.

9.85 Remark (separation of integrity and privacy) While this approach appears to separate privacy and data integrity from a functional viewpoint, the two are not independent with respect to security. The security of the integrity mechanism is, at most, that of the encryption algorithm regardless of the strength of the MDC (consider exhaustive search of the encryption key). Thought should, therefore, be given to the relative strengths of the components.

9.86 Remark (vulnerability to known-plaintext attack) In environments where known-plaintext attacks are possible, the technique of equation (9.2) should not be used in conjunction with additive stream ciphers unless additional integrity techniques are used. In this scenario, an attacker can recover the key stream, then make plaintext changes, recompute a new MDC, and re-encrypt the modified message. Note this attack compromises the manner in which the MDC is used, rather than the MDC or encryption algorithm directly.

If confidentiality is not essential other than to support the requirement of integrity, an apparent option is to encrypt only either the message x or the MDC h(x). Neither approach is common, for reasons including Remark 9.85, and the general undesirability to utilize encryption primitives in systems requiring only integrity or authentication services. The following further comments apply:

1. encrypting the hash-code only: (x, E_k(h(x)))

Applying the key to the hash-value only (cf. Example 9.65) results in a property (typical for public-key signatures but) atypical for MACs: pairs of inputs x, x' with colliding outputs (MAC-values here) can be verifiably pre-determined without knowledge of k. Thus h must be collision-resistant. Other issues include: pairs of inputs having the same MAC-value under one key also do under other keys; if the blocklength of the cipher E_k is less than the bitlength m of the hash-value, splitting the latter across encryption blocks may weaken security; k must be reserved exclusively for this integrity function (otherwise chosen-text attacks on encryption allow selective MAC forgery); and E_k must not be an additive stream cipher (see Remark 9.86).

2. encrypting the plaintext only: (E_k(x), h(x))

This offers little computational savings over encrypting both message and hash (except for very short messages) and, as above, h(x) must be collision-resistant and thus twice the typical MAC bitlength. Correct guesses of the plaintext x may be confirmed (candidate values x' for x can be checked by comparing h(x') to h(x)).

(iii) Data integrity using encryption and a MAC

It is sometimes suggested to use a MAC rather than the MDC in the mechanism of equation (9.2) on page 365. In this case, a MAC algorithm h_{k'} replaces the MDC h, and rather than C = E_k(x || h(x)), the message sent is

$C' = E_k(x \,\|\, h_{k'}(x))$   (9.3)

The use of a MAC here offers the advantage (over an MDC) that should the encryption algorithm be defeated, the MAC still provides integrity. A drawback is the requirement of managing both an encryption key and a MAC key. Care must be exercised to ensure that dependencies between the MAC and encryption algorithms do not lead to security weaknesses, and as a general recommendation these algorithms should be independent (see Example 9.88).
9.87 Remark (precluding exhaustive MAC search) Encryption of the MAC-value in equation 
(9.3) precludes an exhaustive key search attack on the MAC key. 

Two  alternatives  here  include  encrypting  the  plaintext  first  and  then  computing  a MAC 
over  the  ciphertext,  and  encrypting  the  message  and  MAC  separately.  These  are  discussed 
in  turn. 

1. computing a MAC over the ciphertext: $(E_k(x), h_{k'}(E_k(x)))$. 

This allows message authentication without knowledge of the plaintext x (or cipher- 
text key). However, as the message authentication is on the ciphertext rather than the 
plaintext directly, there are no guarantees that the party creating the MAC knew the 
plaintext x. The recipient, therefore, must be careful about conclusions drawn - for 
example, if $E_k$ is public-key encryption, the originator of x may be independent of 
the party sharing the key k' with the recipient. 

2. separate encryption and MAC: $(E_k(x), h_{k'}(x))$. 

This alternative requires that neither the encryption nor the MAC algorithm compro- 
mises the objectives of the other. In particular, in this case an additional requirement 
on the algorithm is that the MAC on x must not compromise the confidentiality of 
x (cf. Definition 9.7). Keys (k, k') should also be independent here, e.g., to pre- 
clude exhaustive search on the weaker algorithm compromising the other (cf. Ex- 
ample 9.88). If k and k' are not independent, exhaustive key search is theoretically 
possible even without known plaintext. 

(iv)  Data  integrity  using  encryption  - examples 

9.88 Example (improper combination of CBC-MAC and CBC encryption) Consider using the 
data integrity mechanism of equation (9.3) with $E_k$ being CBC-encryption with key $k$ and 
initialization vector $IV$, $h_{k'}(x)$ being CBC-MAC with $k'$ and $IV'$, and $k = k'$, $IV = IV'$. 
The data $x = x_1 x_2 \ldots x_t$ can then be processed in a single CBC pass, since the CBC-MAC 
is equal to the last ciphertext block $c_t = E_k(c_{t-1} \oplus x_t)$, and the last data block is $x_{t+1} = c_t$, 
yielding final ciphertext block $c_{t+1} = E_k(c_t \oplus x_{t+1}) = E_k(0)$. The encrypted MAC is thus 
independent of both plaintext and ciphertext, rendering the integrity mechanism completely 
insecure. Care should thus be taken in combining a MAC with an encryption scheme. In 
general, it is recommended that distinct (and ideally, independent) keys be used. In some 
cases, one key may be derived from the other by a simple technique; a common sugges- 
tion for DES keys is complementation of every other nibble. However, arguments favoring 
independent keys include the danger of encryption algorithm weaknesses compromising 
authentication (or vice-versa), and differences between authentication and encryption keys 
with respect to key management life cycle. See also Remark 13.32. □ 

An efficiency drawback in using distinct keys for secrecy and integrity is the cost of two 
separate passes over the data. Example 9.89 illustrates a proposed data integrity mechanism 
(which appeared in a preliminary draft of U.S. Federal Standard 1026) which attempts to avoid 
this second pass by using an essentially zero-cost linear checksum; it is, however, insecure. 

9.89 Example (CBC encryption with XOR checksum - CBCC) Consider using the data integ- 
rity mechanism of equation (9.2) with $E_k$ being CBC-encryption with key $k$, $x = x_1 x_2 \ldots 
x_t$ a message of $t$ blocks, and as MDC function the simple XOR of all plaintext blocks, 
$h(x) = \bigoplus_{i=1}^{t} x_i$. The quantity $M = h(x)$ which serves as MDC then becomes plain- 
text block $x_{t+1}$. The resulting ciphertext blocks using CBC encryption with $c_0 = IV$ are 
$c_i = E_k(x_i \oplus c_{i-1})$, $1 \le i \le t+1$. In the absence of manipulation, the recovered plain- 
text is $x_i = c_{i-1} \oplus D_k(c_i)$. To see that this scheme is insecure as an integrity mechanism, 
let $c'_i$ denote the actual ciphertext blocks received by a recipient, resulting from possibly 
manipulated blocks $c_i$, and let $x'_i$ denote the plaintext recovered by the recipient by CBC 
decryption with the proper $IV$. The MDC computed over the recovered plaintext blocks is 
then 

$$M' = h(x') = \bigoplus_{i=1}^{t} x'_i = \bigoplus_{i=1}^{t} \left(c'_{i-1} \oplus D_k(c'_i)\right) = IV \oplus \Big(\bigoplus_{i=1}^{t-1} c'_i\Big) \oplus \Big(\bigoplus_{i=1}^{t} D_k(c'_i)\Big)$$

$M'$ is compared for equality with $x'_{t+1}$ $(= c'_t \oplus D_k(c'_{t+1}))$ as a check for data integrity, or 
equivalently, that $S = M' \oplus x'_{t+1} = 0$. By construction, $S = 0$ if there is no manipula- 
tion (i.e., if $c'_i = c_i$, which implies $x'_i = x_i$). Moreover, the sum $S$ is invariant under any 
permutation of the values $c'_i$, $1 \le i \le t$ (since $D_k(c'_{t+1})$ appears as a term in $S$, but $c'_{t+1}$ 
does not, $c'_{t+1}$ must be excluded from the permutable set). Thus, any of the first $t$ ciphertext 
blocks can be permuted without affecting the successful verification of the MDC. Further- 
more, insertion into the ciphertext stream of any random block $c^*$ twice, or any set of such 
pairs, will cancel itself out in the sum $S$, and thus also cannot be detected. □ 

9.90 Example (CBC encryption with mod $2^n - 1$ checksum) Consider as an alternative to Ex- 
ample 9.89 the simple MDC function $h(x) = \sum_{i=1}^{t} x_i$, the sum of plaintext blocks as $n$-bit 
integers with wrap-around carry (add overflow bits back into units bit), i.e., the sum modulo 
$2^n - 1$; consider $n = 64$ for ciphers of blocklength 64. The sum $S$ from Example 9.89 in 
this case involves both XOR and addition modulo $2^n - 1$; both permutations of ciphertext 
blocks and insertions of pairs of identical random blocks are now detected. (This technique 
should not, however, be used in environments subject to chosen-plaintext attack.) □ 

9.91 Example (PCBC encryption with mod $2^n$ checksum) A non-standard, non-self-synchron- 
izing mode of DES known as plaintext-ciphertext block chaining (PCBC) is defined as fol- 
lows, for $i \ge 0$ and plaintext $x = x_1 x_2 \ldots x_t$: $c_{i+1} = E_k(x_{i+1} \oplus G_i)$ where $G_0 = IV$, 
$G_i = g(x_i, c_i)$ for $i \ge 1$, and $g$ a simple function such as $g(x_i, c_i) = (x_i + c_i) \bmod 
2^{64}$. A one-pass technique providing both encryption and integrity, which exploits the error- 
propagation property of this mode, is as follows. Append an additional plaintext block to 
provide redundancy, e.g., $x_{t+1} = IV$ (alternatively: a fixed constant or $x_1$). Encrypt all 
blocks of the augmented plaintext using PCBC encryption as defined above. The quantity 
$c_{t+1} = E_k(x_{t+1} \oplus g(x_t, c_t))$ serves as MAC. Upon decipherment of $c_{t+1}$, the receiver ac- 
cepts the message as having integrity if the expected redundancy is evident in the recovered 
block $x_{t+1}$. (To avoid a known-plaintext attack, the function $g$ in PCBC should not be a 
simple XOR for this integrity application.) □ 


9.7  Advanced  attacks  on  hash  functions 

A deeper  understanding  of  hash  function  security  can  be  obtained  through  consideration  of 
various  general  attack  strategies.  The  resistance  of  a particular  hash  function  to  known  gen- 
eral attacks  provides  a (partial)  measure  of  security.  A selection  of  prominent  attack  strate- 
gies is  presented  in  this  section,  with  the  intention  of  providing  an  introduction  sufficient  to 
establish  that  designing  (good)  cryptographic  hash  functions  is  not  an  easily  mastered  art. 
Many  other  attack  methods  and  variations  exist;  some  are  general  methods,  while  others 
rely  on  peculiar  properties  of  the  internal  workings  of  specific  hash  functions. 
9.7.1 Birthday attacks 

Algorithm-independent  attacks  are  those  which  can  be  applied  to  any  hash  function,  treat- 
ing it  as  a black-box  whose  only  significant  characteristics  are  the  output  bitlength  n (and 
MAC  key  bitlength  for  MACs),  and  the  running  time  for  one  hash  operation.  It  is  typi- 
cally assumed  the  hash  output  approximates  a uniform  random  variable.  Attacks  falling 
under  this  category  include  those  based  on  hash-result  bitsize  (page  336);  exhaustive  MAC 
key  search  (page  336);  and  birthday  attacks  on  hash  functions  (including  memoryless  vari- 
ations) as  discussed  below. 

(i)  Yuval’s  birthday  attack  on  hash  functions 

Yuval's birthday attack was one of the first (and perhaps the most well-known) of many 
cryptographic applications of the birthday paradox arising from the classical occupancy 
distribution (§2.1.5): when drawing elements randomly, with replacement, from a set of 
$N$ elements, with high probability a repeated element will be encountered after $O(\sqrt{N})$ 
selections. Such attacks are among those called square-root attacks. 

The relevance to hash functions is that it is easier to find collisions for a one-way hash 
function than to find pre-images or second preimages of specific hash-values. As a result, 
signature schemes which employ one-way hash functions may be vulnerable to Yuval's at- 
tack outlined below. The attack is applicable to all unkeyed hash functions (cf. Fact 9.33), 
with running time $O(2^{m/2})$ varying with the bitlength $m$ of the hash-value. 


9.92 Algorithm Yuval's birthday attack 

INPUT: legitimate message $x_1$; fraudulent message $x_2$; $m$-bit one-way hash function $h$. 
OUTPUT: $x'_1$, $x'_2$ resulting from minor modifications of $x_1$, $x_2$ with $h(x'_1) = h(x'_2)$ 
(thus a signature on $x'_1$ serves as a valid signature on $x'_2$). 

1. Generate $t = 2^{m/2}$ minor modifications $x'_1$ of $x_1$. 

2. Hash each such modified message, and store the hash-values (grouped with corre- 
sponding message) such that they can be subsequently searched on hash-value. (This 
can be done in $O(t)$ total time using conventional hashing.) 

3. Generate minor modifications $x'_2$ of $x_2$, computing $h(x'_2)$ for each and checking for 
matches with any $x'_1$ above; continue until a match is found. (Each table lookup will 
require constant time; a match can be expected after about $t$ candidates $x'_2$.) 


9.93 Remark (application of birthday attack) The idea of this attack can be used by a dishon- 
est signer who provides to an unsuspecting party his signature on $x'_1$ and later repudiates 
signing that message, claiming instead that the message signed was $x'_2$; or by a dishonest 
verifier, who is able to convince an unsuspecting party to sign a prepared message $x'_1$, and 
later claim that party's signature on $x'_2$. This remark generalizes to other schemes in which 
the hash of a message is taken to represent the message itself. 

Regarding practicality, the collisions produced by the birthday attack are "real" (vs. 
pseudo-collisions or compression function collisions), and moreover of direct practical con- 
sequence when messages are constructed to be meaningful. The latter may often be done as 
follows: alter inputs via individual minor modifications which create semantically equiva- 
lent messages (e.g., substituting tab characters in text files for spaces, unprintable characters 
for each other, etc.). For 128-bit hash functions, 64 such potential modification points are 
required to allow $2^{64}$ variations. The attack then requires $O(2^{64})$ time (feasible with ex- 
treme parallelization); and while it requires space for $O(2^{64})$ messages (which is impracti- 
cal), the memory requirement can be addressed as discussed below. 


(ii)  Memoryless  variation  of  birthday  attack 

To remove the memory requirement of Algorithm 9.92, a deterministic mapping may be 
used which approximates a random walk through the hash-value space. By the birthday 
paradox, in a random walk through a space of $2^m$ points, one expects to encounter some 
point a second time (i.e., obtain a collision) after $O(2^{m/2})$ steps, after which the walk will 
repeat its previous path (and begin to cycle). General memoryless cycle-finding techniques 
may then be used to find this collision. (Here memoryless means requiring negligible mem- 
ory, rather than in the stochastic sense.) These include Floyd's cycle-finding algorithm 
(§3.2.2) and improvements to it. 

Following Algorithm 9.92, let $g$ be a function such that $g(x_1, H) = x'_1$ is a minor 
modification, determined by the hash-value $H$, of message $x_1$ (each bit of $H$ might define 
whether or not to modify $x_1$ at a pre-determined modification point). If $x_1$ is fixed, then 
$g$ essentially maps a hash-result to a message and it is convenient to write $g_{x_1}(H) = x'_1$. 
Moreover, let $g$ be injective so that distinct hashes $H$ result in distinct $x'_1$. Then, with fixed 
messages $x_1$, $x_2$, and using some easily distinguishable property (e.g., parity) which splits 
the space of hash-values into two roughly equal-sized subsets, define a function $r$ mapping 
hash-results to hash-results by: 

$$r(H) = \begin{cases} h(g_{x_1}(H)) & \text{if } H \text{ is even} \\ h(g_{x_2}(H)) & \text{if } H \text{ is odd} \end{cases} \qquad (9.4)$$

The memoryless collision search technique (see above) is then used to find two inputs to $r$ 
which map to the same output (i.e., collide). If $h$ behaves statistically as a random mapping 
then, with probability 0.5, the parity will differ in $H$ and $H'$ for the colliding inputs, in 
which case without loss of generality $h(g_{x_1}(H)) = h(g_{x_2}(H'))$. This yields a colliding 
pair of variations $x'_1 = g_{x_1}(H)$, $x'_2 = g_{x_2}(H')$ of distinct messages $x_1$, $x_2$, respectively, 
such that $h(x'_1) = h(x'_2)$, as per the output of Algorithm 9.92. 
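The following is an added example, not part of the original text, implementing Algorithm 9.92 (table-based) and the memoryless variant of equation (9.4) with Floyd's cycle-finding. It assumes a hash truncated to 24 bits (so that $2^{m/2} = 4096$ and both searches finish in well under a second; a real 128-bit hash would need $2^{64}$ work), and the modification points are spaces that may each become a tab, as the text suggests. The two contract messages are constructed sample input.

```python
import hashlib

# Added example: Yuval's birthday attack (Algorithm 9.92) and its memoryless
# variant (equation (9.4) + Floyd cycle finding) against a truncated hash.
HASH_BITS = 24   # assumption: 24-bit toy output; real hashes are 128+ bits


def h(msg: bytes) -> int:
    """m-bit one-way hash: SHA-256 truncated to HASH_BITS (stand-in for h)."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:HASH_BITS // 8], "big")


def variant(base: bytes, bits: int) -> bytes:
    """g_x(H): bit i of `bits` decides whether modification point i (the i-th
    space in `base`) becomes a tab. Injective on HASH_BITS-bit values, and the
    result is semantically equivalent to `base` (same words, only whitespace)."""
    out, i = bytearray(), 0
    for b in base:
        if b == 0x20 and i < HASH_BITS:
            out.append(0x09 if (bits >> i) & 1 else 0x20)
            i += 1
        else:
            out.append(b)
    return bytes(out)


def yuval_table_attack(x1: bytes, x2: bytes):
    """Algorithm 9.92: store 2^(m/2) variants of x1 indexed by hash, then try
    variants of x2 until one hits. Returns (x1', x2') with h(x1') == h(x2')."""
    t = 1 << (HASH_BITS // 2)
    table = {}
    for i in range(t):                      # steps 1-2: O(t) time and space
        v = variant(x1, i)
        table[h(v)] = v
    j = 0
    while True:                             # step 3: ~t candidates expected
        v = variant(x2, j)
        hv = h(v)
        if hv in table:
            return table[hv], v
        j += 1


def floyd_collision(f, start: int):
    """Floyd's cycle finding on the walk start, f(start), f(f(start)), ...
    Returns (a, b) with f(a) == f(b); a == b only if `start` is on the cycle."""
    slow, fast = f(start), f(f(start))
    while slow != fast:
        slow, fast = f(slow), f(f(fast))
    a, b = start, fast                      # both are mu steps from the cycle entry
    while f(a) != f(b):
        a, b = f(a), f(b)
    return a, b


def yuval_memoryless(x1: bytes, x2: bytes, start: int = 1):
    """Memoryless variant: r(H) hashes a variant of x1 for even H and of x2 for
    odd H (equation (9.4)). A collision of r whose inputs differ in parity is a
    collision of h between variants of the two messages; otherwise restart."""
    def r(H: int) -> int:
        return h(variant(x1, H)) if H % 2 == 0 else h(variant(x2, H))

    while True:
        a, b = floyd_collision(r, start)
        if a != b and (a % 2) != (b % 2):
            if a % 2:                       # make `a` the even (x1) side
                a, b = b, a
            return variant(x1, a), variant(x2, b)
        start = h(b"restart" + start.to_bytes(4, "big"))   # new random walk


# Constructed sample messages with the same word count (>= HASH_BITS spaces).
LEGIT = (b"I agree to pay Alice the sum of one hundred dollars on the first day "
         b"of each month for the next two years and I accept all the terms "
         b"listed in the attached document signed today ")
FRAUD = (b"I agree to pay Alice the sum of ten thousand dollars on the first day "
         b"of each month for the next ten years and I accept all the terms "
         b"listed in the attached document signed today ")

if __name__ == "__main__":
    for name, attack in (("table", yuval_table_attack), ("memoryless", yuval_memoryless)):
        a, b = attack(LEGIT, FRAUD)
        print(name, hex(h(a)), hex(h(b)), a.split() == LEGIT.split(), b.split() == FRAUD.split())
```

Both attacks return a pair whose whitespace differs from the originals but whose words are unchanged, so a signature obtained on the legitimate variant verifies on the fraudulent one. The table attack holds $2^{m/2}$ messages in memory; the Floyd walk holds only two hash values at a time, at the cost of roughly three times as many hash evaluations and a coin-flip chance of having to restart when the colliding inputs have the same parity.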


(iii)  Illustrative  application  to  MD5 

Actual application of the above generic attack to a specific hash function raises additional 
technicalities. To illustrate how these may be addressed, such application is now examined, 
with assumptions and choices made for exposition only. Let $h$ be an iterated hash function 
processing messages in 512-bit blocks and producing 128-bit hashes (e.g., MD5, RIPEMD- 
128). To minimize computational expense, restrict $r$ (effectively $g$ and $h$) in equation (9.4) 
to single 512-bit blocks of $x_i$, such that each iteration of $r$ involves only the compression 
function $f$ on inputs one message block and the current chaining variable. 

Let the legitimate message input $x_1$ consist of $s$ 512-bit blocks ($s \ge 1$, prior to MD- 
strengthening). Create a fraudulent message $x_2$ of equal bitlength. Allow $x_2$ to differ from 
$x_1$ up to and including the $j$th block, for any fixed $j \le s - 1$. Use the $(j+1)$st block of $x_i$, 
denoted $B_i$ ($i = 1, 2$), as a matching/replacement block, to be replaced by the 512-bit blocks 
resulting from the collision search. Set all blocks in $x_2$ subsequent to $B_2$ identically equal 
to those in $x_1$; $x'_i$ will then differ from $x_i$ only in the single block $(j+1)$. For maximum 
freedom in the construction of $x_2$, choose $j = s - 1$. Let $c_1$, $c_2$ be the respective 128-bit 
intermediate results (chaining variables) after the iterated hash operates on the first $j$ blocks 
of $x_1$, $x_2$. Compression function $f$ maps $(128 + 512 =)$ 640-bit inputs to 128-bit outputs. 
Since the chaining variables depend on $x_i$, $g_{x_i}$ $(= g)$ may be defined independent of $x_i$ 
here (cf. equation (9.4)); assume both entire blocks $B_i$ may be replaced without practical 
implication. Let $g(H) = B$ denote an injective mapping from the space of 128-bit hash- 
values to the space of 512-bit potential replacement blocks, defined as follows: map each 
two-bit segment of $H$ to one of four 8-bit values in the replacement block $B$. (A practical 
motivation for this is that if $x_i$ is an ASCII message to be printed, and the four 8-bit values 
are selected to represent non-printable characters, then upon printing, the resulting blocks 
$B$ are all indistinguishable, leaving no evidence of adversarial manipulation.) 

The collision-finding function $r$ for this specific example (corresponding to the generic 
equation (9.4)) is then: 

$$r(H) = \begin{cases} f(c_1, g(H)) & \text{if } H \text{ is even} \\ f(c_2, g(H)) & \text{if } H \text{ is odd} \end{cases}$$

Collisions for MD5 (and similar hash functions) can thus be found in $O(2^{64})$ operations 
and without significant storage requirements. 


9.7.2  Pseudo-collisions  and  compression  function  attacks 

The  exhaustive  or  brute  force  methods  discussed  in  §9.3.4,  producing  preimages,  2nd-pre- 
images,  and  collisions  for  hash  functions,  are  always  theoretically  possible.  They  are  not 
considered  true  “attacks”  unless  the  number  of  operations  required  is  significantly  less  than 
both  the  strength  conjectured  by  the  hash  function  designer  and  that  of  hash  functions  of 
similar  parameters  with  ideal  strength.  An  attack  requiring  such  a reduced  number  of  oper- 
ations is  informally  said  to  break  the  hash  function,  whether  or  not  this  computational  effort 
is  feasible  in  practice.  Any  attack  method  which  demonstrates  that  conjectured  properties 
do  not  hold  must  be  taken  seriously;  when  this  occurs,  one  must  admit  the  possibility  of 
additional  weaknesses. 

In  addition  to  considering  the  complexity  of  finding  (ordinary)  preimages  and  colli- 
sions, it  is  common  to  examine  the  feasibility  of  attacks  on  slightly  modified  versions  of 
the  hash  function  in  question,  for  reasons  explained  below.  The  most  common  case  is  ex- 
amination of  the  difficulty  of  finding  preimages  or  collisions  if  one  allows  free  choice  of 
IVs.  Attacks  on  hash  functions  with  unconstrained  IVs  dictate  upper  bounds  on  the  security 
of  the  actual  algorithms.  Vulnerabilities  found,  while  not  direct  weaknesses  in  the  overall 
hash  function,  are  nonetheless  considered  certificational  weaknesses  and  cast  suspicion  on 
overall  security.  In  some  cases,  restricted  attacks  can  be  extended  to  full  attacks  by  standard 
techniques. 

Table  9.11  lists  the  most  commonly  examined  variations,  including  pseudo-collisions 
- collisions  allowing  different  IVs  for  the  different  message  inputs.  In  contrast  to  preim- 
ages and  collisions,  pseudo-preimages  and  pseudo-collisions  are  of  limited  direct  practical 
significance. 

9.94 Note (alternate names for collision and preimage attacks) Alternate names for those in 
Table 9.11 are as follows: preimage or 2nd-preimage = target attack; pseudo-preimage 
= free-start target attack; collision (fixed IV) = collision attack; collision (random IV) = 
semi-free-start collision attack; pseudo-collision = free-start collision attack. 

9.95  Note  ( relative  difficulty  of  attacks)  Finding  a collision  can  be  no  harder  than  finding  a 2nd- 
preimage.  Similarly,  finding  a pseudo-collision  can  be  no  harder  than  finding  (two  distinct) 
pseudo-preimages. 
Type of attack          V     V'    x     x'    y            Find ... 
----------------------  ----  ----  ----  ----  -----------  -------------------------------------
preimage                V0    —     *     —     y0           x:             h(V0, x) = y0 
pseudo-preimage         *     —     *     —     y0           x, V:          h(V, x) = y0 
2nd-preimage            V0    V0    x0    *     h(V0, x0)    x':            h(V0, x0) = h(V0, x') 
collision (fixed IV)    V0    V0    *     *     —            x, x':         h(V0, x) = h(V0, x') 
collision (random IV)   *     V     *     *     —            x, x', V:      h(V, x) = h(V, x') 
pseudo-collision        *     *     *     *     —            x, x', V, V':  h(V, x) = h(V', x') 

Table 9.11: Definition of preimage and collision attacks. V and V' denote (potentially different) 
IVs used for MDC h applied to inputs x and x', respectively; V0 denotes the IV pre-specified in the 
definition of h, x0 a pre-specified target input, and y = y0 a pre-specified target output. * Denotes 
IVs or inputs which may be freely chosen by an attacker; h(V0, x0) denotes the hash-code resulting 
from applying h with fixed IV V = V0 to input x = x0. — Means not applicable. 


9.96 Example (trivial collisions for random IVs) If free choice of IV is allowed, then trivial 
pseudo-collisions can be found by deleting leading blocks from a target message. For exam- 
ple, for an iterated hash (cf. equation (9.1) on page 333), $h(IV, x_1 x_2) = f(f(IV, x_1), x_2)$. 
Thus, for $IV' = f(IV, x_1)$, $h(IV', x_2) = h(IV, x_1 x_2)$ yields a pseudo-collision of $h$, in- 
dependent of the strength of $f$. (MD-strengthening as per Algorithm 9.26 precludes this.) 
□ 

Another  common  analysis  technique  is  to  consider  the  strength  of  weakened  variants  of 
an  algorithm,  or  attack  specific  subcomponents,  akin  to  cryptanalyzing  an  8-round  version 
of  DES  in  place  of  the  full  16  rounds. 

9.97 Definition An attack on the compression function of an iterated hash function is any attack 
as per Table 9.11 with $f(H_{i-1}, x_i)$ replacing $h(V_0, x)$ - the compression function $f$ in place 
of hash function $h$, chaining variable $H_{i-1}$ in place of initializing value $V$, and a single input 
block $x_i$ in place of the arbitrary-length message $x$. 

An attack on a compression function focuses on one fixed step $i$ of the iterative func- 
tion of equation (9.1). The entire message consists of a single block $x_i = x$ (without 
MD-strengthening), and the hash output is taken to be the compression function output so 
$h(x) = H_i$. The importance of such attacks arises from the following. 

9.98  Note  (compression  function  vs.  hash  function  attacks ) Any  of  the  six  attacks  of  Table  9.11 
which  is  found  for  the  compression  function  of  an  iterated  hash  can  be  extended  to  a similar 
attack  of  roughly  equal  complexity  on  the  overall  hash.  An  iterated  hash  function  is  thus 
in  this  regard  at  most  as  strong  as  its  compression  function.  (However  note,  for  example, 
an  overall  pseudo-collision  is  not  always  of  practical  concern,  since  most  hash  functions 
specify  a fixed  IV.) 

For example, consider a message $x = x_1 x_2 \ldots x_t$. Suppose a successful 2nd-preimage 
attack on compression function $f$ yields a 2nd-preimage $x'_1 \ne x_1$ such that $f(IV, x'_1) = 
f(IV, x_1)$. Then, $x' = x'_1 x_2 \ldots x_t$ is a preimage of $h(x)$. 

More positively, if MD-strengthening is used, the strength of an iterated hash with 
respect to the attacks of Table 9.11 is the same as that of its compression function (cf. 
Fact 9.24). However, an iterated hash may certainly be weaker than its compression func- 
tion (e.g., Example 9.96; Fact 9.37). 

In  summary,  a compression  function  secure  against  preimage,  2nd-preimage,  and  col- 
lision (fixed  IV)  attacks  is  necessary  and  sometimes,  but  not  always,  sufficient  for  a secure 
iterated  hash;  and  security  against  the  other  (i.e.,  free-start)  attacks  of  Table  9.11  is  desir- 
able, but  not  always  necessary  for  a secure  hash  function  in  practice.  For  this  reason,  com- 
pression functions  are  analyzed  in  isolation,  and  attacks  on  compression  functions  as  per 
Definition  9.97  are  considered.  A further  result  motivating  the  study  of  pseudo-preimages 
is  the  following. 

9.99 Fact (pseudo-preimages yielding preimages) If the compression function $f$ of an $n$-bit 
iterated hash function $h$ does not have ideal computational security ($2^n$) against pseudo- 
preimage attacks, then preimages for $h$ can be found in fewer than $2^n$ operations (cf. §9.3.4, 
Table 9.2). This result is true even if $h$ has MD-strengthening. 

Justification. The attack requires messages of 3 or more blocks, with 2 or more uncon- 
strained to allow a meet-in-the-middle attack (page 374). If pseudo-preimages can be found 
in $2^s$ operations, then $2^{(n+s)/2}$ forward points and $2^{(n-s)/2}$ backward points are employed 
(fewer backward points are used since they are more costly). Preimages can thus be found 
in $2 \cdot 2^{(n+s)/2}$ operations. 


9.7.3  Chaining  attacks 

Chaining  attacks  are  those  which  are  based  on  the  iterative  nature  of  hash  functions  and,  in 
particular,  the  use  of  chaining  variables.  These  focus  on  the  compression  function  / rather 
than  the  overall  hash  function  h,  and  may  be  further  classified  as  below.  An  example  for 
context  is  first  given. 

9.100 Example (chaining attack) Consider a (candidate) collision resistant iterative hash func- 
tion $h$ producing a 128-bit hash-result, with a compression function $f$ taking as inputs a 
512-bit message block $x_i$ and 128-bit chaining variable $H_i$ ($H_0 = IV$) and producing out- 
put $H_{i+1} = f(H_i, x_i)$. For a fixed 10-block message $x$ (640 bytes), consider $H = h(x)$. 
Suppose one picks any one of the 10 blocks, and wishes to replace it with another block 
without affecting the hash $H$. If $h$ behaves like a random mapping, the number of such 
512-bit blocks is approximately $2^{512}/2^{128} = 2^{384}$. Any efficient method for finding any 
one of these $2^{384}$ blocks distinct from the original constitutes an attack on $h$. The challenge 
is that such blocks are a sparse subset of all possible blocks, about 1 in $2^{128}$. □ 

(i)  Correcting-block  chaining  attacks 

Using  the  example  above  for  context,  one  could  attempt  to  (totally)  replace  a message  x 
with  a new  message  x',  such  that  h(x)  = h(x'),  by  using  a single  unconstrained  “correct- 
ing” block  in  x1,  designated  ahead  of  time,  to  be  determined  later  such  that  it  produces  a 
chaining  value  which  results  in  the  overall  hash  being  equal  to  target  value  h(x).  Such  a cor- 
recting block  attack  can  be  used  to  find  both  preimages  and  collisions.  If  the  unconstrained 
block  is  the  first  (last)  block  in  the  message,  it  is  called  a correcting  first  (last)  block  at- 
tack. These  attacks  may  be  precluded  by  requiring  per-block  redundancy,  but  this  results  in 
an  undesirable  bandwidth  penalty.  Example  9.101  illustrates  a correcting  first  block  attack. 
The  extension  of  Yuval’s  birthday  attack  (page  369),  with  message  alterations  restricted  to 
the  last  block  of  candidate  messages,  resembles  a correcting  last  block  attack  applied  simul- 
taneously to  two  messages,  seeking  a (birthday)  collision  rather  than  a fixed  overall  target 
hash- value. 
9.101 Example (correcting block attack on CBC cipher mode) The CBC mode of encryption 
with non-secret key ($H_0 = IV$; $H_i = E_k(H_{i-1} \oplus x_i)$) is unsuitable as an MDC algorithm, 
because it fails to be one-way - the compression function is reversible when the encryption 
key is known. A message $x'$, of unconstrained length (say $t$ blocks) can be constructed to 
have any specified target hash-value $H$ as follows. Let $x'_2, \ldots, x'_t$ be $t - 1$ blocks chosen 
freely. Set $H'_t \leftarrow H$, then for $i$ from $t$ down to 2 compute $H'_{i-1} \leftarrow D_k(H'_i) \oplus x'_i$. Finally, compute 
$x'_1 \leftarrow D_k(H'_1) \oplus IV$. Then, for $x' = x'_1 x'_2 \ldots x'_t$, $h(x') = H$ and all but block $x'_1$ (which 
will appear random) can be freely chosen by an adversary; even this minor drawback can 
be partially addressed by a meet-in-the-middle strategy (see below). Analogous remarks 
apply to the CFB mode. □ 
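The following is an added example, not part of the original text, serving Example 9.88 (CBC-MAC and CBC encryption under one key and IV, where the encrypted MAC collapses to $E_k(0)$), Example 9.89 (CBCC, where permuting or pair-inserting ciphertext blocks passes the XOR checksum) and Example 9.101 above (the correcting first block attack on CBC mode used as an MDC). The block cipher is an assumption: a toy 64-bit four-round Feistel network with SHA-256 round functions standing in for DES, which is enough because all three attacks depend only on the CBC structure and on $D_k$ being available, not on any cipher weakness. The key, IV and messages are constructed sample data.

```python
import hashlib

# Added example: toy 64-bit block cipher E_k/D_k, CBC mode, and the three
# attacks from Examples 9.88, 9.89 and 9.101 (assumptions: toy Feistel cipher
# in place of DES; constructed key, IV and messages).
BLOCK = 8   # 64-bit blocks

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def _F(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed Feistel round function: SHA-256 truncated to half a block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def enc(key: bytes, block: bytes) -> bytes:
    """E_k: four Feistel rounds; the final swap is undone so that dec() is
    the same loop with the round order reversed."""
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        L, R = R, xor(L, _F(key, rnd, R))
    return R + L

def dec(key: bytes, block: bytes) -> bytes:
    """D_k: inverse of enc()."""
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        L, R = R, xor(L, _F(key, rnd, R))
    return R + L

def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for x in blocks:
        prev = enc(key, xor(prev, x))       # c_i = E_k(c_{i-1} xor x_i), c_0 = IV
        out.append(prev)
    return out

def cbc_decrypt(key, iv, cblocks):
    out, prev = [], iv
    for c in cblocks:
        out.append(xor(prev, dec(key, c)))  # x_i = c_{i-1} xor D_k(c_i)
        prev = c
    return out

def cbc_mac(key, iv, blocks):
    """CBC-MAC (last CBC ciphertext block). With a public key this is also the
    CBC-mode MDC of Example 9.101, H_i = E_k(H_{i-1} xor x_i)."""
    return cbc_encrypt(key, iv, blocks)[-1]

def encrypt_with_cbc_mac_same_key(key, iv, blocks):
    """Example 9.88: equation (9.3) with k = k' and IV = IV'. Returns the final
    ciphertext block (the encrypted MAC), which is always E_k(0)."""
    mac = cbc_mac(key, iv, blocks)
    return cbc_encrypt(key, iv, blocks + [mac])[-1]

def xor_sum(blocks):
    s = bytes(BLOCK)
    for x in blocks:
        s = xor(s, x)
    return s

def cbcc_encrypt(key, iv, blocks):
    """Example 9.89: equation (9.2) with h(x) = XOR of all plaintext blocks."""
    return cbc_encrypt(key, iv, blocks + [xor_sum(blocks)])

def cbcc_verify(key, iv, cblocks):
    """Recipient side of CBCC: the recovered message if the XOR checksum over
    the first t recovered blocks equals the recovered last block, else None."""
    p = cbc_decrypt(key, iv, cblocks)
    return p[:-1] if xor_sum(p[:-1]) == p[-1] else None

def correcting_first_block(key, iv, target, free_blocks):
    """Example 9.101: given target H and freely chosen x'_2..x'_t, compute x'_1
    so that cbc_mac(key, iv, [x'_1] + free_blocks) == target."""
    H = target
    for x in reversed(free_blocks):         # i from t down to 2
        H = xor(dec(key, H), x)             # H'_{i-1} = D_k(H'_i) xor x'_i
    x1 = xor(dec(key, H), iv)               # x'_1 = D_k(H'_1) xor IV
    return [x1] + free_blocks

# Constructed sample data (8-byte blocks).
KEY, IV = b"toy-key!", bytes(BLOCK)
MSG_A = [b"pay alic", b"e 100 do", b"llars..."]
MSG_B = [b"pay bob ", b"1000000 ", b"dollars!"]

if __name__ == "__main__":
    print(encrypt_with_cbc_mac_same_key(KEY, IV, MSG_A) == enc(KEY, bytes(BLOCK)))
    c = cbcc_encrypt(KEY, IV, MSG_A)
    print(cbcc_verify(KEY, IV, [c[1], c[0]] + c[2:]) is not None)   # swap accepted
    forged = correcting_first_block(KEY, IV, cbc_mac(KEY, IV, MSG_A), MSG_B[1:])
    print(cbc_mac(KEY, IV, forged) == cbc_mac(KEY, IV, MSG_A))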

(ii)  Meet-in-the-middle  chaining  attacks 

These are birthday attacks similar to Yuval's (and which can be made essentially memory- 
less) but which seek collisions on intermediate results (i.e., chaining variables) rather than 
the overall hash-result. When applicable, they allow (unlike Yuval's attack) one to find a 
message with a pre-specified hash-result, for either a 2nd-preimage or a collision. An at- 
tack point is identified between blocks of a candidate (fraudulent) message. Variations of 
the blocks preceding and succeeding this point are generated. The variations are hashed 
forward from the algorithm-specified IV (computing $H_i = f(H_{i-1}, x_i)$ as usual) and back- 
ward from the target final hash-result (computing $H_i = f^{-1}(H_{i+1}, x_{i+1})$ for some $H_{i+1}$, 
$x_{i+1}$, ideally for $x_{i+1}$ chosen by the adversary), seeking a collision in the chaining vari- 
able $H_i$ at the attack point. For the attack to work, the attacker must be able to efficiently 
go backwards through the chain (certainly moreso than by brute force - e.g., see Exam- 
ple 9.102), i.e., invert the compression function in the following manner: given a value 
$H_{i+1}$, find a pair $(H_i, x_{i+1})$ such that $f(H_i, x_{i+1}) = H_{i+1}$. 

9.102 Example (meet-in-the-middle attack on invertible key chaining modes) Chaining modes 
which allow easily derived stage keys result in reversible compression functions unsuitable 
for use in MDCs due to lack of one-wayness (cf. Example 9.101). An example of such 
invertible key chaining methods is Bitzer's scheme: $H_0 = IV$, $H_i = f(H_{i-1}, x_i) = 
E_{k_i}(H_{i-1})$ where $k_i = x_i \oplus s(H_{i-1})$ and $s(H_{i-1})$ is a function mapping chaining variables 
to the key space. For exposition, let $s$ be the identity function. This compression function 
is unsuitable because it falls to a meet-in-the-middle attack as outlined above. The ability 
to move backwards through chaining variables, as required by such an attack, is possible 
here with the chaining variable $H_i$ computed from $H_{i+1}$ as follows. Choose a fixed value 
$k_{i+1} \leftarrow k$, compute $H_i \leftarrow D_k(H_{i+1})$, then choose as message block $x_{i+1} \leftarrow k \oplus H_i$. □ 

(iii)  Fixed-point  chaining  attacks 

A fixed point of a compression function is a pair $(H_{i-1}, x_i)$ such that $f(H_{i-1}, x_i) = H_{i-1}$.

For such a pair of message block and chaining value, the overall hash on a message is un-
changed upon insertion of an arbitrary number of identical blocks $x_i$ at the chain point at
which that chaining value arises. Such attacks are thus of concern if it can be arranged that
the chaining variable has a value for which a fixed point is known. This includes the fol-
lowing cases: if fixed points can be found and it can be easily arranged that the chaining
variable take on a specific value; or if for arbitrary chaining values $H_{i-1}$, blocks $x_i$ can
be found which result in fixed-points. Fixed points allow 2nd-preimages and collisions to
be produced; their effect can be countered by inclusion of a trailing length-block (Algo-
rithm 9.26).
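The following is an added, runnable illustration (example code written for this edit, not the Handbook's own) of the meet-in-the-middle attack of Example 9.102 and of the fixed point that makes the Davies-Meyer function (Algorithm 9.42) susceptible to the fixed-point chaining attack just described. The 32-bit add-rotate-xor cipher $E$/$D$, the IV, the stage key 0xDEADBEEF and the sample message blocks are all constructed stand-ins (the cipher is a toy, not DES), chosen so that the search finishes in about $2^{17}$ cipher calls where a brute-force 2nd-preimage on a 32-bit chaining variable would need about $2^{32}$. With $s$ the identity, one Bitzer step is inverted exactly as in Example 9.102; for Davies-Meyer, $H = D_x(0)$ is a fixed point for every block $x$, since then $E_x(H) \oplus H = 0 \oplus H = H$.

```python
"""Constructed demonstration (not the Handbook's code): a toy 32-bit ARX block
cipher E/D stands in for DES.  Used (a) for the meet-in-the-middle 2nd-preimage
attack on Bitzer's invertible key chaining (Example 9.102) and (b) for the
Davies-Meyer fixed point H = D_x(0) behind fixed-point chaining attacks."""

MASK = 0xFFFFFFFF
RC = (0x9E3779B9, 0x7F4A7C15, 0xF39CC060, 0x5CEDC834, 0x1082276B, 0xF3A27251)
IV = 0x01234567  # assumed algorithm-specified IV (constructed)


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def E(k, x):
    """Toy 32-bit block cipher: six add/rotate/xor rounds keyed by k (not DES)."""
    for c in RC:
        x = (x + (k ^ c)) & MASK
        x = rotl(x, 13) ^ ((k + c) & MASK)
    return x


def D(k, y):
    """Inverse of E: undo the rounds in reverse order."""
    for c in reversed(RC):
        y = rotr(y ^ ((k + c) & MASK), 13)
        y = (y - (k ^ c)) & MASK
    return y


# ---- (a) Bitzer's scheme with s = identity: H_i = E_{x_i xor H_{i-1}}(H_{i-1}) ----

def bitzer_hash(blocks, iv=IV):
    h = iv
    for x in blocks:
        h = E(x ^ h, h)
    return h


def step_back(h_next, k):
    """Invert one stage for a chosen stage key k (Example 9.102): H_i = D_k(H_{i+1})
    and x_{i+1} = k xor H_i, so that E_{x_{i+1} xor H_i}(H_i) = E_k(H_i) = H_{i+1}."""
    h = D(k, h_next)
    return h, k ^ h


def mitm_second_preimage(blocks, forward_size=1 << 16):
    """Return a different 4-block message with the same Bitzer hash as `blocks`.
    Attack point: between blocks 2 and 3.  Forward: 2^16 variants of x_2 fill a
    table of H_2 values.  Backward: from the target hash, invert through a fixed
    x_4' and successive x_3' candidates until H_2 lands in the table."""
    x1, x2 = blocks[0], blocks[1]
    target = bitzer_hash(blocks)
    h1 = bitzer_hash([x1])
    forward = {}
    for j in range(forward_size):
        cand = (x2 + j * 0x9E3779B9) & MASK       # constructed variants of x_2
        forward.setdefault(E(cand ^ h1, h1), cand)
    h3, x4 = step_back(target, 0xDEADBEEF)        # arbitrary fixed stage key k_4
    k3 = 0
    while True:                                    # expected about 2^16 iterations
        h2, x3 = step_back(h3, k3)
        if h2 in forward:
            return [x1, forward[h2], x3, x4]
        k3 = (k3 + 1) & MASK


# ---- (b) Davies-Meyer: f(H_{i-1}, x_i) = E_{x_i}(H_{i-1}) xor H_{i-1} ----

def dm_compress(h, x):
    return E(x, h) ^ h


def dm_fixed_point(x):
    """For any block x, H = D_x(0) satisfies E_x(H) = 0, hence f(H, x) = H."""
    return D(x, 0)


def dm_hash(blocks, iv, strengthen=False):
    """Iterate from chaining value iv; strengthen=True appends a length block."""
    h = iv
    for x in blocks:
        h = dm_compress(h, x)
    if strengthen:
        h = dm_compress(h, len(blocks) & MASK)
    return h


def fixed_point_demo(x=0xCAFEBABE, tail=(0x11111111, 0x22222222)):
    """From the fixed point H* of x (the attacker must first arrange that the
    chaining variable takes this value), inserting 1..4 copies of x leaves the
    unstrengthened hash unchanged, while the trailing length block separates the
    four cases.  Returns (distinct hashes without length block, with it)."""
    h_star = dm_fixed_point(x)
    assert dm_compress(h_star, x) == h_star
    plain = {dm_hash([x] * n + list(tail), h_star) for n in range(1, 5)}
    strong = {dm_hash([x] * n + list(tail), h_star, True) for n in range(1, 5)}
    return len(plain), len(strong)


if __name__ == "__main__":
    original = [0x48656C6C, 0x6F2C2057, 0x6F726C64, 0x21212121]  # constructed
    forged = mitm_second_preimage(original)
    print("2nd preimage found:", forged != original,
          bitzer_hash(forged) == bitzer_hash(original))
    print("fixed-point demo (plain, strengthened):", fixed_point_demo())
```

The forged message keeps the first block and the final hash of the original but has attacker-chosen garbage in blocks 2 to 4; for a 2nd-preimage on a meaningful message the attacker would instead vary free bytes before and after the attack point, as in Yuval's attack. The fixed-point part starts from $H^*$ as the chaining value, i.e., the free-start setting; whether an adversary can steer the chaining variable onto a known fixed point is exactly the condition stated above, and the length block of Algorithm 9.26 defeats the insertion even when that is possible.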
(iv) Differential chaining attacks

Differential  cryptanalysis  has  proven  to  be  a powerful  tool  for  the  cryptanalysis  of  not  only 
block  ciphers  but  also  of  hash  functions  (including  MACs).  For  multi-round  block  ciphers 
this  attack  method  examines  input  differences  (XORs)  to  round  functions  and  the  corre- 
sponding output  differences,  searching  for  statistical  anomalies.  For  hash  functions,  the 
examination  is  of  input  differences  to  compression  functions  and  the  corresponding  output 
differences;  a collision  corresponds  to  an  output  difference  of  zero. 


9.7.4  Attacks  based  on  properties  of  underlying  cipher 

The  implications  of  certain  properties  of  block  ciphers,  which  may  be  of  no  practical  con- 
cern when  used  for  encryption,  must  be  carefully  examined  when  such  ciphers  are  used 
to  construct  iterated  hash  functions.  The  general  danger  is  that  such  properties  may  facil- 
itate adversarial  manipulation  of  compression  function  inputs  so  as  to  allow  prediction  or 
greater  control  of  outputs  or  relations  between  outputs  of  successive  iterations.  Included 
among  block  cipher  properties  of  possible  concern  are  the  following  (cf.  Chapter  7): 

1. complementation property: $y = E_k(x) \iff \bar{y} = E_{\bar{k}}(\bar{x})$, where $\bar{x}$ denotes bitwise
complement. This makes it trivial to find key-message pairs of block cipher inputs
whose outputs differ in a pre-determined manner. For example, for such a block ci-
pher $E$, the compression function $f(H_{i-1}, x_i) = E_{H_{i-1} \oplus x_i}(x_i) \oplus x_i$ (a linear trans-
formation of the Matyas-Meyer-Oseas function) produces the same output for $x_i$ and
its bitwise complement $\bar{x}_i$ (since $H_{i-1} \oplus \bar{x}_i = \overline{H_{i-1} \oplus x_i}$, so that
$f(H_{i-1}, \bar{x}_i) = \overline{E_{H_{i-1} \oplus x_i}(x_i)} \oplus \bar{x}_i = E_{H_{i-1} \oplus x_i}(x_i) \oplus x_i$).

2. weak keys: $E_k(E_k(x)) = x$ (for all $x$). This property of involution of the block
cipher may allow an adversary to easily create a two-step fixed point of the compres-
sion function $f$ in the case that message blocks $x_i$ have direct influence on the block
cipher key input (e.g., if $f = E_{x_i}$, insert 2 blocks $x_i$ containing a weak key).
The threat is similar for semi-weak keys, where $E_{k'}(E_k(x)) = x$.

3. fixed points: $E_k(x) = x$. Block cipher fixed points may facilitate fixed-point attacks
if an adversary can control the block cipher key input. For example, for the Davies-
Meyer compression function $f(H_{i-1}, x_i) = E_{x_i}(H_{i-1}) \oplus H_{i-1}$, if $H_{i-1}$ is a fixed
point of the block cipher for key $x_i$ (i.e., $E_{x_i}(H_{i-1}) = H_{i-1}$), then this yields a
predictable compression function output $f(H_{i-1}, x_i) = 0$.

4. key collisions: $E_k(x) = E_{k'}(x)$. These may allow compression function collisions.

Although they may serve as distinguishing metrics, attacks which appear purely certi-
ficational in nature should be noted separately from others; for example, fixed point attacks
appear to be of limited practical consequence.

9.103 Example (DES-based hash functions) Consider DES as the block cipher in question (see
§7.4). DES has the complementation property; has 4 weak keys and 6 pairs of semi-weak
keys (each with bit 2 equal to bit 3); each weak key has $2^{32}$ fixed points (thus a random
plaintext is a fixed point of some weak key with probability $2^{-30}$), as do 4 of the semi-
weak keys; and key collisions can be found in $2^{32}$ operations. The security implications of
these properties must be taken into account in the design of any DES-based hash function.
Concerns regarding both weak keys and the complementation property can be eliminated
by forcing key bits 2 and 3 to be 10 or 01 within the compression function. □
9.8 Notes and further references

§9.1 

The  definitive  reference  for  cryptographic  hash  functions,  and  an  invaluable  source  for  the 
material  in  this  chapter  (including  many  otherwise  unattributed  results),  is  the  comprehen- 
sive treatment  of  Preneel  [1003,  1004];  see  also  the  surveys  of  Preneel  [1002]  and  Preneel, 
Govaerts, and Vandewalle [1006]. Davies and Price [308] also provide a solid treatment
of  message  authentication  and  data  integrity.  An  extensive  treatment  of  conventional  hash- 
ing, including  historical  discussion  tracing  origins  back  to  IBM  in  1953,  is  given  by  Knuth 
[693, p.506-549]. Independent of cryptographic application, universal classes of hash func-
tions were introduced by Carter and Wegman [234] in the late 1970s, the idea being to find
a class  of  hash  functions  such  that  for  every  pair  of  inputs,  the  probability  was  low  that  a 
randomly  chosen  function  from  the  class  resulted  in  that  pair  colliding.  Shortly  thereafter, 
Wegman  and  Carter  [1234]  noted  the  cryptographic  utility  of  these  hash  functions,  when 
combined with secret keys, for (unconditionally secure) message authentication tag sys-
tems; they formalized this concept, earlier considered by Gilbert, MacWilliams, and Sloane
[454] (predating the concept of digital signatures) who attribute the problem to Simmons.
Simmons  ([1138], [1144];  see  also  Chapter  10  of  Stinson  [1178])  independently  developed 
a general  theory  of  unconditionally  secure  message  authentication  schemes  and  the  subject 
of  authentication  codes  (see  also  §9.5  below). 

Rabin  [1022,  1023]  first  suggested  employing  a one-way  hash  function  (constructed  by  us- 
ing successive  message  blocks  to  key  an  iterated  block  encryption)  in  conjunction  with  a 
one-time  signature  scheme  and  later  in  a public-key  signature  scheme;  Rabin  essentially 
noted  the  requirements  of  2nd-preimage  resistance  and  collision  resistance.  Merkle  [850] 
explored  further  uses  of  one-way  hash  functions  for  authentication,  including  the  idea  of 
tree  authentication  [852]  for  both  one-time  signatures  and  authentication  of  public  files. 

§9.2 

Merkle  [850]  (partially  published  as  [853])  was  the  first  to  give  a substantial  ( informal)  def- 
inition of  one-way  hash  functions  in  1979,  specifying  the  properties  of  preimage  and  2nd- 
preimage  resistance.  Foreshadowing  UOWHFs  (see  below),  he  suggested  countering  the 
effect  of  Remark  9.36  by  using  slightly  different  hash  functions  h over  time;  Merkle  [850, 
p.  16-18]  also  proposed  a public  key  distribution  method  based  on  a one-way  hash  function 
(effectively used as a one-way pseudo-permutation) and the birthday paradox, in a precur-
sor to his "puzzle system" (see page 537). The first formal definition of a CRHF was given
in 1988 by Damgård [295] (an informal definition was later given by Merkle [855, 854];
see also [853]), who was first to explore collision resistant hash functions in a complexity-
theoretic setting. Working from the idea of claw-resistant pairs of trapdoor permutations
due to Goldwasser, Micali, and Rivest [484], Damgård defined claw-resistant families of
permutations (without the trapdoor property). The term claw-resistant (originally: claw-
free) originates from the pictorial representation of a functional mapping showing two dis-
tinct domain elements being mapped to the same range element under distinct functions $f^{(0)}$
and $f^{(1)}$ (colliding at $z = f^{(0)}(x) = f^{(1)}(y)$), thereby tracing out a claw.

Goldwasser et al. [484] established that the intractability of factoring suffices for the exis-
tence of claw-resistant pairs of permutations. Damgård showed that the intractability of the
discrete  logarithm  problem  likewise  suffices.  Using  several  reasonably  efficient  number- 
theoretic  constructions  for  families  of  claw-resistant  permutations,  he  gave  the  first  prov- 
ably  collision  resistant  hash  functions,  under  such  intractability  assumptions  (for  discrete 
logarithms, the assumption required is that taking specific discrete logarithms be difficult).
Russell  [1088]  subsequently  established  that  a collection  of  collision  resistant  hash  func- 
tions exists  if  and  only  if  there  exists  a collection  of  claw-resistant  pairs  of  pseudo-permu- 
tations; a pseudo-permutation  on  a set  is  a function  computationally  indistinguishable  from 
a permutation  (pairs  of  elements  demonstrating  non-injectivity  are  hard  to  find  ).  It  remains 
open  whether  the  existence  of  one-way  functions  suffices  for  the  existence  of  collision  re- 
sistant hash  functions. 

The definition of a one-way function (Definition 9.9) was given in the seminal paper of
Diffie and Hellman [345], along with the use of the discrete exponential function modulo
a prime  as  a candidate  OWF,  which  they  credit  to  Gill.  The  idea  of  providing  the  hash- 
value  of  some  data,  to  indicate  prior  commitment  to  (or  knowledge  of)  that  data,  was  uti- 
lized in  Lamport’s  one-time  signature  scheme  (circa  1976);  see  page  485.  The  OWF  of 
Example  9.13  was  known  to  Matyas  and  Meyer  circa  1979.  As  noted  by  Massey  [786],  the 
idea  of  one-wayness  was  published  in  1873  by  J.S.  Jevons,  who  noted  (preceding  RSA  by  a 
century)  that  multiplying  two  primes  is  easy  whereas  factoring  the  result  is  not.  Published 
work  dated  1968  records  the  use  of  ciphers  essentially  as  one-way  functions  (decryption 
was  not  required)  in  a technique  to  avoid  storing  cleartext  computer  account  passwords  in 
time-shared  systems.  These  were  referred  to  as  one-way  ciphers  by  Wilkes  [1244]  (p.91- 
93  in  1968  or  1972  editions;  p.147  in  1975  edition),  who  credits  Needham  with  the  idea 
and  an  implementation  thereof.  The  first  proposal  of  a non-invertible  function  for  the  same 
purpose  appears  to  be  that  of  Evans,  Kantrowitz,  and  Weiss  [375],  while  Purdy  [1012]  pro- 
posed extremely  high-degree,  sparse  polynomials  over  a prime  field  as  a class  of  functions 
which  were  computationally  difficult  to  invert.  Foreshadowing  later  research  into  collision 
resistance, Purdy also defined the degeneracy of such a function to be the maximum number
of preimages that any image could have, noting that "if the degeneracy is catastrophically
large there may be no security at all".

Naor  and  Yung  [920]  introduced  the  cryptographic  primitive  known  as  a universal  one-way 
hash  function  ( UOWHF)  family,  and  give  a provably  secure  construction  for  a one-way  hash 
function  from  a one-way  hash  function  which  compresses  by  a single  bit  (t  + 1 to  t bits); 
the  main  property  of  a UOWHF  family  is  2nd-preimage  resistance  as  for  a OWHF,  but  here 
an  instance  of  the  function  is  picked  at  random  from  a family  of  hash  functions  after  fixing 
an  input,  as  might  be  modeled  in  practice  by  using  a random  IV  with  a OWHF.  Naor  and 
Yung  [920]  also  prove  by  construction  that  UOWHFs  exist  if  and  only  if  one-way  permu- 
tations do,  and  show  how  to  use  UOWHFs  to  construct  provably  secure  digital  signature 
schemes  assuming  the  existence  of  any  one-way  permutation.  Building  on  this,  Rompel 
[1068]  showed  how  to  construct  a UOWHF  family  from  any  one-way  function,  and  based 
signature  schemes  on  such  hash  functions;  combining  this  with  the  fact  that  a one-way  func- 
tion can  be  constructed  from  any  secure  signature  scheme,  the  result  is  that  the  existence  of 
one-way  functions  is  necessary  and  sufficient  for  the  existence  of  secure  digital  signature 
schemes.  De  Santis  and  Yung  [318]  proceed  with  more  efficient  reductions  from  one-way 
functions  to  UOWHFs,  and  show  the  equivalence  of  a number  of  complexity-theoretic  def- 
initions regarding  collision  resistance.  Impagliazzo  and  Naor  [569]  give  an  efficient  con- 
struction for  a UOWHF  and  prove  security  equivalent  to  the  subset-sum  problem  (an  NP- 
hard  problem  whose  corresponding  decision  problem  is  NP-complete);  for  parameters  for 
which  a random  instance  of  subset-sum  is  hard,  they  argue  that  this  UOWHF  is  secure  (cf. 
Remark  9.12).  Impagliazzo,  Levin,  and  Luby  [568]  prove  the  existence  of  one-way  func- 
tions is  necessary  and  sufficient  for  that  of  secure  pseudorandom  generators. 

Application-specific (often unprovable) hash function properties beyond collision resist-
ance (but short of preimage resistance) may often be identified as necessary, e.g., for or-
dinary RSA signatures computed directly after hashing, the multiplicative RSA property
dictates that for the hash function $h$ used it be infeasible to find messages $x, x_1, x_2$ such
that $h(x) = h(x_1) \cdot h(x_2)$. Anderson [27] discusses such additional requirements on hash
functions. For a summary of requirements on a MAC in the special case of multi-cast au-
thentication, see Preneel [1003]. Bellare and Rogaway [93] include discussion of issues
related to the random nature of practical hash functions, and cryptographic uses thereof.
Damgård [295] showed that the security of a digital signature scheme which is not existen-
tially forgeable under an adaptive chosen-message attack will not be decreased if used in
conjunction with a collision-resistant hash function.

Bellare,  Goldreich,  and  Goldwasser  [88]  (see  also  [89])  introduce  the  idea  of  incremental 
hashing,  involving  computing  a hash  value  over  data  and  then  updating  the  hash-value  after 
changing  the  data;  the  objective  is  that  the  computation  required  for  the  update  be  propor- 
tional to  the  amount  of  change. 

Merkle's meta-method [854] (Algorithm 9.25) was based on ideas from his 1979 Ph.D. the-
sis [850]. An equivalent construction was given by Damgård [296], which Gibson [450]
remarks on again yielding Merkle's method. Naor and Yung [920] give a related construc-
tion for a UOWHF. See Preneel [1003] for fundamental results (cf. Remarks 9.35 and 9.36,
and  Fact  9.27  on  cascading  hash  functions  which  follow  similar  results  on  stream  ciphers 
by  Maurer  and  Massey  [822]).  The  padding  method  of  Algorithms  9.29  and  9.30  originated 
from  ISO/IEC  10118-4  [608].  The  basic  idea  of  the  long-message  attack  (Fact  9.37)  is  from 
Winternitz  [1250]. 

The  hash  function  of  Algorithm  9.42  and  referred  to  as  Davies-Meyer  (as  cited  per  Quis- 
quater  and  Girault  [1019])  has  been  attributed  by  Davies  to  Meyer;  apparently  known  to 
Meyer  and  Matyas  circa  1979,  it  was  published  along  with  Algorithm  9.41  by  Matyas, 
Meyer,  and  Oseas  [805].  The  Miyaguchi-Preneel  scheme  (Algorithm  9.43)  was  proposed 
circa  1989  by  Preneel  [1003],  and  independently  by  Miyaguchi,  Ohta,  and  Iwata  [886].  The 
three  single-length  rate-one  schemes  discussed  (Remark  9.44)  are  among  12  compression 
functions  employing  non-invertible  chaining  found  through  systematic  analysis  by  Preneel 
et al. [1007] to be provably secure under black-box analysis, 8 being certificationally vul-
nerable to fixed-point attack nonetheless. These 12 are linear transformations on the mes-
sage block and chaining variable (i.e., $[x', H'] = A[x, H]$ for any of the 6 invertible $2 \times 2$
binary matrices $A$) of the Matyas-Meyer-Oseas (Algorithm 9.41) and Miyaguchi-Preneel
schemes;  these  latter  two  themselves  are  among  the  4 recommended  when  the  underlying 
cipher  is  resistant  to  differential  cryptanalysis  (e.g.,  DES),  while  Davies-Meyer  is  among 
the  remaining  8 recommended  otherwise  (e.g.,  for  FEAL).  MDC-2  and  MDC-4  are  of  IBM 
origin,  proposed  by  Brachtl  et  al.  [184],  and  reported  by  Meyer  and  Schilling  [860];  details 
of MDC-2 are also reported by Matyas [803]. For a description of MDC-4, see Bosselaers
and Preneel [178].

The  DES-based  hash  function  of  Merkle  [855]  which  is  mentioned  uses  the  meta-method 
and  employs  a compression  function  / mapping  119-bit  input  to  112-bit  output  in  2 DES 
operations,  allowing  7-bit  message  blocks  to  be  processed  (with  rate  0.055).  An  optimized 
version  maps  234  bits  to  128  bits  in  6 DES  operations,  processing  106-bit  message  blocks 
(with  rate  0.276);  unfortunately,  overheads  related  to  “bit  chopping”  and  the  inconvenient 
block  size  are  substantial  in  practice.  This  construction  is  provably  as  secure  as  the  under- 
lying block  cipher  assuming  an  unflawed  cipher  (cf.  Table  9.3;  Preneel  [1003]  shows  that 
accounting for DES weak keys and complementation drops the rate slightly to 0.266). Win-
ternitz [1250] considers the security of the Davies-Meyer hash under a black-box model (cf.
Remark 9.45).

The  search  for  secure  double-length  hash  functions  of  rate  1 is  ongoing,  the  goal  being 
security  better  than  single-length  Matyas-Meyer-Oseas  and  approaching  that  of  MDC-2. 
Quisquater  and  Girault  [1019]  proposed  two  functions,  one  (QG-original)  appearing  in  the 
Abstracts  of  Eurocrypt’89  and  a second  (QG-revised)  in  the  final  proceedings  altered  to 
counter an attack of Coppersmith [276] on the first. The attack, restricted to the case of
DES as underlying block cipher, uses fixed points resulting from weak keys to find colli-
sions in $2^{36}$ DES operations. A general attack of Knudsen and Lai [688], which (unfortu-
nately) applies to a large class of double-length (i.e., $2n$-bit) rate-one block-cipher-based
hashes including QG-original, finds preimages in about $2^n$ operations plus $2^n$ storage. The
systematic  method  used  to  establish  this  result  was  earlier  used  by  Hohl  et  al.  [560]  to  prove 
that  pseudo-preimage  and  pseudo-collision  attacks  on  a large  class  of  double-length  hash 
functions  of  rate  1/2  and  1 , including  MDC-2,  are  no  more  difficult  than  on  the  single-length 
rate-one  Davies-Meyer  hash;  related  results  are  summarized  by  Lai  and  Knudsen  [727]. 
A second attack due to Coppersmith [276], not restricted to DES, employs 88 correcting
blocks to find collisions for QG-revised in $2^{40}$ steps. Another modification of QG-original,
the  LOKI  Double  Hash  Function  (LOKI-DBH)  of  Brown,  Pieprzyk,  and  Seberry  [215],  ap- 
pears as  a general  construction  to  offer  the  same  security  as  QG-revised  (provided  the  un- 
derlying block  cipher  is  not  LOKI). 

The  speeds  in  Table  9.5  are  normalized  from  the  timings  reported  by  Dobbertin,  Bosse- 
laers,  and  Preneel  [355],  relative  to  an  assembly  code  MD4  implementation  optimized  for 
the  Pentium  processor,  with  a throughput  (90  MHz  clock)  of  165.7  Mbit/s  (optimized  C 
code  was  roughly  a factor  of  2 slower).  See  Bosselaers,  Govaerts,  and  Vandewalle  [177] 
for  a detailed  MD5  implementation  discussion. 

MD4 and MD5 (Algorithms 9.49, 9.51) were designed by Rivest [1055, 1035]. An Aus-
tralian extension of MD5 known as HAVAL has also been proposed by Zheng, Pieprzyk,
and  Seberry  [1268].  The  first  published  partial  attack  on  MD4  was  by  den  Boer  and  Bosse- 
laers [324],  who  demonstrated  collisions  could  be  found  when  Round  1 (of  the  three)  was 
omitted  from  the  compression  function,  and  confirmed  unpublished  work  of  Merkle  show- 
ing that  collisions  could  be  found  (for  input  pairs  differing  in  only  3 bits)  in  under  a mil- 
lisecond on  a personal  computer  if  Round  3 was  omitted.  More  devastating  was  the  partial 
attack  by  Vaudenay  [1215]  on  the  full  MD4,  which  provided  only  near-collisions,  but  al- 
lowed sets  of  inputs  to  be  found  for  which,  of  the  corresponding  four  32-bit  output  words, 
three  are  constant  while  the  remaining  word  takes  on  all  possible  32-bit  values.  This  re- 
vealed the  word  access-order  in  MD4  to  be  an  unfortunate  choice.  Finally,  late  in  1995, 
using  techniques  related  to  those  which  earlier  allowed  a partial  attack  on  RIPEMD  (see 
below),  Dobbertin  [354]  broke  MD4  as  a CRHF  by  finding  not  only  collisions  as  stated  in 
Remark  9.50  (taking  a few  seconds  on  a personal  computer),  but  collisions  for  meaningful 
messages  (in  under  one  hour,  requiring  20  free  bytes  at  the  start  of  the  messages). 

A first partial attack on MD5 was published by den Boer and Bosselaers [325], who found
pseudo-collisions for its compression function $f$, which maps a 128-bit chaining variable
and sixteen 32-bit words down to 128 bits; using $2^{16}$ operations, they found a 16-word
message $X$ and chaining variables $S_1 \neq S_2$ (these differing only in 4 bits, the most sig-
nificant of each word), such that $f(S_1, X) = f(S_2, X)$. Because this specialized internal
pseudo-collision could not be extended to an external collision due to the fixed initial chain-
ing values (and due to the special relation between the inputs), this attack was considered by
many to have little practical significance, although exhibiting a violation of the design goal
to build a CRHF from a collision resistant compression function. But in May of 1996, us-
ing techniques related to his attack on MD4 above, Dobbertin (rump session, Eurocrypt'96)
found MD5 compression function collisions (Remark 9.52) in 10 hours on a personal com-
puter (about $2^{34}$ compress function computations).

Anticipating the feasibility of $2^{64}$ operations, Rivest [1055] proposed a method to extend
MD4  to  256  bits  by  running  two  copies  of  MD4  in  parallel  over  the  input,  with  different 
initial  chaining  values  and  constants  for  the  second,  swapping  the  values  of  the  variable  A 
with  the  first  after  processing  each  16-word  block  and,  upon  completion,  concatenating  the 
128-bit hash-values from each copy. However, in October of 1995 Dobbertin [352] found
collisions for the compression function of extended MD4 in $2^{26}$ compress function opera-
tions, and conjectured that a more sophisticated attack could find a collision for extended
MD4 itself in $O(2^{40})$ operations.

MD2,  an  earlier  and  slower  hash  function,  was  designed  in  1988  by  Rivest;  see  Kaliski 
[1033]  for  a description.  Rogier  and  Chauvaud  [1067]  demonstrated  that  collisions  can  be 
efficiently  found  for  the  compression  function  of  MD2,  and  that  the  MD2  checksum  block 
is  necessary  to  preclude  overall  MD2  collisions. 

RIPEMD  [178]  was  designed  in  1992  by  den  Boer  and  others  under  the  European  RACE 
Integrity  Primitives  Evaluation  (RIPE)  project.  A version  of  MD4  strengthened  to  counter 
known  attacks,  its  compression  function  has  two  parallel  computation  lines  of  three  16- 
step  rounds.  Nonetheless,  early  in  1995,  Dobbertin  [353]  demonstrated  that  if  the  first  or 
last (parallel) round of the 3-round RIPEMD compress function is omitted, collisions can
be found in $2^{31}$ compress function computations (one day on a 66 MHz personal com-
puter). This result coupled with concern about inherent limitations of 128-bit hash results
motivated RIPEMD-160 (Algorithm 9.55) by Dobbertin, Bosselaers, and Preneel [355];
but for corrections, see the directory /pub/COSIC/bosselae/ripemd/ at ftp site
ftp.esat.kuleuven.ac.be. Increased security is provided by five rounds (each
with  two  lines)  and  greater  independence  between  the  parallel  lines,  at  a performance 
penalty  of  a factor  of  2.  RIPEMD-128  (with  128-bit  result  and  chaining  variable)  was  si- 
multaneously proposed  as  a drop-in  upgrade  for  RIPEMD;  it  scales  RIPEMD-160  back  to 
four  rounds  (each  with  two  lines). 

SHA-1 (Algorithm 9.53) is a U.S. government standard [404]. It differs from the original
standard SHA [403], which it supersedes, only in the inclusion of the 1-bit rotation in the
block expansion from 16 to 80 words. For discussion of how this expansion in SHA is re-
lated to linear error correcting codes, see Preneel [1004].

Lai and Massey [729] proposed two hash functions of rate 1/2 with $2m$-bit hash values,
Tandem Davies-Meyer and Abreast Davies-Meyer, based on an $m$-bit block cipher with $2m$-
bit key (e.g., IDEA), and a third $m$-bit hash function using a similar block cipher. Merkle's
public-domain hash function Snefru [854] and the FEAL-based N-Hash proposed by Miya-
guchi, Ohta, and Iwata [886] are other hash functions which have attracted considerable at-
tention. Snefru, one of the earliest proposals, is based on the idea of Algorithm 9.41, (typi-
cally) using as $E$ the first 128 bits of output of a custom-designed symmetric 512-bit block
cipher with fixed key $k = 0$. Differential cryptanalysis has been used by Biham and Shamir
[137] to find collisions for Snefru with 2 passes, and is feasible for Snefru with 4 passes;
Merkle currently recommends 8 passes (impacting performance). Cryptanalysis of the 128-
bit hash N-Hash has been carried out by Biham and Shamir [136], with attacks on 3, 6, 9,
and 12 rounds being of respective complexity $2^8$, $2^{24}$, $2^{40}$, and $2^{56}$ for the more secure of
the two proposed variations.

Despite  many  proposals,  few  hash  functions  based  on  modular  arithmetic  have  withstood 
attack,  and  most  that  have  (including  those  which  are  provably  secure)  tend  to  be  relatively 
inefficient. MASH-1 (Algorithm 9.56), from Committee Draft ISO/IEC 10118-4 [608],
evolved  from  a long  line  of  related  proposals  successively  broken  and  repaired,  includ- 
ing contributions  by  Jueneman;  Davies  and  Price;  A.  Jung;  Girault  [457]  (which  includes  a 
summary);  and  members  of  ISO  SC27/WG2  circa  1994-95  (e.g.,  in  response  to  the  crypt- 
analysis of  the  1994  draft  proposal,  by  Coppersmith  and  Preneel,  in  ISO/IEC  JTC1/SC27 
N1055,  Attachment  12,  “Comments  on  MASH-1  and  MASH-2  (Feb.21  1995)”).  Most 
prominent  among  prior  proposals  was  the  sqmodn  algorithm  (due  to  Jung)  in  informative 
Annex D of CCITT Recommendation X.509 (1988 version), which despite suffering ig-
nominy at the hands of Coppersmith [275], was resurrected with modifications as the basis
for MASH-1.

Simmons  [1146]  notes  that  techniques  for  message  authentication  without  secrecy  (today 
called  MACs)  were  known  to  Simmons,  Stewart,  and  Stokes  already  in  the  early  1970s. 
In  the  open  literature,  the  idea  of  using  DES  to  provide  a MAC  was  presented  already  in 
Feb. 1977 by Campbell [230], who wrote ". . . Each group of 64 message bits is passed
through  the  algorithm  after  being  combined  with  the  output  of  the  previous  pass.  The  final 
DES  output  is  thus  a residue  which  is  a cryptographic  function  of  the  entire  message”,  and 
noted  that  to  detect  message  replay  or  deletion  each  message  could  be  made  unique  by  using 
per-message  keys  or  cryptographically  protected  sequence  numbers.  Page  121  of  this  same 
publication  describes  the  use  of  encryption  in  conjunction  with  an  appended  redundancy 
check  code  for  manipulation  detection  (cf.  Figure  9.8(b)). 

The  term  MAC  itself  evolved  in  the  period  1979-1982  during  development  of  ANSI  X9.9 
[36],  where  it  is  defined  as  “an  eight-digit  number  in  hexadecimal  format  which  is  the  result 
of  passing  a financial  message  through  the  authentication  algorithm  using  a specific  key.” 
FIPS  81  [398]  standardizes  MACs  based  on  CBC  and  CFB  modes  (CFB-based  MACs  are 
little-used,  having  some  disadvantages  over  CBC-MAC  and  apparently  no  advantages);  see 
also FIPS 113 [400]. Algorithm 9.58 is generalized by ISO/IEC 9797 [597] to a CBC-based
MAC  for  an  n-bit  block  cipher  providing  an  m-bit  MAC,  m < n,  including  an  alternative  to 
the  optional  strengthening  process  of  Algorithm  9.58:  a second  key  k'  (possibly  dependent 
on  k)  is  used  to  encrypt  the  final  output  block.  As  discussed  in  Chapter  15,  using  ISO/IEC 
9797  with  DES  to  produce  a 32-bit  MAC  and  Algorithm  9.29  for  padding  is  equivalent 
to the MAC specified in ISO 8731-1, ANSI X9.9 and required by ANSI X9.17. Regard-
ing RIPE-MAC (Example 9.63) [178], other than the $2^{-64}$ probability of guessing a 64-bit
MAC, and MAC forgery as applicable to all iterated MACs (see below), the best known at-
tacks providing key recovery are linear cryptanalysis using $2^{42}$ known plaintexts for RIPE-
MAC1, and a $2^{112}$ exhaustive search for RIPE-MAC3. Bellare, Kilian, and Rogaway [91]
formally  examine  the  security  of  CBC-based  MACs  and  provide  justification,  establishing 
(via  exact  rather  than  asymptotic  arguments)  that  pseudorandom  functions  are  preserved 
under  cipher  block  chaining;  they  also  propose  solutions  to  the  problem  of  Example  9.62 
(cf.  Remark  9.59). 

The MAA (Algorithm 9.68) was developed in response to a request by the Bankers Automated Clearing Services (U.K.), and first appeared as a U.K. National Physical Laboratory Report (NPL Report DITC 17/83 February 1983). It has been part of an ISO banking standard [577] since 1987, and is due to Davies and Clayden [306]; comments on its security (see also below) are offered by Preneel [1003], Davies [304], and Davies and Price [308], who note that its design follows the general principles of the Decimal Shift and Add (DSA) algorithm proposed by Sievi in 1980. As a consequence of the conjecture that MAA may show weaknesses in the case of very long messages, ISO 8731-2 specifies a special mode of operation for messages over 1024 bytes. For more recent results on MAA including exploration of a key recovery attack, see Preneel and van Oorschot [1010].

Methods for constructing a MAC algorithm from an MDC, including the secret prefix, suffix, and envelope methods, are discussed by Tsudik [1196]; Galvin, McCloghrie, and Davin [438] suggest addressing the message extension problem (Example 9.65) in the secret suffix method by using a prepended length field (this requires two passes over the message if the length is not known a priori). Preneel and van Oorschot [1009] compare the security of these methods; propose MD5-MAC (Algorithm 9.69) and similar constructions for customized MAC functions based on RIPEMD and SHA; and provide Fact 9.57, which applies to MAA (n = 64 = 2m) with u = 2^{32.5} and v = 2^{32.3}, while for MD5-MAC (n = 128 = 2m) both u and v are on the order of 2^{64}. Remark 9.60 notwithstanding, the use of an n-bit internal chaining variable with a MAC-value of bitlength m = n/2 is supported by these results.

The envelope method with padding (Example 9.66) is discussed by Kaliski and Robshaw (CryptoBytes vol. 1 no. 1, Spring 1995). Preneel and van Oorschot [1010] proposed a key recovery attack on this method, which although clearly impractical by requiring over 2^{64} known text-MAC pairs (for MD5 with 128-bit key), reveals an architectural flaw. Bellare, Canetti, and Krawczyk [86] rigorously examined the security of a nested MAC construction (NMAC), and the practical variation HMAC thereof (Example 9.67), proving HMAC to be secure provided the hash function used exhibits certain appropriate characteristics. Prior to this, the related construction h(k1 || h(k2 || x)) was considered in the note of Kaliski and Robshaw (see above).
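The nested construction of the preceding two paragraphs, written out as an added example (this is illustrative code, not the handbook's or any standard's reference implementation): HMAC computed directly from its definition h((k ⊕ opad) || h((k ⊕ ipad) || x)) and checked against Python's hmac module, with the secret-prefix method h(k || x) included for contrast. The key, message and hash-function choice (SHA-256) are assumptions made for the example.

```python
import hashlib
import hmac


def nested_hmac(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC from its nested definition: h((k ^ opad) || h((k ^ ipad) || x)).

    k is the key padded with zeros to the hash function's input block size;
    keys longer than the block size are first hashed, as the HMAC
    specification requires.
    """
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for MD5/SHA-1/SHA-256
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()   # h(k2 || x)
    return hashlib.new(hash_name, opad + inner).digest()      # h(k1 || inner)


def secret_prefix_mac(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """The secret prefix method h(k || x), shown for contrast only.

    With an iterated hash, this value is exactly the chaining state after
    absorbing k || x, which is what gives rise to the message extension
    problem of Example 9.65; HMAC's outer hash application hides that state.
    """
    return hashlib.new(hash_name, key + message).digest()


def matches_library(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-written construction against the standard library."""
    reference = hmac.new(key, message, "sha256").digest()
    return hmac.compare_digest(nested_hmac(key, message), reference)


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration run.
    print(nested_hmac(b"\x0b" * 20, b"Hi There").hex())
    print(matches_library(b"k" * 100, b"key longer than the block size"))
```

Keys longer than the block size are the case most hand-rolled implementations get wrong; the `ljust` padding and the pre-hash are both required for interoperability with other HMAC implementations.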

Other recent proposals for practical MACs include the bucket hashing construction of Rogaway [1065], and the XOR MAC scheme of Bellare, Guérin, and Rogaway [90]. The latter is a provably secure construction for MACs under the assumption of the availability of a finite pseudorandom function, which in practice is instantiated by a block cipher or hash function; advantages include that it is parallelizable and incremental.
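The parallelizable and incremental properties just mentioned are easiest to see in code. The following is an added example of the randomized XOR MAC (XMACR) shape, not code from the paper or the handbook: the tag is the XOR of independent PRF evaluations, one per indexed message block plus one on a fresh nonce r, so blocks can be processed in any order or in parallel, and replacing one block only needs the two PRF values for that position. The PRF is instantiated here with HMAC-SHA256 truncated to 16 bytes; the block size, padding rule, key and messages are all constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets

BLOCK = 8      # message block size in bytes (constructed parameter)
TAG_LEN = 16   # bytes of PRF output kept for the tag (constructed parameter)


def prf(key: bytes, data: bytes) -> bytes:
    """Finite PRF F_k, instantiated by HMAC-SHA256 truncated to TAG_LEN bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(msg: bytes) -> list:
    """Unambiguous padding (0x80 then zeros) to a multiple of BLOCK, then split."""
    padded = msg + b"\x80" + b"\x00" * ((-len(msg) - 1) % BLOCK)
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]


def block_prf(key: bytes, index: int, block: bytes) -> bytes:
    """F_k(1 || <index> || block): the index binds each block to its position."""
    return prf(key, b"\x01" + index.to_bytes(8, "big") + block)


def xor_mac(key: bytes, msg: bytes, r: bytes = None) -> tuple:
    """Tag = (r, F_k(0 || r) XOR XOR_i F_k(1 || i || M_i)); r must be fresh per message."""
    if r is None:
        r = secrets.token_bytes(TAG_LEN)
    acc = prf(key, b"\x00" + r)
    for i, blk in enumerate(blocks(msg)):      # order-independent: parallelizable
        acc = _xor(acc, block_prf(key, i, blk))
    return r, acc


def verify(key: bytes, msg: bytes, tag: tuple) -> bool:
    r, t = tag
    return hmac.compare_digest(xor_mac(key, msg, r)[1], t)


def update_block(key: bytes, tag: tuple, index: int, old_block: bytes, new_block: bytes) -> tuple:
    """Incremental update: swap one full block without touching the rest of the
    message. XOR out the old block's PRF value and XOR in the new one."""
    r, t = tag
    t = _xor(t, block_prf(key, index, old_block))
    t = _xor(t, block_prf(key, index, new_block))
    return r, t


if __name__ == "__main__":
    k = secrets.token_bytes(32)
    m = b"block-00block-01block-02"
    t = xor_mac(k, m)
    print(verify(k, m, t), verify(k, m + b"!", t))
```

The nonce r is what makes the randomized variant safe against reuse of the same PRF inputs across messages; the counter-based variant in the same paper replaces it with a never-repeating counter held by the signer.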

MACs intended to provide unconditional security are often called authentication codes (cf. §9.1 above), with an authentication tag (cf. MAC value) accompanying data to provide origin authentication (including data integrity). More formally, an authentication code involves finite sets S of source states (plaintext), A of authentication tags, and K of secret keys, and a set of rules such that each k ∈ K defines a mapping e_k : S → A. An (authenticated) message, consisting of a source state and a tag, can be verified only by the intended recipient (as for MACs) possessing a pre-shared key. Wegman and Carter [1234] first combined one-time pads with hash functions for message authentication; this approach was pursued by Brassard [191] trading unconditional security for short keys.

This approach was further refined by Krawczyk [714] (see also [717]), whose CRC-based scheme (Algorithm 9.72) is a minor modification of a construction by Rabin [1026]. A second LFSR-based scheme proposed by Krawczyk for producing m-bit hashes (again combined with one-time pads as per Algorithm 9.72) improves on a technique of Wegman and Carter, and involves matrix-vector multiplication by an m × b binary Toeplitz matrix A (each left-to-right diagonal is fixed: A_{i,j} = A_{k,l} for k − i = l − j), itself generated from a random binary irreducible polynomial of degree m (defining the LFSR), and m bits of initial state. Krawczyk proves that the probability of successful MAC forgery here for a b-bit message is at most b/2^{m−1}, e.g., less than 2^{−30} even for m = 64 and a 1 Gbyte message (cf. Fact 9.73). Earlier, Bierbrauer et al. [127] explored the relations between coding theory, universal hashing, and practical authentication codes with relatively short keys (see also Johansson, Kabatianskii, and Smeets [638]; and the survey of van Tilborg [1211]). These and other MAC constructions suitable for use with stream ciphers are very fast, scalable, and information-theoretically secure when the short keys they require are used as one-time pads; when used with key streams generated by pseudorandom generators, their security is dependent on the stream and (at best) computationally secure.
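The authentication-code definition (sets S, A, K and the mappings e_k) and the LFSR/Toeplitz scheme just described come together in the following added example, which is not the handbook's or Krawczyk's code: the key k = (irreducible polynomial of degree m, nonzero m-bit LFSR seed, m-bit one-time pad) defines e_k(M) = A·M ⊕ pad, where A is the m × b Toeplitz matrix whose columns are successive LFSR states. Flipping message bit j XORs column j, an LFSR state, into the hash; with an irreducible feedback polynomial and a nonzero seed the state is never zero, so any single-bit change is detected, and the pad hides the hash so one key authenticates one message. The toy parameter m = 8, the polynomial x^8 + x^4 + x^3 + x^2 + 1 and all key bits are constructed for the example; the brute-force irreducibility test is only meant for such small m.

```python
import secrets


def gf2_mod(a: int, b: int) -> int:
    """Remainder of a mod b for polynomials over GF(2); bit i is the coefficient of x^i."""
    db = b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        a ^= b << (a.bit_length() - 1 - db)
    return a


def is_irreducible(poly: int) -> bool:
    """Trial division by every polynomial of degree 1..deg/2 (adequate for small m)."""
    deg = poly.bit_length() - 1
    if deg < 1:
        return False
    for d in range(1, deg // 2 + 1):
        for q in range(1 << d, 1 << (d + 1)):
            if gf2_mod(poly, q) == 0:
                return False
    return True


def lfsr_sequence(poly: int, state: int, length: int) -> list:
    """Bits s_0, s_1, ... of the LFSR with feedback polynomial poly and seed state:
    s_{n+m} = XOR of s_{n+i} over the taps i < m with coefficient 1."""
    m = poly.bit_length() - 1
    seq = [(state >> i) & 1 for i in range(m)]
    taps = [i for i in range(m) if (poly >> i) & 1]
    while len(seq) < length:
        n = len(seq) - m
        seq.append(sum(seq[n + i] for i in taps) & 1)
    return seq


def toeplitz_matrix(poly: int, state: int, b: int) -> list:
    """m x b matrix with A[i][j] = s[(m-1-i)+j], so A[i][j] == A[k][l] whenever k-i == l-j.
    Column j is the LFSR state after j shifts."""
    m = poly.bit_length() - 1
    seq = lfsr_sequence(poly, state, b + m - 1)
    return [[seq[(m - 1 - i) + j] for j in range(b)] for i in range(m)]


def toeplitz_hash(matrix: list, bits: list) -> int:
    """Matrix-vector product over GF(2); bit i of the result is row i dotted with the message."""
    h = 0
    for i, row in enumerate(matrix):
        parity = 0
        for a, x in zip(row, bits):
            parity ^= a & x
        h |= parity << i
    return h


def to_bits(data: bytes) -> list:
    return [(byte >> k) & 1 for byte in data for k in range(8)]


def keygen(m: int) -> tuple:
    """One key = (random irreducible polynomial of degree m, nonzero seed, one-time pad)."""
    while True:
        poly = (1 << m) | secrets.randbits(m) | 1
        if is_irreducible(poly):
            break
    return poly, (secrets.randbits(m) or 1), secrets.randbits(m)


def tag(key: tuple, message: bytes) -> int:
    """e_k(M) = A * M XOR pad; the key must not be reused for a second message."""
    poly, state, pad = key
    bits = to_bits(message)
    return toeplitz_hash(toeplitz_matrix(poly, state, len(bits)), bits) ^ pad


def verify(key: tuple, message: bytes, t: int) -> bool:
    return tag(key, message) == t
```

Because the hash is linear over GF(2), an adversary who saw the hash value (rather than hash ⊕ pad) could forge freely; the one-time pad is not an optional extra but what turns the universal hash into an authentication code, which is the point the text makes about key streams from pseudorandom generators.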

Desmedt [335] investigated authenticity in stream ciphers, and proposed both unconditionally secure authentication systems and stream ciphers providing authenticity. Lai, Rueppel, and Woollven [731] define an efficient MAC for use with stream ciphers (but see Preneel [1003] regarding a modification to address tampering with ends of messages). Part of an initial secret key is used to seed a key stream generator, each bit of which selectively routes message bits to one of two feedback shift registers (FSRs), the initial states of which are part of the secret key and the final states of which comprise the MAC. The number of pseudorandom bits required equals the number of message bits. Taylor [1189] proposes an alternate MAC technique for use with stream ciphers.

Simmons [1144] notes the use of sealed authenticators by the U.S. military. An early presentation of MACs and authentication is given by Meyer and Matyas [859]; the third or later printings are recommended, and include the one-pass PCBC encryption-integrity method of Example 9.91. Example 9.89 was initially proposed by the U.S. National Bureau of Standards, and was subsequently found by Jueneman to have deficiencies; this is included in the extensive discussion by Jueneman, Matyas, and Meyer [645] of using MDCs for integrity, along with the idea of Example 9.90, which Davies and Price [308, p. 124] also consider for n = 16. Later work by Jueneman [644] considers both MDCs and MACs; see also Meyer and Schilling [860]. Davies and Price also provide an excellent discussion of transaction authentication, noting additional techniques (cf. §9.6.1) addressing message replay including use of MAC values themselves from immediately preceding messages as chaining values in place of random number chaining. Subtle flaws in various fielded data integrity techniques are discussed by Stubblebine and Gligor [1179].

The taxonomy of preimages and collisions is from Preneel [1003]. The alternate terminology of Note 9.94 is from Lai and Massey [729], who published the first systematic treatment of attacks on iterated hash functions, including relationships between fixed-start and free-start attacks, considered ideal security, and re-examined MD-strengthening. The idea of Algorithm 9.92 was published by Yuval [1262], but the implications of the birthday paradox were known to others at the time, e.g., see Merkle [850, p. 12-13]. The details of the memoryless version are from van Oorschot and Wiener [1207], who also show the process can be perfectly parallelized (i.e., attaining a factor r speedup with r processors) using parallel collision search methods; related independent work (unpublished) has been reported by Quisquater.
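The memoryless collision search mentioned above is the reason output lengths and MAC lengths are sized against 2^{n/2} rather than 2^n work. The following added example (illustrative code, not from the handbook or from van Oorschot and Wiener) runs cycle finding on a toy 24-bit hash, SHA-256 truncated to three bytes, and returns two distinct inputs with equal truncated hashes using constant memory; the truncation length and the deterministic start points are assumptions made for the example.

```python
import hashlib


def trunc_hash(x: bytes, nbytes: int = 3) -> bytes:
    """Toy n-bit hash: SHA-256 truncated to nbytes (24 bits by default)."""
    return hashlib.sha256(x).digest()[:nbytes]


def floyd_collision(start: bytes, f):
    """Memoryless collision search by cycle finding (the idea behind the
    memoryless variant of Algorithm 9.92).

    Iterating x_{i+1} = f(x_i) from `start` traces a 'rho': a tail of mu
    points leading into a cycle of length lambda. The two points that precede
    the cycle entry, one on the tail and one on the cycle, are distinct yet
    map to the same value. Returns None when the start point already lies on
    the cycle (mu == 0); the caller then retries from another start.
    """
    tortoise, hare = f(start), f(f(start))
    while tortoise != hare:                 # phase 1: the hare moves twice as fast
        tortoise, hare = f(tortoise), f(f(hare))
    tortoise = start                        # phase 2: walk in lockstep to the cycle entry
    if tortoise == hare:
        return None
    while True:
        next_t, next_h = f(tortoise), f(hare)
        if next_t == next_h:
            return tortoise, hare           # distinct preimages of the same value
        tortoise, hare = next_t, next_h


def find_collision(nbytes: int = 3, max_starts: int = 16):
    """Try successive deterministic start points until a collision is found.
    Returns (x, y, evaluations) with x != y and trunc_hash(x) == trunc_hash(y);
    evaluations is the total number of hash calls, expected to be on the
    order of sqrt(2^(8*nbytes)) rather than 2^(8*nbytes)."""
    evaluations = 0

    def f(x: bytes) -> bytes:
        nonlocal evaluations
        evaluations += 1
        return trunc_hash(x, nbytes)

    for s in range(max_starts):
        result = floyd_collision(s.to_bytes(nbytes, "big"), f)
        if result is not None:
            x, y = result
            return x, y, evaluations
    return None


if __name__ == "__main__":
    x, y, n = find_collision()
    print(x.hex(), y.hex(), trunc_hash(x).hex(), n)
```

Raising `nbytes` by one multiplies the expected number of evaluations by 16, which is the 2^{n/2} scaling the birthday bound predicts; the memory footprint stays at a handful of values regardless.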

Meet-in-the-middle chaining attacks can be extended to handle additional constraints and otherwise generalized. A “triple birthday” chaining attack, applicable when the compression function is invertible, is given by Coppersmith [267] and generalized by Girault, Cohen, Campana [460]; see also Jueneman [644]. For additional discussion of differential cryptanalysis of hash functions based on block ciphers, see Biham and Shamir [138], Preneel, Govaerts, and Vandewalle [1005], and Rijmen and Preneel [1050].

10.1 Introduction

This chapter considers techniques designed to allow one party (the verifier) to gain assurances that the identity of another (the claimant) is as declared, thereby preventing impersonation. The most common technique is by the verifier checking the correctness of a message (possibly in response to an earlier message) which demonstrates that the claimant is in possession of a secret associated by design with the genuine party. Names for such techniques include identification, entity authentication, and (less frequently) identity verification. Related topics addressed elsewhere include message authentication (data origin authentication) by symmetric techniques (Chapter 9) and digital signatures (Chapter 11), and authenticated key establishment (Chapter 12).

A major difference between entity authentication and message authentication (as provided by digital signatures or MACs) is that message authentication itself provides no timeliness guarantees with respect to when a message was created, whereas entity authentication involves corroboration of a claimant’s identity through actual communications with an associated verifier during execution of the protocol itself (i.e., in real-time, while the verifying entity awaits). Conversely, entity authentication typically involves no meaningful message other than the claim of being a particular entity, whereas message authentication does. Techniques which provide both entity authentication and key establishment are deferred to Chapter 12; in some cases, key establishment is essentially message authentication where the message is the key.

Chapter outline

The remainder of §10.1 provides introductory material. §10.2 discusses identification schemes involving fixed passwords including Personal Identification Numbers (PINs), and providing so-called weak authentication; one-time password schemes are also considered. §10.3 considers techniques providing so-called strong authentication, including challenge-response protocols based on both symmetric and public-key techniques. It includes discussion of time-variant parameters (TVPs), which may be used in entity authentication protocols and to provide uniqueness or timeliness guarantees in message authentication. §10.4 examines customized identification protocols based on or motivated by zero-knowledge techniques. §10.5 considers attacks on identification protocols. §10.6 provides references and further chapter notes.


10.1.1 Identification objectives and applications

The general setting for an identification protocol involves a prover or claimant A and a verifier B. The verifier is presented with, or presumes beforehand, the purported identity of the claimant. The goal is to corroborate that the identity of the claimant is indeed A, i.e., to provide entity authentication.

10.1 Definition Entity authentication is the process whereby one party is assured (through acquisition of corroborative evidence) of the identity of a second party involved in a protocol, and that the second has actually participated (i.e., is active at, or immediately prior to, the time the evidence is acquired).

10.2 Remark (identification terminology) The terms identification and entity authentication are used synonymously throughout this book. Distinction is made between weak, strong, and zero-knowledge based authentication. Elsewhere in the literature, sometimes identification implies only a claimed or stated identity whereas entity authentication suggests a corroborated identity.

(i) Objectives of identification protocols

From the point of view of the verifier, the outcome of an entity authentication protocol is either acceptance of the claimant’s identity as authentic (completion with acceptance), or termination without acceptance (rejection). More specifically, the objectives of an identification protocol include the following.

1. In the case of honest parties A and B, A is able to successfully authenticate itself to B, i.e., B will complete the protocol having accepted A’s identity.

2. (transferability) B cannot reuse an identification exchange with A so as to successfully impersonate A to a third party C.

3. (impersonation) The probability is negligible that any party C distinct from A, carrying out the protocol and playing the role of A, can cause B to complete and accept A’s identity. Here negligible typically means “is so small that it is not of practical significance”; the precise definition depends on the application.

4. The previous points remain true even if: a (polynomially) large number of previous authentications between A and B have been observed; the adversary C has participated in previous protocol executions with either or both A and B; and multiple instances of the protocol, possibly initiated by C, may be run simultaneously.

The idea of zero-knowledge-based protocols is that protocol executions do not even reveal any partial information which makes C’s task any easier whatsoever.

An identification (or entity authentication) protocol is a “real-time” process in the sense that it provides an assurance that the party being authenticated is operational at the time of protocol execution - that party is taking part, having carried out some action since the start of the protocol execution. Identification protocols provide assurances only at the particular instant in time of successful protocol completion. If ongoing assurances are required, additional measures may be necessary; see §10.5.

(ii) Basis of identification

Entity authentication techniques may be divided into three main categories, depending on which of the following the security is based:

1. something known. Examples include standard passwords (sometimes used to derive a symmetric key), Personal Identification Numbers (PINs), and the secret or private keys whose knowledge is demonstrated in challenge-response protocols.

2. something possessed. This is typically a physical accessory, resembling a passport in function. Examples include magnetic-striped cards, chipcards (plastic cards the size of credit cards, containing an embedded microprocessor or integrated circuit; also called smart cards or IC cards), and hand-held customized calculators (password generators) which provide time-variant passwords.

3. something inherent (to a human individual). This category includes methods which make use of human physical characteristics and involuntary actions (biometrics), such as handwritten signatures, fingerprints, voice, retinal patterns, hand geometries, and dynamic keyboarding characteristics. These techniques are typically non-cryptographic and are not discussed further here.

(iii) Applications of identification protocols

One of the primary purposes of identification is to facilitate access control to a resource, when an access privilege is linked to a particular identity (e.g., local or remote access to computer accounts; withdrawals from automated cash dispensers; communications permissions through a communications port; access to software applications; physical entry to restricted areas or border crossings). A password scheme used to allow access to a user’s computer account may be viewed as the simplest instance of an access control matrix: each resource has a list of identities associated with it (e.g., a computer account which authorized entities may access), and successful corroboration of an identity allows access to the authorized resources as listed for that entity. In many applications (e.g., cellular telephony) the motivation for identification is to allow resource usage to be tracked to identified entities, to facilitate appropriate billing. Identification is also typically an inherent requirement in authenticated key establishment protocols (see Chapter 12).


10.1.2 Properties of identification protocols

Identification protocols may have many properties. Properties of interest to users include:

1. reciprocity of identification. Either one or both parties may corroborate their identities to the other, providing, respectively, unilateral or mutual identification. Some techniques, such as fixed-password schemes, may be susceptible to an entity posing as a verifier simply in order to capture a claimant’s password.

2. computational efficiency. The number of operations required to execute a protocol.

3. communication efficiency. This includes the number of passes (message exchanges) and the bandwidth required (total number of bits transmitted).

More subtle properties include:

4. real-time involvement of a third party (if any). Examples of third parties include an on-line trusted third party to distribute common symmetric keys to communicating entities for authentication purposes; and an on-line (untrusted) directory service for distributing public-key certificates, supported by an off-line certification authority (see Chapter 13).

5. nature of trust required in a third party (if any). Examples include trusting a third party to correctly authenticate and bind an entity’s name to a public key; and trusting a third party with knowledge of an entity’s private key.

6. nature of security guarantees. Examples include provable security and zero-knowledge properties (see §10.4.1).

7. storage of secrets. This includes the location and method used (e.g., software only, local disks, hardware tokens, etc.) to store critical keying material.

Relation between identification and signature schemes

Identification schemes are closely related to, but simpler than, digital signature schemes, which involve a variable message and typically provide a non-repudiation feature allowing disputes to be resolved by judges after the fact. For identification schemes, the semantics of the message are essentially fixed - a claimed identity at the current instant in time. The claim is either corroborated or rejected immediately, with associated privileges or access either granted or denied in real time. Identifications do not have “lifetimes” as signatures do¹ - disputes need not typically be resolved afterwards regarding a prior identification, and attacks which may become feasible in the future do not affect the validity of a prior identification. In some cases, identification schemes may also be converted to signature schemes using a standard technique (see Note 10.30).


10.2 Passwords (weak authentication)

Conventional password schemes involve time-invariant passwords, which provide so-called weak authentication. The basic idea is as follows. A password, associated with each user (entity), is typically a string of 6 to 10 or more characters the user is capable of committing to memory. This serves as a shared secret between the user and system. (Conventional password schemes thus fall under the category of symmetric-key techniques providing unilateral authentication.) To gain access to a system resource (e.g., computer account, printer, or software application), the user enters a (userid, password) pair, and explicitly or implicitly specifies a resource; here userid is a claim of identity, and password is the evidence supporting the claim. The system checks that the password matches corresponding data it holds for that userid, and that the stated identity is authorized to access the resource. Demonstration of knowledge of this secret (by revealing the password itself) is accepted by the system as corroboration of the entity’s identity.

Various password schemes are distinguished by the means by which information allowing password verification is stored within the system, and the method of verification. The collection of ideas presented in the following sections motivate the design decisions made in typical password schemes. A subsequent section summarizes the standard attacks these designs counteract. Threats which must be guarded against include: password disclosure (outside of the system) and line eavesdropping (within the system), both of which allow subsequent replay; and password guessing, including dictionary attacks.

¹ Some identification techniques involve, as a by-product, the granting of tickets which provide time-limited access to specified resources (see Chapter 13).


10.2.1 Fixed password schemes: techniques

(i) Stored password files

The most obvious approach is for the system to store user passwords cleartext in a system password file, which is both read- and write-protected (e.g., via operating system access control privileges). Upon password entry by a user, the system compares the entered password to the password file entry for the corresponding userid; employing no secret keys or cryptographic primitives such as encryption, this is classified as a non-cryptographic technique. A drawback of this method is that it provides no protection against privileged insiders or superusers (special userids which have full access privileges to system files and resources). Storage of the password file on backup media is also a security concern, since the file contains cleartext passwords.

(ii) “Encrypted” password files

Rather than storing a cleartext user password in a (read- and write-protected) password file, a one-way function of each user password is stored in place of the password itself (see Figure 10.1). To verify a user-entered password, the system computes the one-way function of the entered password, and compares this to the stored entry for the stated userid. To preclude attacks suggested in the preceding paragraph, the password file need now only be write-protected.

10.3 Remark (one-way function vs. encryption) For the purpose of protecting password files, the use of a one-way function is generally preferable to reversible encryption; reasons include those related to export restrictions, and the need for keying material. However, in both cases, for historical reasons, the resulting values are typically referred to as “encrypted” passwords. Protecting passwords by either method before transmission over public communications lines addresses the threat of compromise of the password itself, but alone does not preclude disclosure or replay of the transmission (cf. Protocol 10.6).

(iii) Password rules

Since dictionary attacks (see §10.2.2(iii)) are successful against predictable passwords, some systems impose “password rules” to discourage or prevent users from using “weak” passwords. Typical password rules include a lower bound on the password length (e.g., 8 or 12 characters); a requirement for each password to contain at least one character from each of a set of categories (e.g., uppercase, numeric, non-alphanumeric); or checks that candidate passwords are not found in on-line or available dictionaries, and are not composed of account-related information such as userids or substrings thereof.

Knowing which rules are in effect, an adversary may use a modified dictionary attack strategy taking into account the rules, and targeting the weakest form of passwords which nonetheless satisfy the rules. The objective of password rules is to increase the entropy (rather than just the length) of user passwords beyond the reach of dictionary and exhaustive search attacks. Entropy here refers to the uncertainty in a password (cf. §2.2.1); if all passwords are equally probable, then the entropy is maximal and equals the base-2 logarithm of the number of possible passwords.
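To put numbers on the last two paragraphs, the following added example (not from the handbook) implements the typical rule set and computes the maximal entropy, log2 of the number of possible passwords, for the rule-satisfying space. The count of strings that contain at least one character from every category is obtained by inclusion-exclusion over the omitted categories. Note the result: category rules shrink the space slightly relative to the unconstrained alphabet, so they raise entropy only by steering users away from predictable choices, not by enlarging the space. Category sizes, the minimum length of 8 and the sample dictionary are constructed assumptions.

```python
from itertools import combinations
from math import log2

# Constructed category sizes for a printable-ASCII alphabet: 26 + 26 + 10 + 32 = 94.
CATEGORIES = {"lower": 26, "upper": 26, "digit": 10, "other": 32}


def count_passwords(length: int, category_sizes, require_all: bool = True) -> int:
    """Number of strings of the given length over the union of the (disjoint) categories.

    With require_all, only strings containing at least one character from every
    category are counted, by inclusion-exclusion: for each subset of categories
    that is omitted, add or subtract the number of strings over the remaining
    alphabet according to the parity of the subset size."""
    total = sum(category_sizes)
    if not require_all:
        return total ** length
    k = len(category_sizes)
    count = 0
    for omitted in range(k + 1):
        for subset in combinations(range(k), omitted):
            alphabet = total - sum(category_sizes[i] for i in subset)
            count += (-1) ** omitted * alphabet ** length
    return count


def max_entropy_bits(count: int) -> float:
    """Entropy when all `count` passwords are equally probable (cf. §2.2.1)."""
    return log2(count) if count > 0 else 0.0


def violations(password: str, userid: str, dictionary, min_length: int = 8) -> list:
    """Apply the typical rules listed above; returns the names of the rules violated."""
    failed = []
    if len(password) < min_length:
        failed.append("length")
    present = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "other": any(not c.isalnum() for c in password),
    }
    failed.extend(name for name, ok in present.items() if not ok)
    if password.lower() in dictionary:
        failed.append("dictionary")
    if userid and userid.lower() in password.lower():
        failed.append("userid")
    return failed


if __name__ == "__main__":
    sizes = list(CATEGORIES.values())
    for length in (8, 12):
        free = count_passwords(length, sizes, require_all=False)
        ruled = count_passwords(length, sizes)
        print(length, round(max_entropy_bits(free), 1), round(max_entropy_bits(ruled), 1))
```

The figures printed are upper bounds: real users choose far from uniformly, which is exactly why the text says rules aim at entropy rather than length.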


Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

Ch. 10 Identification and Entity Authentication (p. 390)

[Figure 10.1, diagram: claimant A sends (A, password_A) to the verifier (system) B; B looks up the password table entry h(password_A) stored under A, computes h(password) on the received password, and compares the two values: yes → ACCEPT, no → REJECT.]

Figure 10.1: Use of one-way function for password-checking.


Another procedural technique intended to improve password security is password aging. A time period is defined limiting the lifetime of each particular password (e.g., 30 or 90 days). This requires that passwords be changed periodically.

(iv) Slowing down the password mapping

To slow down attacks which involve testing a large number of trial passwords (see §10.2.2), the password verification function (e.g., one-way function) may be made more computationally intensive, for example, by iterating a simpler function t > 1 times, with the output of iteration i used as the input for iteration i + 1. The total number of iterations must be restricted so as not to impose a noticeable or unreasonable delay for legitimate users. Also, the iterated function should be such that the iterated mapping does not result in a final range space whose entropy is significantly decimated.

(v) Salting passwords

To make dictionary attacks less effective, each password, upon initial entry, may be augmented with a t-bit random string called a salt (it alters the “flavor” of the password; cf. §10.2.3) before applying the one-way function. Both the hashed password and the salt are recorded in the password file. When the user subsequently enters a password, the system looks up the salt, and applies the one-way function to the entered password, as altered or augmented by the salt. The difficulty of exhaustive search on any particular user’s password is unchanged by salting (since the salt is given in cleartext in the password file); however, salting increases the complexity of a dictionary attack against a large set of passwords simultaneously, by requiring the dictionary to contain 2^t variations of each trial password, implying a larger memory requirement for storing an encrypted dictionary, and correspondingly more time for its preparation. Note that with salting, two users who choose the same password have different entries in the system password file. In some systems, it may be appropriate to use an entity’s userid itself as salt.
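Sections (ii), (iv) and (v) together describe one verifier, shown here as an added example that is not the handbook's code: the table stores (salt, h^t(salt, password)) per userid, verification follows Figure 10.1 with the stored salt, and the one-way function is SHA-256 iterated t times with the salt and password mixed back in on every round so each round depends on the full input rather than only on the shrinking image of the previous round. The iteration count, the 128-bit salt length and the sample users are constructed assumptions; a production system would use a purpose-built password hash, but the structure is the same.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 10_000   # t of §10.2.1(iv); constructed value, tuned so legitimate logins stay fast
SALT_BYTES = 16       # the t-bit salt of §10.2.1(v), here 128 bits


def one_way(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Iterated one-way function: the output of round i is part of the input of
    round i+1, and the salt and password are re-injected every round."""
    digest = hashlib.sha256(salt + password).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest + salt + password).digest()
    return digest


def register(table: dict, userid: str, password: bytes, iterations: int = ITERATIONS) -> None:
    """Store (salt, h(salted password)); the cleartext password is never written,
    and two users with the same password get different entries."""
    salt = secrets.token_bytes(SALT_BYTES)
    table[userid] = (salt, one_way(password, salt, iterations))


_DUMMY_ENTRY = (bytes(SALT_BYTES), bytes(32))   # used for unknown userids


def verify(table: dict, userid: str, password: bytes, iterations: int = ITERATIONS) -> bool:
    """Figure 10.1: recompute the one-way function on the entered password with the
    stored salt and compare it to the table entry in constant time. Unknown
    userids still pay the full cost, so response time does not reveal which
    userids exist."""
    salt, stored = table.get(userid, _DUMMY_ENTRY)
    computed = one_way(password, salt, iterations)
    return userid in table and hmac.compare_digest(computed, stored)


if __name__ == "__main__":
    users = {}
    register(users, "alice", b"correct horse battery staple")
    print(verify(users, "alice", b"correct horse battery staple"))
    print(verify(users, "alice", b"wrong"), verify(users, "nobody", b"x"))
```

Only the table needs write-protection: an attacker who reads it still faces the per-user salt and the t-fold slowdown on every guess, which is the whole point of (ii), (iv) and (v) combined.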

(vi) Passphrases

To allow greater entropy without stepping beyond the memory capacity of human users, passwords may be extended to passphrases; in this case, the user types in a phrase or sentence rather than a short “word”. The passphrase is hashed down to a fixed-size value, which plays the same role as a password; here, it is important that the passphrase is not simply truncated by the system, as passwords are in some systems. The idea is that users can remember phrases easier than random character sequences. If passwords resemble English text, then since each character contains only about 1.5 bits of entropy (Fact 7.67), a passphrase provides greater security through increased entropy than a short password. One drawback is the additional typing requirement.


10.2.2 Fixed password schemes: attacks

(i) Replay of fixed passwords

A weakness of schemes using fixed, reusable passwords (i.e., the basic scheme of §10.2), is the possibility that an adversary learns a user’s password by observing it as it is typed in (or from where it may be written down). A second security concern is that user-entered passwords (or one-way hashes thereof) are transmitted in cleartext over the communications line between the user and the system, and are also available in cleartext temporarily during system verification. An eavesdropping adversary may record this data, allowing subsequent impersonation.

Fixed password schemes are thus of use when the password is transmitted over trusted communications lines safe from monitoring, but are not suitable in the case that passwords are transmitted over open communications networks. For example, in Figure 10.1, the claimant A may be a user logging in from home over a telephone modem, to a remote office site B two (or two thousand) miles away; the cleartext password might then travel over an unsecured telephone network (including possibly a wireless link), subject to eavesdropping.

In the case that remote identity verification is used for access to a local resource, e.g., an automated cash dispenser with on-line identity verification, the system response (accept/reject) must be protected in addition to the submitted password, and must include variability to prevent trivial replay of a time-invariant accept response.

(ii)  Exhaustive  password  search 

A very  naive  attack  involves  an  adversary  simply  (randomly  or  systematically)  trying  pass- 
words, one  at  a time,  on  the  actual  verifier,  in  hope  that  the  correct  password  is  found.  This 
may be countered by ensuring passwords are chosen from a sufficiently large space, limit-
ing the number of invalid (on-line) attempts allowed within fixed time periods, and slowing
down the password mapping or login-process itself as in §10.2.1(iv). Off-line attacks, in-
volving a (typically large) computation which does not require interacting with the actual
verifier until a final stage, are of greater concern; these are now considered.

Given  a password  file  containing  one-way  hashes  of  user  passwords,  an  adversary  may 
attempt  to  defeat  the  system  by  testing  passwords  one  at  a time,  and  comparing  the  one-way 
hash  of  each  to  passwords  in  the  encrypted  password  file  (see  §10.2.1(ii)).  This  is  theoreti- 
cally possible  since  both  the  one-way  mapping  and  the  (guessed)  plaintext  are  known.  (This 
could  be  precluded  by  keeping  any  or  all  of  the  details  of  the  one-way  mapping  or  the  pass- 
word file  itself  secret,  but  it  is  not  considered  prudent  to  base  the  security  of  the  system  on 
the  assumption  that  such  details  remain  secret  forever.)  The  feasibility  of  the  attack  depends 
on  the  number  of  passwords  that  need  be  checked  before  a match  is  expected  (which  itself 
depends on the number of possible passwords), and the time required to test each (see Ex-
ample 10.4, Table 10.1, and Table 10.2). The latter depends on the password mapping used,
its  implementation,  the  instruction  execution  time  of  the  host  processor,  and  the  number  of 
processors  available  (note  exhaustive  search  is  parallelizable).  The  time  required  to  actu- 
ally compare  the  image  of  each  trial  password  to  all  passwords  in  a password  file  is  typically 
negligible. 
10.4 Example (password entropy) Suppose passwords consist of strings of 7-bit ASCII char-
acters. Each has a numeric value in the range 0-127. (When 8-bit characters are used, val-
ues 128-255 compose the extended character set, generally inaccessible from standard key-
boards.) ASCII codes 0-31 are reserved for control characters; 32 is a space character; 33-
126 are keyboard-accessible printable characters; and 127 is a special character. Table 10.1
gives the number of distinct n-character passwords composed of typical combinations of
characters, indicating an upper bound on the security of such password spaces. □


  n \ c   26 (lowercase)   36 (lowercase      62 (mixed case     95 (keyboard
                           alphanumeric)      alphanumeric)      characters)
  -----   --------------   ---------------    ---------------    -------------
    5          23.5             25.9               29.8               32.9
    6          28.2             31.0               35.7               39.4
    7          32.9             36.2               41.7               46.0
    8          37.6             41.4               47.6               52.6
    9          42.3             46.5               53.6               59.1
   10          47.0             51.7               59.5               65.7

Table 10.1: Bitsize of password space for various character combinations. The number of n-
character passwords, given c choices per character, is c^n. The table gives the base-2 logarithm
of this number of possible passwords.


  n \ c   26 (lowercase)   36 (lowercase      62 (mixed case     95 (keyboard
                           alphanumeric)      alphanumeric)      characters)
  -----   --------------   ---------------    ---------------    -------------
    5         0.67 hr          3.4 hr             51 hr              430 hr
    6           17 hr          120 hr            130 dy              4.7 yr
    7           19 dy          180 dy             22 yr              440 yr
    8          1.3 yr           18 yr           1400 yr            42000 yr
    9           34 yr          640 yr          86000 yr        4.0 x 10^6 yr
   10          890 yr        23000 yr     5.3 x 10^6 yr        3.8 x 10^8 yr

Table 10.2: Time required to search entire password space. The table gives the time T (in hours,
days, or years) required to search or pre-compute over the entire specified spaces using a single
processor (cf. Table 10.1). T = c^n · t · y, where t is the number of times the password mapping
is iterated, and y the time per iteration, for t = 25, y = 1/(125 000) sec. (This approximates
the UNIX crypt command on a high-end PC performing DES at 1.0 Mbytes/s - see §10.2.3.)


(iii)  Password-guessing  and  dictionary  attacks 

To  improve  upon  the  expected  probability  of  success  of  an  exhaustive  search,  rather  than 
searching  through  the  space  of  all  possible  passwords,  an  adversary  may  search  the  space  in 
order  of  decreasing  (expected)  probability.  While  ideally  arbitrary  strings  of  n characters 
would  be  equiprobable  as  user-selected  passwords,  most  (unrestricted)  users  select  pass- 
words from  a small  subset  of  the  full  password  space  (e.g.,  short  passwords;  dictionary 
words;  proper  names;  lowercase  strings).  Such  weak  passwords  with  low  entropy  are  easily 
guessed;  indeed,  studies  indicate  that  a large  fraction  of  user-selected  passwords  are  found 
in  typical  (intermediate)  dictionaries  of  only  150  000  words,  while  even  a large  dictionary 
of  250  000  words  represents  only  a tiny  fraction  of  all  possible  n-character  passwords  (see 
Table  10.1). 

Passwords found in any on-line or available list of words may be uncovered by an ad-
versary who tries all words in this list, using a so-called dictionary attack. Aside from tradi-
tional dictionaries as noted above, on-line dictionaries of words from foreign languages, or
on specialized topics such as music, film, etc. are available. For efficiency in repeated use
by an adversary, an “encrypted” (hashed) list of dictionary or high-probability passwords
may be created and stored on disk or tape; password images from system password files
may then be collected, ordered (using a sorting algorithm or conventional hashing), and
then compared to entries in the encrypted dictionary. Dictionary-style attacks are not gen-
erally successful at finding a particular user’s password, but find many passwords in most
systems.
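The following is an added example, not code from the Handbook, that puts the "encrypted dictionary" attack just described next to the effect of salting from §10.2.1(v): against an unsalted file the word list is hashed once and every user's image is looked up in it, whereas with a t-bit salt the attacker must hash the list once per salt value actually present (or store 2^t copies to precompute). An iterated SHA-256 stands in for the salted DES of UNIX crypt, and the userids, passwords and dictionary words are constructed for the demonstration; the `search_time_hours` helper reproduces the formula of Table 10.2 so its entries can be checked.

```python
"""Added example: precomputed dictionary attack on a password file, with and
without a per-user salt.  SHA-256 iterated 25 times stands in for the salted
DES of UNIX crypt; all accounts and dictionary words are constructed."""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

ITERATIONS = 25        # t: number of times the one-way mapping is iterated
SALT_BITS = 12         # a 12-bit salt gives 2^12 = 4096 variations per trial password

_hash_calls = 0        # counts evaluations of the one-way mapping (the attacker's work)


def one_way(password: str, salt: Optional[int]) -> bytes:
    """Iterated one-way image of (salt, password); salt=None models an unsalted scheme."""
    global _hash_calls
    _hash_calls += 1
    h = (b"" if salt is None else salt.to_bytes(2, "big")) + password.encode()
    for _ in range(ITERATIONS):
        h = hashlib.sha256(h).digest()
    return h


def make_password_file(users: Dict[str, str], salted: bool) -> Dict[str, Tuple[Optional[int], bytes]]:
    """System side: record (salt, image) for each userid, as /etc/passwd does."""
    entries = {}
    for userid, pw in users.items():
        salt = int.from_bytes(os.urandom(2), "big") % (1 << SALT_BITS) if salted else None
        entries[userid] = (salt, one_way(pw, salt))
    return entries


def dictionary_attack(pw_file: Dict[str, Tuple[Optional[int], bytes]],
                      words: List[str]) -> Tuple[Dict[str, str], int]:
    """Attacker side: hash the word list once per distinct salt seen in the file
    (once in total when unsalted), then look every stored image up in it.
    Returns (recovered passwords by userid, number of one-way evaluations used)."""
    global _hash_calls
    _hash_calls = 0
    salts = {salt for salt, _ in pw_file.values()}      # {None} for an unsalted file
    encrypted_dicts = {s: {one_way(w, s): w for w in words} for s in salts}
    found = {}
    for userid, (salt, image) in pw_file.items():
        word = encrypted_dicts[salt].get(image)
        if word is not None:
            found[userid] = word
    return found, _hash_calls


def precomputed_dictionary_size(num_words: int, salt_bits: int = SALT_BITS) -> int:
    """Entries needed to precompute the list for every possible salt: words * 2^salt_bits."""
    return num_words * (1 << salt_bits)


def search_time_hours(c: int, n: int, t: int = ITERATIONS, y: float = 1 / 125_000) -> float:
    """T = c^n * t * y, in hours: the single-processor figure tabulated in Table 10.2."""
    return (c ** n) * t * y / 3600


# Constructed sample accounts and a (tiny) dictionary for the demonstration.
USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "Xq7#vL9!p", "dave": "dragon"}
WORDS = ["password", "123456", "sunshine", "dragon", "letmein", "qwerty"]

if __name__ == "__main__":
    unsalted = make_password_file(USERS, salted=False)
    salted = make_password_file(USERS, salted=True)
    print("unsalted: alice and bob share an image:", unsalted["alice"][1] == unsalted["bob"][1])
    for label, f in (("unsalted", unsalted), ("salted", salted)):
        found, work = dictionary_attack(f, WORDS)
        print(f"{label}: recovered {sorted(found)} with {work} one-way evaluations")
    print("entries to precompute the salted dictionary:", precomputed_dictionary_size(len(WORDS)))
    print(f"exhaustive search of 26^5: {search_time_hours(26, 5):.2f} hr (Table 10.2: 0.67 hr)")
```

Note that carol's password is never recovered by either attack because it is not in the list, which is the point of the text: a dictionary attack finds many passwords in a file, not a particular one. The salted attack recovers exactly the same users; the salt only multiplies the attacker's work by the number of distinct salts, up to 2^t, and gives alice and bob different images.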


10.2.3  Case  study  - UNIX  passwords 

The UNIX² operating system provides a widely known, historically important example of a
fixed password system, implementing many of the ideas of §10.2.1. A UNIX password file
contains a one-way function of user passwords computed as follows: each user password
serves as the key to encrypt a known plaintext (64 zero-bits). This yields a one-way function
of the key, since only the user (aside from the system, temporarily during password veri-
fication) knows the password. For the encryption algorithm, a minor modification of DES
(§7.4) is used, as described below; variations may appear in products outside of the USA.
The technique described relies on the conjectured property that DES is resistant to known-
plaintext attacks - given cleartext and the corresponding ciphertext, it remains difficult to
find the key.

The specific technique makes repeated use of DES, iterating the encipherment t = 25
times (see Figure 10.2). In detail, a user password is truncated to its first 8 ASCII char-
acters. Each of these provides 7 bits for a 56-bit DES key (padded with 0-bits if less than
8 characters). The key is used to DES-encrypt the 64-bit constant 0, with the output fed
back as input t times iteratively. The 64-bit result is repacked into 11 printable characters
(a 64-bit output and 12 salt bits yields 76 bits; 11 ASCII characters allow 77). In addition,
a non-standard method of password salting is used, intended to simultaneously complicate
dictionary attacks and preclude use of off-the-shelf DES hardware for attacks:

1. password salting. UNIX password salting associates a 12-bit “random” salt (12 bits
taken from the system clock at time of password creation) with each user-selected
password. The 12 bits are used to alter the standard expansion function E of the DES
mapping (see §7.4), providing one of 4096 variations. (The expansion E creates a
48-bit block; immediately thereafter, the salt bits collectively determine one of 4096
permutations. Each bit is associated with a pre-determined pair from the 48-bit block,
e.g., bit 1 with block bits 1 and 25, bit 2 with block bits 2 and 26, etc. If the salt bit is 1,
the block bits are swapped, and otherwise they are not.) Both the hashed password
and salt are recorded in the system password file. Security of any particular user’s
password is unchanged by salting, but a dictionary attack now requires 2^12 = 4096
variations of each trial password.

2.  preventing  use  of  off-the-shelf  DES  chips.  Because  the  DES  expansion  permutation 
E is  dependent  on  the  salt,  standard  DES  chips  can  no  longer  be  used  to  implement 
the  UNIX  password  algorithm.  An  adversary  wishing  to  use  hardware  to  speed  up  an 
attack  must  build  customized  hardware  rather  than  use  commercially  available  chips. 
This  may  deter  adversaries  with  modest  resources. 

The value stored for a given userid in the write-protected password file /etc/passwd
is thus the iterated encryption of 0 under that user’s password, using the salted modification
of DES. The constant 0 here could be replaced by other values, but typically is not. The
overall algorithm is called the UNIX crypt password algorithm.

² UNIX is a trademark of Bell Laboratories.

[Figure 10.2 not reproduced: user password → DES* iterated t = 25 times, with a 12-bit
salt → “encrypted” password, stored in /etc/passwd]

Figure 10.2: UNIX crypt password mapping. DES* indicates DES with the expansion mapping E
modified by a 12-bit salt.


10.5 Remark (performance advances) While the UNIX crypt mapping with t = 25 iterations
provided a reasonable measure of protection against exhaustive search when introduced in
the 1970s, for equivalent security in a system designed today a more computationally in-
tensive mapping would be provided, due to performance advances in both hardware and
software.


10.2.4  PINs  and  passkeys 

(i)  PINs 

Personal  identification  numbers  (PINs)  fall  under  the  category  of  fixed  (time-invariant) 
passwords.  They  are  most  often  used  in  conjunction  with  “something  possessed”,  typically 
a physical  token  such  as  a plastic  banking  card  with  a magnetic  stripe,  or  a chipcard.  To 
prove  one’s  identity  as  the  authorized  user  of  the  token,  and  gain  access  to  the  privileges 
associated  therewith,  entry  of  the  correct  PIN  is  required  when  the  token  is  used.  This  pro- 
vides a second  level  of  security  if  the  token  is  lost  or  stolen.  PINs  may  also  serve  as  the 
second  level  of  security  for  entry  to  buildings  which  have  an  independent  first  level  of  se- 
curity (e.g.,  a security  guard  or  video  camera). 

For  user  convenience  and  historical  reasons,  PINs  are  typically  short  (relative  to  fixed 
password  schemes)  and  numeric,  e.g.,  4 to  8 digits.  To  prevent  exhaustive  search  through 
such  a small  key  space  (e.g.,  10  000  values  for  a 4-digit  numeric  PIN),  additional  procedural 
constraints are necessary. For example, some automated cash dispenser machines accessed
by banking cards confiscate a card if three incorrect PINs are entered successively; for oth-
ers, incorrect entry of a number of successive PINs may cause the card to be “locked” or
deactivated, thereafter requiring a longer PIN (e.g., 8 digits) for reactivation following such
suspicious circumstances.

©1997 by CRC Press, Inc. — See accompanying notice at front of chapter.

In  an  on-line  system  using  PINs  or  reusable  passwords,  a claimed  identity  accompanied 
by  a user-entered  PIN  may  be  verified  by  comparison  to  the  PIN  stored  for  that  identity  in 
a system  database.  An  alternative  is  to  use  the  PIN  as  a key  for  a MAC  (see  Chapter  9). 

In  an  off-line  system  without  access  to  a central  database,  information  facilitating  PIN 
verification  must  be  stored  on  the  token  itself.  If  the  PIN  need  not  be  user-selected,  this  may 
be  done  by  defining  the  PIN  to  be  a function  of  a secret  key  and  the  identity  associated  with 
the  token;  the  PIN  is  then  verifiable  by  any  remote  system  knowing  this  master  key. 

In an off-line system, it may also be desirable to allow the PIN to be user-selectable, to
facilitate PIN memorization by users. In this case, the PIN may be encrypted under a master
key and stored on the token, with the master key known to all off-line terminals that need
to be capable of verifying the token. A preferable design is to store a one-way function of
the PIN, user identity, and master key on the token.

(ii)  Two-stage  authentication  and  password-derived  keys 

Human  users  have  difficulty  remembering  secret  keys  which  have  sufficient  entropy  to  pro- 
vide adequate  security.  Two  techniques  which  address  this  issue  are  now  described. 

When  tokens  are  used  with  off-line  PIN  verification,  a common  technique  is  for  the 
PIN  to  serve  to  verify  the  user  to  the  token,  while  the  token  contains  additional  independent 
information  allowing  the  token  to  authenticate  itself  to  the  system  (as  a valid  token  repre- 
senting a legitimate  user).  The  user  is  thereby  indirectly  authenticated  to  the  system  by  a 
two-stage  process.  This  requires  the  user  have  possession  of  the  token  but  need  remember 
only  a short  PIN,  while  a longer  key  (containing  adequate  entropy)  provides  cryptographic 
security  for  authentication  over  an  unsecured  link. 

A second  technique  is  for  a user  password  to  be  mapped  by  a one-way  hash  function 
into  a cryptographic  key  (e.g.,  a 56-bit  DES  key).  Such  password-derived  keys  are  called 
passkeys.  The  passkey  is  then  used  to  secure  a communications  link  between  the  user  and 
a system  which  also  knows  the  user  password.  It  should  be  ensured  that  the  entropy  of  the 
user’s  password  is  sufficiently  large  that  exhaustive  search  of  the  password  space  is  not  more 
efficient  than  exhaustive  search  of  the  passkey  space  (i.e.,  guessing  passwords  is  not  easier 
than  guessing  56-bit  DES  keys);  see  Table  10.1  for  guidance. 

An  alternative  to  having  passkeys  remain  fixed  until  the  password  is  changed  is  to  keep 
a running  sequence  number  on  the  system  side  along  with  each  user’s  password,  for  use  as 
a time-variant  salt  communicated  to  the  user  in  the  clear  and  incremented  after  each  use.  A 
fixed  per-user  salt  could  also  be  used  in  addition  to  a running  sequence  number. 

Passkeys  should  be  viewed  as  long-term  keys,  with  use  restricted  to  authentication  and 
key  management  (e.g.,  rather  than  also  for  bulk  encryption  of  user  data).  A disadvantage  of 
using  password-derived  keys  is  that  storing  each  user’s  password  within  the  system  requires 
some  mechanism  to  protect  the  confidentiality  of  the  stored  passwords. 


10.2.5  One-time  passwords  (towards  strong  authentication) 

A natural  progression  from  fixed  password  schemes  to  challenge-response  identification 
protocols  may  be  observed  by  considering  one-time  password  schemes.  As  was  noted  in 
§10.2.2,  a major  security  concern  of  fixed  password  schemes  is  eavesdropping  and  subse- 
quent replay  of  the  password.  A partial  solution  is  one-time  passwords : each  password  is 
used only once. Such schemes are safe from passive adversaries who eavesdrop and later
attempt impersonation. Variations include:

1. shared lists of one-time passwords. The user and the system use a sequence or set of t
secret passwords (each valid for a single authentication), distributed as a pre-shared
list. A drawback is maintenance of the shared list. If the list is not used sequen-
tially, the system may check the entered password against all remaining unused pass-
words. A variation involves use of a challenge-response table, whereby the user and
the system share a table of matching challenge-response pairs, ideally with each pair
valid at most once; this non-cryptographic technique differs from the cryptographic
challenge-response of §10.3.

2.  sequentially  updated  one-time  passwords.  Initially  only  a single  secret  password  is 
shared.  During  authentication  using  password  i,  the  user  creates  and  transmits  to  the 
system  a new  password  (password  i + 1)  encrypted  under  a key  derived  from  pass- 
word i.  This  method  becomes  difficult  if  communication  failures  occur. 

3.  one-time  password  sequences  based  on  a one-way  function.  Lamport’s  one-time 
password  scheme  is  described  below.  This  method  is  more  efficient  (with  respect  to 
bandwidth)  than  sequentially  updated  one-time  passwords,  and  may  be  viewed  as  a 
challenge-response  protocol  where  the  challenge  is  implicitly  defined  by  the  current 
position  within  the  password  sequence. 

One-time  passwords  based  on  one-way  functions  (Lamport’s  scheme) 

In Lamport’s one-time password scheme, the user begins with a secret w. A one-way func-
tion (OWF) H is used to define the password sequence: w, H(w), H(H(w)), . . . , H^t(w).

The password for the ith identification session, 1 ≤ i ≤ t, is defined to be w_i = H^{t-i}(w).


10.6  Protocol  Lamport’s  OWF-based  one-time  passwords 

SUMMARY:  A identifies  itself  to  B using  one-time  passwords  from  a sequence. 

1.  One-time  setup. 

(a)  User  A begins  with  a secret  w.  Let  H be  a one-way  function. 

(b)  A constant  t is  fixed  (e.g.,  t = 100  or  1000),  defining  the  number  of  identifica- 
tions to  be  allowed.  (The  system  is  thereafter  restarted  with  a new  w,  to  avoid 
replay  attacks.) 

(c) A transfers (the initial shared secret) w_0 = H^t(w), in a manner guaranteeing
its authenticity, to the system B. B initializes its counter for A to i_A = 1.

2.  Protocol  messages.  The  ith  identification,  1 < i < t,  proceeds  as  follows: 

A → B : A, i, w_i (= H^{t-i}(w))   (1)

Here A → B : X denotes A sending the message X to B.

3.  Protocol  actions.  To  identify  itself  for  session  i,  A does  the  following. 

(a) A’s equipment computes w_i = H^{t-i}(w) (easily done either from w itself, or
from an appropriate intermediate value saved during the computation of H^t(w)
initially), and transmits (1) to B.

(b) B checks that i = i_A, and that the received password w_i satisfies H(w_i) =
w_{i-1}. If both checks succeed, B accepts the password, sets i_A ← i_A + 1, and
saves w_i for the next session verification.
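The following is an added example, not code from the Handbook, implementing Protocol 10.6 with both parties: the claimant keeps the chain H^k(w) computed at setup (the "saved intermediate values" of step 3(a)) and the verifier keeps (i_A, w_{i-1}) per claimant. SHA-256 is an assumed choice for H, which the page does not fix; t = 5 and the secret w are constructed for the run. The demonstration also covers the situation of Note 10.7: an as-yet unused w_i that an active adversary traps before B sees it is accepted from whoever presents it first, so the owner's own later attempt fails.

```python
"""Added example: Lamport's OWF-based one-time passwords (Protocol 10.6),
claimant and verifier sides.  SHA-256 is an assumed instantiation of H."""
import hashlib
from typing import Dict, List, Tuple

Message = Tuple[str, int, bytes]          # (A, i, w_i): protocol message (1)


def H(x: bytes) -> bytes:
    """The one-way function; SHA-256 here by assumption."""
    return hashlib.sha256(x).digest()


class Claimant:
    """A: holds the secret w and the chain H^0(w), ..., H^t(w); w_i = H^(t-i)(w)."""

    def __init__(self, ident: str, w: bytes, t: int):
        self.ident, self.t = ident, t
        chain: List[bytes] = [w]               # chain[k] = H^k(w), saved at setup
        for _ in range(t):
            chain.append(H(chain[-1]))
        self._chain = chain
        self.i = 1                             # index of the next identification

    def initial_value(self) -> bytes:
        """w_0 = H^t(w), to be transferred authentically to B at setup."""
        return self._chain[self.t]

    def next_message(self) -> Message:
        if self.i > self.t:
            raise RuntimeError("sequence exhausted: restart setup with a new w")
        msg = (self.ident, self.i, self._chain[self.t - self.i])
        self.i += 1
        return msg


class Verifier:
    """B: keeps (i_A, w_{i_A - 1}) per claimant; accepts w_i iff i = i_A and H(w_i) = w_{i-1}."""

    def __init__(self, t: int):
        self.t = t
        self.state: Dict[str, List] = {}       # ident -> [i_A, last accepted value]

    def register(self, ident: str, w0: bytes) -> None:
        self.state[ident] = [1, w0]

    def verify(self, msg: Message) -> bool:
        ident, i, w_i = msg
        if ident not in self.state:
            return False
        i_A, prev = self.state[ident]
        if i != i_A or i > self.t:             # wrong position in the sequence (e.g. a replay)
            return False
        if H(w_i) != prev:                     # w_i is not the preimage of the saved value
            return False
        self.state[ident] = [i_A + 1, w_i]     # advance the counter, save w_i for next time
        return True


def run_demo(t: int = 5) -> Dict[str, bool]:
    """Constructed run: normal sessions, a replay, a forgery and a pre-play (Note 10.7)."""
    A = Claimant("A", b"constructed secret w", t)
    B = Verifier(t)
    B.register("A", A.initial_value())
    out: Dict[str, bool] = {}
    m1, m2 = A.next_message(), A.next_message()
    out["session1"] = B.verify(m1)
    out["session2"] = B.verify(m2)
    out["replay_of_2"] = B.verify(m2)                        # eavesdropped and resent: rejected
    out["forged_3"] = B.verify(("A", 3, b"\x00" * 32))       # guessed w_3: rejected
    out["session3"] = B.verify(A.next_message())
    m4 = A.next_message()                                     # trapped by an active adversary
    out["preplay_of_4_by_adversary"] = B.verify(m4)          # accepted: B cannot tell who sent it
    out["legit_4_after_preplay"] = B.verify(m4)              # A's own attempt now fails
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:30s} {'accepted' if v else 'rejected'}")
```

Storing the whole chain costs t hash values of memory; recomputing w_i from w on every session costs t - i hash evaluations instead, which is the trade-off step 3(a) alludes to. A forged w_i fails because producing a preimage of the saved value is exactly what the one-way property forbids; the pre-play line succeeds because nothing in message (1) ties the password to its sender, which is what §10.3 addresses.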
10.7 Note (pre-play attack) Protocol 10.6 and similar one-time password schemes including
that of Note 10.8 remain vulnerable to an active adversary who intercepts and traps (or im-
personates the system in order to extract) an as-yet unused one-time password, for the pur-
pose of subsequent impersonation. To prevent this, a password should be revealed only to
a party which itself is known to be authentic. Challenge-response techniques (see §10.3)
address this threat.

10.8 Note (alternative one-time password scheme) The following one-time-password alterna-
tive to Protocol 10.6 is suitable if storing actual passwords on the system side is acceptable
(cf. Figure 10.1; compare also to §10.3.2(iii)). The claimant A has a shared password P
with the system verifier B, to which it sends the data pair: (r, H(r, P)). The verifier com-
putes the hash of the received value r and its local copy of P, and declares acceptance if
this matches the received hash value. To avoid replay, r should be a sequence number, time-
stamp, or other parameter which can be easily guaranteed to be accepted only once.


10.3  Challenge-response  identification  (strong 
authentication) 

The  idea  of  cryptographic  challenge-response  protocols  is  that  one  entity  (the  claimant) 
“proves”  its  identity  to  another  entity  (the  verifier)  by  demonstrating  knowledge  of  a secret 
known to be associated with that entity, without revealing the secret itself to the verifier dur-
ing the protocol.³ This is done by providing a response to a time-variant challenge, where
the  response  depends  on  both  the  entity’s  secret  and  the  challenge.  The  challenge  is  typi- 
cally a number  chosen  by  one  entity  (randomly  and  secretly)  at  the  outset  of  the  protocol. 
If  the  communications  line  is  monitored,  the  response  from  one  execution  of  the  identifi- 
cation protocol  should  not  provide  an  adversary  with  useful  information  for  a subsequent 
identification,  as  subsequent  challenges  will  differ. 

Before  considering  challenge-response  identification  protocols  based  on  symmetric- 
key  techniques  (§10.3.2),  public-key  techniques  (§10.3.3),  and  zero-knowledge  concepts 
(§10.4),  background  on  time-variant  parameters  is  first  provided. 


10.3.1  Background  on  time-variant  parameters 

Time-variant  parameters  may  be  used  in  identification  protocols  to  counteract  replay  and 
interleaving  attacks  (see  § 10.5),  to  provide  uniqueness  or  timeliness  guarantees,  and  to  pre- 
vent certain  chosen-text  attacks.  They  may  similarly  be  used  in  authenticated  key  estab- 
lishment protocols  (Chapter  12),  and  to  provide  uniqueness  guarantees  in  conjunction  with 
message  authentication  (Chapter  9). 

Time-variant parameters which serve to distinguish one protocol instance from another
are sometimes called nonces, unique numbers, or non-repeating values; definitions of these
terms have traditionally been loose, as the specific properties required depend on the actual
usage and protocol.

10.9  Definition  A nonce  is  a value  used  no  more  than  once  for  the  same  purpose.  It  typically 
serves  to  prevent  (undetectable)  replay. 

³ In some mechanisms, the secret is known to the verifier, and is used to verify the response; in others, the secret
need not actually be known by the verifier.

The term nonce is most often used to refer to a “random” number in a challenge-response
protocol, but the required randomness properties vary. Three main classes of time-variant
parameters are discussed in turn below: random numbers, sequence numbers, and time-
stamps. Often, to ensure protocol security, the integrity of such parameters must be guar-
anteed (e.g., by cryptographically binding them with other data in a challenge-response
sequence). This is particularly true of protocols in which the only requirement of a time-
variant parameter is uniqueness, e.g., as provided by a never-repeated sequential counter.⁴

Following  are  some  miscellaneous  points  about  time-variant  parameters. 

1.  Verifiable  timeliness  may  be  provided  through  use  of  random  numbers  in  challenge- 
response  mechanisms,  timestamps  in  conjunction  with  distributed  timeclocks,  or  se- 
quence numbers  in  conjunction  with  the  maintenance  of  pairwise  (claimant,  verifier) 
state  information. 

2.  To  provide  timeliness  or  uniqueness  guarantees,  the  verifier  in  the  protocol  controls 
the  time-variant  parameter,  either  directly  (through  choice  of  a random  number)  or 
indirectly  (through  information  maintained  regarding  a shared  sequence,  or  logically 
through  a common  time  clock). 

3.  To  uniquely  identify  a message  or  sequence  of  messages  (protocol  instance),  nonces 
drawn  from  a monotonically  increasing  sequence  may  be  used  (e.g.,  sequence  or  se- 
rial numbers,  and  timestamps,  if  guaranteed  to  be  increasing  and  unique),  or  random 
numbers  of  sufficient  size.  Uniqueness  is  often  required  only  within  a given  key  life- 
time or  time  window. 

4.  Combinations  of  time-variant  parameters  may  be  used,  e.g.,  random  numbers  con- 
catenated to  timestamps  or  sequence  numbers.  This  may  guarantee  that  a pseudoran- 
dom number  is  not  duplicated. 

(i)  Random  numbers 

Random  numbers  may  be  used  in  challenge-response  mechanisms,  to  provide  uniqueness 
and  timeliness  assurances,  and  to  preclude  certain  replay  and  interleaving  attacks  (see  §10.5, 
including  Remark  10.42).  Random  numbers  may  also  serve  to  provide  unpredictability,  for 
example,  to  preclude  chosen-text  attacks. 

The  term  random  numbers , when  used  in  the  context  of  identification  and  authentica- 
tion protocols,  includes  pseudorandom  numbers  which  are  unpredictable  to  an  adversary 
(see  Remark  10.11);  this  differs  from  randomness  in  the  traditional  statistical  sense.  In  pro- 
tocol descriptions,  “choose  a random  number”  is  usually  intended  to  mean  “pick  a number 
with  uniform  distribution  from  a specified  sample  space”  or  “select  from  a uniform  distri- 
bution". 

Random  numbers  are  used  in  challenge-response  protocols  as  follows.  One  entity  in- 
cludes a (new)  random  number  in  an  outgoing  message.  An  incoming  message  subsequen- 
tly received  (e.g.,  the  next  protocol  message  of  the  same  protocol  instance),  whose  construc- 
tion required  knowledge  of  this  nonce  and  to  which  this  nonce  is  inseparably  bound,  is  then 
deemed  to  be  fresh  (Remark  10.10)  based  on  the  reasoning  that  the  random  number  links 
the  two  messages.  The  non-tamperable  binding  is  required  to  prevent  appending  a nonce 
to  an  old  message. 

Random  numbers  used  in  this  manner  serve  to  fix  a relative  point  in  time  for  the  parties 
involved,  analogous  to  a shared  timeclock.  The  maximum  allowable  time  between  protocol 
messages  is  typically  constrained  by  a timeout  period,  enforced  using  local,  independent 
countdown  timers. 

⁴ Such predictable parameters differ from sequence numbers in that they might not be bound to any stored state.
Without appropriate cryptographic binding, a potential concern then is a pre-play attack wherein an adversary
obtains the response before the time-variant parameter is legitimately sent (see Note 10.7).

10.10 Remark (freshness) In the context of challenge-response protocols, fresh typically means
recent, in the sense of having originated subsequent to the beginning of the current protocol
instance. Note that such freshness alone does not rule out interleaving attacks using parallel
sessions (see §10.5).

10.11  Remark  (birthday  repetitions  in  random  numbers ) In  generating  pseudorandom  numbers 
for  use  as  time-variant  parameters,  it  suffices  if  the  probability  of  a repeated  number  is  ac- 
ceptably low  and  if  numbers  are  not  intentionally  reused.  This  may  be  achieved  by  selecting 
the  random  value  from  a sufficiently  large  sample  space,  taking  into  account  coincidences 
arising  from  the  birthday  paradox.  The  latter  may  be  addressed  by  either  using  a larger  sam- 
ple space,  or  by  using  a generation  process  guaranteed  to  avoid  repetition  (e.g.,  a bijection), 
such  as  using  the  counter  or  OFB  mode  of  a block  cipher  (§7.2.2). 

10.12  Remark  (disadvantages  of  random  numbers)  Many  protocols  involving  random  numbers 
require  the  generation  of  cryptographically  secure  (i.e.,  unpredictable)  random  numbers. 
If  pseudorandom  number  generators  are  used,  an  initial  seed  with  sufficient  entropy  is  re- 
quired. When  random  numbers  are  used  in  challenge-response  mechanisms  in  place  of 
timestamps,  typically  the  protocol  involves  one  additional  message,  and  the  challenger  must 
temporarily  maintain  state  information,  but  only  until  the  response  is  verified. 

(ii)  Sequence  numbers 

A sequence number (serial number, or counter value) serves as a unique number identify-
ing a message, and is typically used to detect message replay. For stored files, sequence
numbers may serve as version numbers for the file in question. Sequence numbers are spe-
cific to a particular pair of entities, and must explicitly or implicitly be associated with both
the originator and recipient of a message; distinct sequences are customarily necessary for
messages from A to B and from B to A.

Parties  follow  a pre-defined  policy  for  message  numbering.  A message  is  accepted  only 
if  the  sequence  number  therein  has  not  been  used  previously  (or  not  used  previously  within 
a specified  time  period),  and  satisfies  the  agreed  policy.  The  simplest  policy  is  that  a se- 
quence number  starts  at  zero,  is  incremented  sequentially,  and  each  successive  message 
has  a number  one  greater  than  the  previous  one  received.  A less  restrictive  policy  is  that 
sequence  numbers  need  (only)  be  monotonically  increasing;  this  allows  for  lost  messages 
due  to  non-malicious  communications  errors,  but  precludes  detection  of  messages  lost  due 
to  adversarial  intervention. 

10.13  Remark  (disadvantages  of  sequence  numbers)  Use  of  sequence  numbers  requires  an  over- 
head as  follows:  each  claimant  must  record  and  maintain  long-term  pairwise  state  infor- 
mation for  each  possible  verifier,  sufficient  to  determine  previously  used  and/or  still  valid 
sequence  numbers.  Special  procedures  (e.g.,  for  resetting  sequence  numbers)  may  be  neces- 
sary following  circumstances  disrupting  normal  sequencing  (e.g.,  system  failures).  Forced 
delays  are  not  detectable  in  general.  As  a consequence  of  the  overhead  and  synchronization 
necessary,  sequence  numbers  are  most  appropriate  for  smaller,  closed  groups. 

(iii)  Timestamps 

Timestamps  may  be  used  to  provide  timeliness  and  uniqueness  guarantees,  to  detect  mes- 
sage replay. They may also be used to implement time-limited access privileges, and to
detect  forced  delays. 
Timestamps function as follows. The party originating a message obtains a timestamp
from  its  local  (host)  clock,  and  cryptographically  binds  it  to  a message.  Upon  receiving  a 
time-stamped  message,  the  second  party  obtains  the  current  time  from  its  own  (host)  clock, 
and  subtracts  the  timestamp  received.  The  received  message  is  valid  provided: 

1. the timestamp difference is within the acceptance window (a fixed-size time interval,
e.g.,  10  milliseconds  or  20  seconds,  selected  to  account  for  the  maximum  message 
transit  and  processing  time,  plus  clock  skew);  and 

2.  (optionally)  no  message  with  an  identical  timestamp  has  been  previously  received 
from  the  same  originator.  This  check  may  be  made  by  the  verifier  maintaining  a list 
of  all  timestamps  received  from  each  source  entity  within  the  current  acceptance  win- 
dow. Another  method  is  to  record  the  latest  (valid)  timestamp  used  by  each  source 
(in  this  case  the  verifier  accepts  only  strictly  increasing  time  values). 

The  security  of  timestamp-based  verification  relies  on  use  of  a common  time  reference. 
This  requires  that  host  clocks  be  available  and  both  “loosely  synchronized”  and  secured 
from  modification.  Synchronization  is  necessary  to  counter  clock  drift,  and  must  be  appro- 
priate to  accommodate  the  acceptance  window  used.  The  degree  of  clock  skew  allowed, 
and  the  acceptance  window,  must  be  appropriately  small  to  preclude  message  replay  if  the 
above  optional  check  is  omitted.  The  timeclock  must  be  secure  to  prevent  adversarial  re- 
setting of  a clock  backwards  so  as  to  restore  the  validity  of  old  messages,  or  setting  a clock 
forward  to  prepare  a message  for  some  future  point  in  time  (cf.  Note  10.7). 
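The receiver-side checks just described, written out as an added example (constructed for this edit, not code from the handbook). The timestamp verifier applies the acceptance-window test and the second method under check 2, keeping the latest valid timestamp per source and accepting only strictly increasing values; for comparison with (ii), a sequence-number verifier implements either the strict "one greater than the previous" policy or the looser monotonically increasing one. The type and function names (TimestampVerifier, SeqVerifier, Accept) and the 20-second window are my own choices, and the clock is injected so the window check is deterministic.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

var (
	ErrOutsideWindow = errors.New("timestamp outside acceptance window")
	ErrReplay        = errors.New("timestamp not newer than the last one accepted from this originator")
	ErrSeqPolicy     = errors.New("sequence number violates the agreed policy")
)

// TimestampVerifier applies the two checks of the text: (1) the difference between the
// verifier's clock and the received timestamp lies within the acceptance window, and
// (2) the timestamp is strictly greater than the latest one accepted from the same
// originator, so a replayed (identical) timestamp is rejected. Illustrative type, not
// from the handbook.
type TimestampVerifier struct {
	Window time.Duration        // e.g. 20 s: max transit + processing time, plus clock skew
	Now    func() time.Time     // the verifier's local (host) clock, injectable for testing
	latest map[string]time.Time // latest valid timestamp accepted per source entity
}

func NewTimestampVerifier(window time.Duration, now func() time.Time) *TimestampVerifier {
	return &TimestampVerifier{Window: window, Now: now, latest: make(map[string]time.Time)}
}

// Accept returns nil and records ts if the message is valid, otherwise the reason.
func (v *TimestampVerifier) Accept(origin string, ts time.Time) error {
	diff := v.Now().Sub(ts)
	if diff < 0 { // the sender's clock may run ahead of ours; skew is tolerated both ways
		diff = -diff
	}
	if diff > v.Window {
		return ErrOutsideWindow
	}
	if last, seen := v.latest[origin]; seen && !ts.After(last) {
		return ErrReplay
	}
	v.latest[origin] = ts
	return nil
}

// SeqVerifier applies a sequence-number policy per originator. With Strict set, numbering
// starts at zero and each message must carry exactly last+1, so a lost message is noticed;
// otherwise numbers need only increase, which tolerates non-malicious loss but cannot
// distinguish it from adversarial removal.
type SeqVerifier struct {
	Strict bool
	last   map[string]uint64
}

func NewSeqVerifier(strict bool) *SeqVerifier {
	return &SeqVerifier{Strict: strict, last: make(map[string]uint64)}
}

func (s *SeqVerifier) Accept(origin string, n uint64) error {
	last, seen := s.last[origin]
	switch {
	case s.Strict && !seen && n != 0:
		return ErrSeqPolicy
	case s.Strict && seen && n != last+1:
		return ErrSeqPolicy
	case !s.Strict && seen && n <= last:
		return ErrSeqPolicy
	}
	s.last[origin] = n
	return nil
}

func main() {
	clock := func() time.Time { return time.Date(2020, 1, 1, 12, 0, 0, 0, time.UTC) }
	tv := NewTimestampVerifier(20*time.Second, clock)
	ts := clock().Add(-3 * time.Second)                // message stamped 3 s before our clock
	fmt.Println("first delivery:", tv.Accept("A", ts)) // <nil>
	fmt.Println("replayed copy: ", tv.Accept("A", ts)) // ErrReplay
	fmt.Println("stale message: ", tv.Accept("A", clock().Add(-time.Minute)))

	sv := NewSeqVerifier(true)
	fmt.Println("seq 0:", sv.Accept("A", 0), " seq 2:", sv.Accept("A", 2)) // <nil>, ErrSeqPolicy
}
```

Note that the per-originator map is exactly the state the remarks below count as overhead: the timestamp verifier keeps one value per source for the duration of a window, while the sequence-number verifier must keep it for the life of the pairing.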

10.14 Remark (disadvantages of timestamps) Timestamp-based protocols require that time-
clocks  be  both  synchronized  and  secured.  The  preclusion  of  adversarial  modification  of 
local  timeclocks  is  difficult  to  guarantee  in  many  distributed  environments;  in  this  case, 
the  security  provided  must  be  carefully  re-evaluated.  Maintaining  lists  of  used  timestamps 
within  the  current  window  has  the  drawback  of  a potentially  large  storage  requirement,  and 
corresponding  verification  overhead.  While  technical  solutions  exist  for  synchronizing  dis- 
tributed clocks,  if  synchronization  is  accomplished  via  network  protocols,  such  protocols 
themselves  must  be  secure,  which  typically  requires  authentication;  this  leads  to  a circular 
security  argument  if  such  authentication  is  itself  timestamp-based. 

10.15 Remark (comparison of time-variant parameters) Timestamps in protocols offer the advantage of fewer messages (typically by one), and no requirement to maintain pairwise long-term state information (cf. sequence numbers) or per-connection short-term state information (cf. random numbers). Minimizing state information is particularly important for servers in client-server applications. The main drawback of timestamps is the requirement of maintaining secure, synchronized distributed timeclocks. Timestamps in protocols may typically be replaced by a random number challenge plus a return message.


10.3.2  Challenge-response  by  symmetric-key  techniques 

Challenge-response  mechanisms  based  on  symmetric-key  techniques  require  the  claimant 
and  the  verifier  to  share  a symmetric  key.  For  closed  systems  with  a small  number  of  users, 
each  pair  of  users  may  share  a key  a priori;  in  larger  systems  employing  symmetric-key 
techniques,  identification  protocols  often  involve  the  use  of  a trusted  on-line  server  with 
which  each  party  shares  a key.  The  on-line  server  effectively  acts  like  the  hub  of  a spoked 
wheel,  providing  a common  session  key  to  two  parties  each  time  one  requests  authentication 
with  the  other. 
The apparent simplicity of the techniques presented below and in §10.3.3 is misleading.
The  design  of  such  techniques  is  intricate  and  the  security  is  brittle;  those  presented  have 
been  carefully  selected. 

(i)  Challenge-response  based  on  symmetric-key  encryption 

Both  the  Kerberos  protocol  (Protocol  12.24)  and  the  Needham-Schroeder  shared-key  pro- 
tocol (Protocol  12.26)  provide  entity  authentication  based  on  symmetric  encryption  and  in- 
volve use  of  an  on-line  trusted  third  party.  These  are  discussed  in  Chapter  12,  as  they  addi- 
tionally provide  key  establishment. 

Below,  three  simple  techniques  based  on  ISO/IEC  9798-2  are  described.  They  assume 
the  prior  existence  of  a shared  secret  key  (and  no  further  requirement  for  an  on-line  server). 
In  this  case,  two  parties  may  carry  out  unilateral  entity  authentication  in  one  pass  using 
timestamps  or  sequence  numbers,  or  two  passes  using  random  numbers;  mutual  authen- 
tication requires,  respectively,  two  and  three  passes.  The  claimant  corroborates  its  identity 
by  demonstrating  knowledge  of  the  shared  key  by  encrypting  a challenge  (and  possibly  ad- 
ditional data)  using  the  key.  These  techniques  are  similar  to  those  given  in  §12.3.1. 

10.16 Remark (data integrity) When encipherment is used in entity authentication protocols,
data  integrity  must  typically  also  be  guaranteed  to  ensure  security.  For  example,  for  mes- 
sages spanning  more  than  one  block,  the  rearrangement  of  ciphertext  blocks  cannot  be  de- 
tected in  the  ECB  mode  of  block  encryption,  and  even  CBC  encryption  may  provide  only 
a partial  solution.  Such  data  integrity  should  be  provided  through  use  of  an  accepted  data 
integrity  mechanism  (see  §9.6;  cf.  Remark  12.19). 

9798-2 mechanisms: Regarding notation: rA and tA, respectively, denote a random number and a timestamp, generated by A. (In these mechanisms, the timestamp tA may be replaced by a sequence number nA, providing slightly different guarantees.) EK denotes a symmetric encryption algorithm, with a key K shared by A and B; alternatively, distinct keys KAB and KBA may be used for unidirectional communication. It is assumed that both parties are aware of the claimed identity of the other, either by context or by additional (unsecured) cleartext data fields. Optional message fields are denoted by an asterisk (*), while a comma (,) within the scope of EK denotes concatenation.

1.  unilateral  authentication,  timestamp-based: 

A → B : EK(tA, B*)  (1)

Upon  reception  and  decryption,  B verifies  that  the  timestamp  is  acceptable,  and  op- 
tionally verifies  the  received  identifier  as  its  own.  The  identifier  B here  prevents  an 
adversary  from  re-using  the  message  immediately  on  A,  in  the  case  that  a single  bi- 
directional key  K is  used. 

2.  unilateral  authentication,  using  random  numbers: 

To  avoid  reliance  on  timestamps,  the  timestamp  may  be  replaced  by  a random  num- 
ber, at  the  cost  of  an  additional  message: 

A ← B : rB  (1)

A → B : EK(rB, B*)  (2)

B decrypts the received message and checks that the random number matches that sent in (1). Optionally, B checks that the identifier in (2) is its own; this prevents a reflection attack in the case of a bi-directional key K. To prevent chosen-text attacks on the encryption scheme EK, A may (as below) embed an additional random number in (2) or, alternately, the form of the challenges can be restricted; the critical requirement is that they be non-repeating.
3. mutual authentication, using random numbers:

A ← B : rB  (1)

A → B : EK(rA, rB, B*)  (2)

A ← B : EK(rB, rA)  (3)

Upon reception of (2), B carries out the checks as above and, in addition, recovers the decrypted rA for inclusion in (3). Upon decrypting (3), A checks that both random numbers match those used earlier. The second random number rA in (2) serves both as a challenge and to prevent chosen-text attacks.

10.17 Remark (doubling unilateral authentication) While mutual authentication may be obtain-
ed by  running  any  of  the  above  unilateral  authentication  mechanisms  twice  (once  in  each 
direction),  such  an  ad-hoc  combination  suffers  the  drawback  that  the  two  unilateral  authen- 
tications, not  being  linked,  cannot  logically  be  associated  with  a single  protocol  run. 

(ii)  Challenge-response  based  on  (keyed)  one-way  functions 

The  encryption  algorithm  in  the  above  mechanisms  may  be  replaced  by  a one-way  or  non- 
reversible  function  of  the  shared  key  and  challenge,  e.g.,  having  properties  similar  to  a MAC 
(Definition  9.7).  This  may  be  preferable  in  situations  where  encryption  algorithms  are  oth- 
erwise unavailable  or  undesirable  (e.g.,  due  to  export  restrictions  or  computational  costs). 
The  modifications  required  to  the  9798-2  mechanisms  above  (yielding  the  analogous  mech- 
anisms of  ISO/IEC  9798-4)  are  the  following: 

1. the encryption function EK is replaced by a MAC algorithm hK;

2.  rather  than  decrypting  and  verifying  that  fields  match,  the  recipient  now  indepen- 
dently computes  the  MAC  value  from  known  quantities,  and  accepts  if  the  computed 
MAC  matches  the  received  MAC  value;  and 

3. to enable independent MAC computation by the recipient, the additional cleartext field tA must be sent in message (1) of the one-pass mechanism. rA must be sent as an additional cleartext field in message (2) of the three-pass mechanism.

The revised three-pass challenge-response mechanism based on a MAC hK, with actions as noted above, provides mutual identification. Essentially the same protocol, called SKID3, has messages as follows:

A ← B : rB  (1)

A → B : rA, hK(rA, rB, B)  (2)

A ← B : hK(rB, rA, A)  (3)

Note that the additional field A is included in message (3). The protocol SKID2, obtained by omitting the third message, provides unilateral entity authentication.
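The three-pass mechanism of (i) and its MAC-based form of (ii) share one structure, so a single added example covers both: SKID3 implemented with HMAC-SHA256 as hK (my choice of MAC; this is constructed illustration, not code from the handbook or from ISO/IEC 9798). It shows both sides' messages, the recipient recomputing the MAC from quantities it already knows rather than decrypting, the identifier check that defeats reflection under a bi-directional key, and the matching of rB against the challenge sent in (1). The length prefixes inside the MAC input are my addition, so that the comma (concatenation) of the text cannot be re-parsed at a different field boundary; Party, Challenge, Respond and the other names are assumed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Party holds one side's long-term and per-run state. Names are illustrative.
type Party struct {
	ID, Peer string // own identifier and the peer's claimed identifier (known by context)
	Key      []byte // the shared key K
	rSelf    []byte // this party's random number (rA or rB)
	rPeer    []byte // the random number received from the peer
}

// tag computes hK over the concatenation of fields. Each field is length-prefixed so
// that (rA, rB, B) cannot be re-parsed as different fields of the same total length.
func tag(key []byte, fields ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	var l [4]byte
	for _, f := range fields {
		binary.BigEndian.PutUint32(l[:], uint32(len(f)))
		m.Write(l[:])
		m.Write(f)
	}
	return m.Sum(nil)
}

func nonce() []byte {
	r := make([]byte, 16)
	if _, err := rand.Read(r); err != nil {
		panic(err)
	}
	return r
}

// Message (1), B -> A: rB.
func (b *Party) Challenge() []byte {
	b.rSelf = nonce()
	return b.rSelf
}

// Message (2), A -> B: rA, hK(rA, rB, B). rA is both A's challenge to B and the
// self-generated random number that prevents chosen-text attacks on hK.
func (a *Party) Respond(rB []byte) (rA, mac []byte) {
	a.rPeer = rB
	a.rSelf = nonce()
	return a.rSelf, tag(a.Key, a.rSelf, rB, []byte(a.Peer))
}

// B checks (2) by recomputing the MAC from what it knows (its own rB and its own
// identifier), then returns message (3), B -> A: hK(rB, rA, A).
func (b *Party) VerifyAndReply(rA, mac []byte) ([]byte, error) {
	if !hmac.Equal(mac, tag(b.Key, rA, b.rSelf, []byte(b.ID))) {
		return nil, errors.New("message (2) rejected")
	}
	b.rPeer = rA
	return tag(b.Key, b.rSelf, rA, []byte(b.Peer)), nil
}

// A checks (3) the same way. The field order (rB, rA) and the identifier A make the
// MAC of (3) distinct from that of (2), so a reflected copy of (2) is rejected.
func (a *Party) VerifyFinal(mac []byte) error {
	if !hmac.Equal(mac, tag(a.Key, a.rPeer, a.rSelf, []byte(a.ID))) {
		return errors.New("message (3) rejected")
	}
	return nil
}

// Run performs one complete SKID3 exchange between A and B sharing key.
func Run(key []byte) error {
	a := &Party{ID: "A", Peer: "B", Key: key}
	b := &Party{ID: "B", Peer: "A", Key: key}
	rB := b.Challenge()
	rA, m2 := a.Respond(rB)
	m3, err := b.VerifyAndReply(rA, m2)
	if err != nil {
		return err
	}
	return a.VerifyFinal(m3)
}

func main() {
	key := []byte("constructed shared key K (example only)") // sample value, not a real key
	fmt.Println("SKID3 run:", Run(key))                      // <nil> on success
}
```

Dropping VerifyFinal and message (3) gives SKID2; the same Party type and tag function serve it unchanged.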

(iii)  Implementation  using  hand-held  passcode  generators 

Answering  a challenge  in  challenge-response  protocols  requires  some  type  of  computing 
device  and  secure  storage  for  long-term  keying  material  (e.g.,  a file  on  a trusted  local  disk, 
perhaps  secured  under  a local  password-derived  key).  For  additional  security,  a device  such 
as a chipcard (and corresponding card reader) may be used for both the key storage and
response  computation.  In  some  cases,  a less  expensive  option  is  a passcode  generator. 

Passcode  generators  are  hand-held  devices,  resembling  thin  calculators  in  both  size 
and  display,  and  which  provide  time-variant  passwords  or  passcodes  (see  Figure  10.3).  The 
generator  contains  a device-specific  secret  key.  When  a user  is  presented  with  a challenge 
(e.g.,  by  a system  displaying  it  on  a computer  terminal),  the  challenge  is  keyed  into  the  gen- 
erator. The  generator  displays  a passcode,  computed  as  a function  of  the  secret  key  and  the 
challenge; this may be either an asymmetric function, or a symmetric function (e.g., encryp-
tion or  MAC  as  discussed  above).  The  user  returns  the  response  (e.g.,  keys  the  passcode  in 
at  his  terminal),  which  the  system  verifies  by  comparison  to  an  independently  computed 
response,  using  the  same  information  stored  on  the  system  side. 

For  further  protection  against  misplaced  generators,  the  response  may  also  depend  on  a 
user-entered  PIN.  Simpler  passcode  generators  omit  the  user  keypad,  and  use  as  an  implicit 
challenge  a time  value  (with  a typical  granularity  of  one  minute)  defined  by  a timeclock 
loosely  synchronized  automatically  between  the  system  and  the  passcode  generator.  A more 
sophisticated  device  combines  implicit  synchronization  with  explicit  challenges,  presenting 
an  explicit  challenge  only  when  synchronization  is  lost. 

A drawback  of  systems  using  passcode  generators  is,  as  per  §10.2.1  (i),  the  requirement 
to  provide  confidentiality  for  user  passwords  stored  on  the  system  side. 


A (user)  B (system) 


REJECT 


Figure  10.3:  Functional  diagram  of  a hand-held  passcode  generator:  sa  is  A 's  user-specific  secret, 
f is  a one-way  function.  The  (optional)  PIN  could  alternatively  be  locally  verified  in  the  passcode 
generator  only,  making  y independent  of  it. 


10.3.3  Challenge-response  by  public-key  techniques 

Public-key  techniques  may  be  used  for  challenge-response  based  identification,  with  a 
claimant  demonstrating  knowledge  of  its  private  key  in  one  of  two  ways  (cf.  §12.5): 

1.  the  claimant  decrypts  a challenge  encrypted  under  its  public  key; 

2.  the  claimant  digitally  signs  a challenge. 

Ideally,  the  public-key  pair  used  in  such  mechanisms  should  not  be  used  for  other  pur- 
poses, since  combined  usage  may  compromise  security  (Remark  10.40).  A second  caution 
is  that  the  public-key  system  used  should  not  be  susceptible  to  chosen-ciphertext  attacks,5 

5 Both chosen-ciphertext and chosen-plaintext attacks are of concern for challenge-response techniques based on symmetric-key encryption.
as an adversary may attempt to extract information by impersonating a verifier and choosing strategic rather than random challenges. (See Notes 8.13 and 8.58 regarding the Rabin/Williams and Blum-Goldwasser schemes.)

Incorporating  a self-generated  random  number  or  confounder  (§10.5)  into  the  data  over 
which  the  response  is  computed  may  address  both  of  these  concerns.  Such  data  may  be 
made  available  to  the  verifier  in  cleartext  to  allow  verification. 

(i)  Challenge-response  based  on  public-key  decryption 

Identification  based  on  PK  decryption  and  witness.  Consider  the  following  protocol: 

A ← B : h(r), B, PA(r, B)  (1)

A → B : r  (2)

B chooses a random r, computes the witness x = h(r) (x demonstrates knowledge of r without disclosing it - cf. §10.4.1), and computes the challenge e = PA(r, B). Here PA denotes the public-key encryption (e.g., RSA) algorithm of A, and h denotes a one-way hash function. B sends (1) to A. A decrypts e to recover r' and B', computes x' = h(r'), and quits if x' ≠ x (implying r' ≠ r) or if B' is not equal to its own identifier B. Otherwise, A sends r = r' to B. B succeeds with (unilateral) entity authentication of A upon verifying the received r agrees with that sent earlier. The use of the witness precludes chosen-text attacks.
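The witness protocol above, as an added example (constructed here; not code from the handbook). PA is instantiated with RSA-OAEP and h with SHA-256, both my choices; r has a fixed length so A can split the decrypted (r, B) without a delimiter, and A compares B' with the identifier B received in cleartext in (1), which is how I read the identifier check. The point the code makes is the order of A's checks: A releases r' only after the witness matches, so a challenger who did not already know r learns nothing from A's decryption. MakeChallenge, Respond, Verify and the Challenge type are assumed names.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

const nonceLen = 32 // |r|, fixed so A can split the decrypted (r, B) without a delimiter

// Challenge is message (1) as sent by B: h(r), B, PA(r, B).
type Challenge struct {
	Witness  []byte // x = h(r)
	Verifier string // B's identifier in cleartext
	Cipher   []byte // e = PA(r, B)
}

// MakeChallenge is B's step: choose r, publish its hash as the witness, and encrypt
// (r, B) under A's public key. B keeps r to check the reply.
func MakeChallenge(pubA *rsa.PublicKey, verifierID string) (r []byte, c Challenge, err error) {
	r = make([]byte, nonceLen)
	if _, err = rand.Read(r); err != nil {
		return nil, c, err
	}
	x := sha256.Sum256(r)
	plain := append(append([]byte{}, r...), verifierID...)
	e, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pubA, plain, nil)
	if err != nil {
		return nil, c, err
	}
	return r, Challenge{Witness: x[:], Verifier: verifierID, Cipher: e}, nil
}

// Respond is A's step: decrypt e to get r' and B', and quit unless h(r') equals the
// witness and B' equals the cleartext identifier from (1). Only then is r' released.
func Respond(privA *rsa.PrivateKey, c Challenge) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, privA, c.Cipher, nil)
	if err != nil || len(plain) < nonceLen {
		return nil, errors.New("challenge does not decrypt")
	}
	rPrime, bPrime := plain[:nonceLen], string(plain[nonceLen:])
	xPrime := sha256.Sum256(rPrime)
	if !bytes.Equal(xPrime[:], c.Witness) {
		return nil, errors.New("witness mismatch: challenger did not know r, quit")
	}
	if bPrime != c.Verifier {
		return nil, errors.New("identifier mismatch, quit")
	}
	return rPrime, nil
}

// Verify is B's check of message (2): the returned value must equal its r.
func Verify(r, received []byte) bool {
	return subtle.ConstantTimeCompare(r, received) == 1
}

// Run executes the protocol once; it returns true when B authenticates A.
func Run(privA *rsa.PrivateKey) (bool, error) {
	r, c, err := MakeChallenge(&privA.PublicKey, "B")
	if err != nil {
		return false, err
	}
	reply, err := Respond(privA, c)
	if err != nil {
		return false, err
	}
	return Verify(r, reply), nil
}

func main() {
	privA, err := rsa.GenerateKey(rand.Reader, 2048) // A's key pair, generated for the example
	if err != nil {
		panic(err)
	}
	ok, err := Run(privA)
	fmt.Println("B authenticates A:", ok, err) // true <nil>
}
```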

Modified Needham-Schroeder PK protocol for identification. The modified Needham-Schroeder public-key protocol of Note 12.39 provides key transport of distinct keys k1, k2 from A to B and B to A, respectively, as well as mutual authentication. If the key establishment feature is not required, k1 and k2 may be omitted. With PB denoting the public-key encryption algorithm for B (e.g., RSA), the messages in the modified protocol for identification are then as follows:

A → B : PB(r1, A)  (1)

A ← B : PA(r1, r2)  (2)

A → B : r2  (3)

Verification  actions  are  analogous  to  those  of  Note  12.39. 

(ii)  Challenge-response  based  on  digital  signatures 

X.509  mechanisms  based  on  digital  signatures.  The  ITU-T  (formerly  CCITT)  X.509  two- 
and  three-way  strong  authentication  protocols  specify  identification  techniques  based  on 
digital  signatures  and,  respectively,  timestamps  and  random  number  challenges.  These  are 
described  in  § 12.5.2,  and  optionally  provide  key  establishment  in  addition  to  entity  authen- 
tication. 

9798-3  mechanisms.  Three  challenge-response  identification  mechanisms  based  on  signa- 
tures are  given  below,  analogous  to  those  in  §10.3.2(i)  based  on  symmetric-key  encryption, 
but,  in  this  case,  corresponding  to  techniques  in  ISO/IEC  9798-3.  Regarding  notation  (cf. 
9798-2 above): rA and tA, respectively, denote a random number and timestamp generated by A. SA denotes A's signature mechanism; if this mechanism provides message recovery, some of the cleartext fields listed below are redundant and may be omitted. certA denotes
the  public-key  certificate  containing  A’s  signature  public  key.  (In  these  mechanisms,  if  the 
verifier  has  the  authentic  public  key  of  the  claimant  a priori,  certificates  may  be  omitted; 
otherwise,  it  is  assumed  that  the  verifier  has  appropriate  information  to  verify  the  validity 
of  the  public  key  contained  in  a received  certificate  - see  Chapter  13.)  Remark  10.17  also 
applies  here. 
1. unilateral authentication with timestamps:

A → B : certA, tA, B, SA(tA, B)  (1)

Upon  reception,  B verifies  that  the  timestamp  is  acceptable,  the  received  identifier  B 
is its own, and (using A's public key extracted from certA after verifying the latter)
checks  that  the  signature  over  these  two  fields  is  correct. 

2.  unilateral  authentication  with  random  numbers:  Reliance  on  timestamps  may  be  re- 
placed by  a random  number,  at  the  cost  of  an  additional  message: 

A ← B : rB  (1)

A → B : certA, rA, B, SA(rA, rB, B)  (2)

B verifies  that  the  cleartext  identifier  is  its  own,  and  using  a valid  signature  public  key 
for A (e.g., from certA), verifies that A's signature is valid over the cleartext random
number  rA,  the  same  number  rB  as  sent  in  (1),  and  this  identifier.  The  signed  rA 
explicitly  prevents  chosen-text  attacks. 

3.  mutual  authentication  with  random  numbers: 

A ← B : rB  (1)

A → B : certA, rA, B, SA(rA, rB, B)  (2)

A ← B : certB, A, SB(rB, rA, A)  (3)

Processing  of  (1)  and  (2)  is  as  above;  (3)  is  processed  analogously  to  (2). 
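The three-pass signature mechanism, as an added example (constructed here; not code from the handbook or from ISO/IEC 9798-3). Ed25519 stands in for SA and SB, and the certificates certA and certB are omitted on the grounds the text allows: each side already holds the other's authentic public key, exchanged out of band in NewPair. The verifier checks the cleartext identifier is its own before checking the signature over (rA, rB, B), and the signed input is length-prefixed so the field boundaries are unambiguous (my addition). Party, Respond, VerifyAndReply and the other names are assumed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Party holds one side's identifier, signature key pair, the peer's authentic
// public key (standing in for a verified certificate), and per-run random numbers.
type Party struct {
	ID, Peer string
	priv     ed25519.PrivateKey
	peerPub  ed25519.PublicKey
	rSelf    []byte
	rPeer    []byte
}

func nonce() []byte {
	r := make([]byte, 16)
	if _, err := rand.Read(r); err != nil {
		panic(err)
	}
	return r
}

// signed serialises the fields under the signature with length prefixes, so the
// boundaries between the two random numbers and the identifier are unambiguous.
func signed(fields ...[]byte) []byte {
	var buf bytes.Buffer
	for _, f := range fields {
		binary.Write(&buf, binary.BigEndian, uint32(len(f)))
		buf.Write(f)
	}
	return buf.Bytes()
}

// Message (1), B -> A: rB.
func (b *Party) Challenge() []byte {
	b.rSelf = nonce()
	return b.rSelf
}

// Message (2), A -> B: rA, B, SA(rA, rB, B). The signed rA prevents chosen-text attacks.
func (a *Party) Respond(rB []byte) (rA []byte, id string, sig []byte) {
	a.rPeer = rB
	a.rSelf = nonce()
	return a.rSelf, a.Peer, ed25519.Sign(a.priv, signed(a.rSelf, rB, []byte(a.Peer)))
}

// B checks (2): the cleartext identifier is its own, and A's signature covers rA, the rB
// it sent in (1), and that identifier. It then sends (3), B -> A: A, SB(rB, rA, A).
func (b *Party) VerifyAndReply(rA []byte, id string, sig []byte) (string, []byte, error) {
	if id != b.ID {
		return "", nil, errors.New("message (2) not addressed to me")
	}
	if !ed25519.Verify(b.peerPub, signed(rA, b.rSelf, []byte(b.ID)), sig) {
		return "", nil, errors.New("message (2) signature invalid")
	}
	b.rPeer = rA
	return b.Peer, ed25519.Sign(b.priv, signed(b.rSelf, rA, []byte(b.Peer))), nil
}

// A checks (3) analogously to B's check of (2).
func (a *Party) VerifyFinal(id string, sig []byte) error {
	if id != a.ID {
		return errors.New("message (3) not addressed to me")
	}
	if !ed25519.Verify(a.peerPub, signed(a.rPeer, a.rSelf, []byte(a.ID)), sig) {
		return errors.New("message (3) signature invalid")
	}
	return nil
}

// NewPair creates A and B with fresh key pairs and exchanges public keys out of band.
func NewPair() (*Party, *Party) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	a := &Party{ID: "A", Peer: "B", priv: privA, peerPub: pubB}
	b := &Party{ID: "B", Peer: "A", priv: privB, peerPub: pubA}
	return a, b
}

// Run executes the three passes and reports whether both sides accept.
func Run() error {
	a, b := NewPair()
	rB := b.Challenge()
	rA, id2, sig2 := a.Respond(rB)
	id3, sig3, err := b.VerifyAndReply(rA, id2, sig2)
	if err != nil {
		return err
	}
	return a.VerifyFinal(id3, sig3)
}

func main() {
	fmt.Println("9798-3 mutual authentication:", Run()) // <nil>
}
```

Because rB is bound into A's signature in (2) and rA into B's signature in (3), a message (2) captured from one run does not verify in a later run with a fresh rB, and the two directions are linked into a single run, which is what Remark 10.17 asks of a mutual mechanism.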


10.4  Customized  and  zero-knowledge  identification 
protocols 

This  section  considers  protocols  specifically  designed  to  achieve  identification,  which  use 
asymmetric  techniques  but  do  not  rely  on  digital  signatures  or  public-key  encryption,  and 
which  avoid  use  of  block  ciphers,  sequence  numbers,  and  timestamps.  They  are  similar 
in  some  regards  to  the  challenge-response  protocols  of  §10.3,  but  are  based  on  the  ideas 
of  interactive  proof  systems  and  zero-knowledge  proofs  (see  §10.4.1),  employing  random 
numbers  not  only  as  challenges,  but  also  as  commitments  to  prevent  cheating. 


10.4.1  Overview  of  zero-knowledge  concepts 

A disadvantage  of  simple  password  protocols  is  that  when  a claimant  A (called  a prover  in 
the  context  of  zero-knowledge  protocols)  gives  the  verifier  B her  password,  B can  there- 
after impersonate  A.  Challenge-response  protocols  improve  on  this:  A responds  to  B’s 
challenge  to  demonstrate  knowledge  of  A’s  secret  in  a time-variant  manner,  providing  in- 
formation not  directly  reusable  by  B.  This  might  nonetheless  reveal  some  partial  informa- 
tion about  the  claimant’s  secret;  an  adversarial  verifier  might  also  be  able  to  strategically 
select  challenges  to  obtain  responses  providing  such  information  (see  chosen-text  attacks, 
§10.5). 

Zero-knowledge  (ZK)  protocols  are  designed  to  address  these  concerns,  by  allowing 
a prover  to  demonstrate  knowledge  of  a secret  while  revealing  no  information  whatsoever 
(beyond  what  the  verifier  was  able  to  deduce  prior  to  the  protocol  run)  of  use  to  the  verifier 
in conveying this demonstration of knowledge to others. The point is that only a single bit
of  information  need  be  conveyed  - namely,  that  the  prover  actually  does  know  the  secret. 

More  generally,  a zero-knowledge  protocol  allows  a proof  of  the  truth  of  an  assertion, 
while  conveying  no  information  whatsoever  (this  notion  can  be  quantified  in  a rigorous 
sense)  about  the  assertion  itself  other  than  its  actual  truth.  In  this  sense,  a zero-knowledge 
proof  is  similar  to  an  answer  obtained  from  a (trusted)  oracle. 

(i)  Interactive  proof  systems  and  zero-knowledge  protocols 

The  ZK  protocols  to  be  discussed  are  instances  of  interactive  proof  systems,  wherein  a prov- 
er and  verifier  exchange  multiple  messages  (challenges  and  responses),  typically  dependent 
on  random  numbers  (ideally:  the  outcomes  of  fair  coin  tosses)  which  they  may  keep  secret. 
The prover's objective is to convince (prove to) the verifier the truth of an assertion, e.g., claimed knowledge of a secret. The verifier either accepts or rejects the proof. The traditional mathematical notion of a proof, however, is altered to an interactive game wherein proofs are probabilistic rather than absolute; a proof in this context need be correct only with bounded probability, albeit possibly arbitrarily close to 1. For this reason, an interactive proof is sometimes called a proof by protocol.

Interactive  proofs  used  for  identification  may  be  formulated  as  proofs  of  knowledge. 
A possesses  some  secret  s,  and  attempts  to  convince  B it  has  knowledge  of  s by  correctly 
responding  to  queries  (involving  publicly  known  inputs  and  agreed  upon  functions)  which 
require  knowledge  of  s to  answer.  Note  that  proving  knowledge  of  s differs  from  proving 
that  such  s exists  - for  example,  proving  knowledge  of  the  prime  factors  of  n differs  from 
proving  that  n is  composite. 

An  interactive  proof  is  said  to  be  a proof  of  knowledge  if  it  has  both  the  properties  of 
completeness  and  soundness.  Completeness  may  be  viewed  as  the  customary  requirement 
that  a protocol  functions  properly  given  honest  participants. 

10.18 Definition (completeness property) An interactive proof (protocol) is complete if, given an honest prover and an honest verifier, the protocol succeeds with overwhelming probability (i.e., the verifier accepts the prover's claim). The definition of overwhelming depends
on  the  application,  but  generally  implies  that  the  probability  of  failure  is  not  of  practical 
significance. 

10.19 Definition (soundness property) An interactive proof (protocol) is sound if there exists an
expected  polynomial-time  algorithm  M with  the  following  property:  if  a dishonest  prover 
(impersonating  A)  can  with  non-negligible  probability  successfully  execute  the  protocol 
with  B,  then  M can  be  used  to  extract  from  this  prover  knowledge  (essentially  equivalent 
to  A’s  secret)  which  with  overwhelming  probability  allows  successful  subsequent  protocol 
executions. 

An alternate explanation of the condition in Definition 10.19 is as follows: the prover's secret s together with public data satisfies some polynomial-time predicate, and another so-
lution of  this  predicate  (possibly  the  same)  can  be  extracted,  allowing  successful  execution 
of  subsequent  protocol  instances. 

Since  any  party  capable  of  impersonating  A must  know  the  equivalent  of  A’s  secret 
knowledge  (M  can  be  used  to  extract  it  from  this  party  in  polynomial  time),  soundness  guar- 
antees that  the  protocol  does  indeed  provide  a proof  of  knowledge  - knowledge  equivalent 
to  that  being  queried  is  required  to  succeed.  Soundness  thus  prevents  a dishonest  prover 
from convincing an honest verifier (but does not by itself guarantee that acquiring the prover's secret is difficult; see Remark 10.23). A standard method to establish the soundness of a particular protocol is to assume the existence of a dishonest prover capable of successfully executing the protocol, and show how this allows one to compute the real prover's secret.

While  an  interactive  proof  of  knowledge  (or  protocol  based  thereon)  must  be  sound 
to  be  of  cryptographic  use,  the  main  property  of  zero-knowledge  protocols  is  the  zero- 
knowledge  aspect  itself.  For  what  follows,  define  a transcript  (or  view)  to  be  the  collection 
of  messages  resulting  from  protocol  execution. 

10.20 Definition (zero-knowledge property) A protocol which is a proof of knowledge has the zero-knowledge property if it is simulatable in the following sense: there exists an expected polynomial-time algorithm (simulator) which can produce, upon input of the assertion(s)
to  be  proven  but  without  interacting  with  the  real  prover,  transcripts  indistinguishable  from 
those  resulting  from  interaction  with  the  real  prover. 

The  zero-knowledge  property  implies  that  a prover  executing  the  protocol  (even  when  in- 
teracting with  a malicious  verifier)  does  not  release  any  information  (about  its  secret  knowl- 
edge, other  than  that  the  particular  assertion  itself  is  true)  not  otherwise  computable  in 
polynomial  time  from  public  information  alone.  Thus,  participation  does  not  increase  the 
chances  of  subsequent  impersonation. 

10.21 Remark (simulated ZK protocols and protocol observers) Consider an observer C who witnesses a zero-knowledge interactive proof (ZKIP) involving a prover A convincing a verifier B (B ≠ C) of some knowledge A has. The "proof" to B does not provide any
guarantees  to  C.  (Indeed,  A and  B might  have  a prior  agreement,  conspiring  against  C, 
on  the  challenges  to  be  issued.)  Similarly,  a recorded  ZKIP  conveys  no  guarantees  upon 
playback.  This  is  fundamental  to  the  idea  of  the  zero-knowledge  property  and  the  condition 
that  proofs  be  simulatable  by  a verifier  alone.  Interactive  proofs  convey  knowledge  only  to 
(interactive)  verifiers  able  to  select  their  own  random  challenges. 

10.22 Definition (computational vs. perfect zero-knowledge) A protocol is computationally
zero-knowledge  if  an  observer  restricted  to  probabilistic  polynomial-time  tests  cannot  dis- 
tinguish real  from  simulated  transcripts.  For  perfect  zero-knowledge,  the  probability  dis- 
tributions of  the  transcripts  must  be  identical.  By  convention,  when  not  further  qualified, 
zero-knowledge  means  computational  zero-knowledge. 

In  the  case  of  computational  zero-knowledge,  real  and  simulated  transcripts  are  said 
to  be  polynomially  indistinguishable  (indistinguishable  using  polynomial-time  algorithms). 
Any  information  extracted  by  a verifier  through  interaction  with  a prover  provides  no  ad- 
vantage to  the  verifier  within  polynomial  time. 

10.23  Remark  (ZK property  and  soundness  vs.  security)  The  zero-knowledge  property  (Defini- 
tion 10.20)  does  not  guarantee  that  a protocol  is  secure  (i.e.,  that  the  probability  of  it  being 
easily  defeated  is  negligible).  Similarly,  the  soundness  property  (Definition  10.19)  does  not 
guarantee  that  a protocol  is  secure.  Neither  property  has  much  value  unless  the  underlying 
problem  faced  by  an  adversary  is  computationally  hard. 

(ii)  Comments  on  zero-knowledge  vs.  other  asymmetric  protocols 

The  following  observations  may  be  made  regarding  zero-knowledge  (ZK)  techniques,  as 
compared with other public-key (PK) techniques.
1. no degradation with usage: protocols proven to have the ZK property do not suffer
degradation  of  security  with  repeated  use,  and  resist  chosen-text  attacks.  This  is  per- 
haps the  most  appealing  practical  feature  of  ZK  techniques. 

A ZK  technique  which  is  not  provably  secure  may  or  may  not  be  viewed  as  more 
desirable  than  a PK  technique  which  is  provably  secure  (e.g.,  as  difficult  as  factoring). 

2.  encryption  avoided:  many  ZK  techniques  avoid  use  of  explicit  encryption  algo- 
rithms. This  may  offer  political  advantages  (e.g.,  with  respect  to  export  controls). 

3.  efficiency:  while  some  ZK-based  techniques  are  extremely  efficient  (see  §10.4.5), 
protocols  which  formally  have  the  zero-knowledge  property  typically  have  higher 
communications  and/or  computational  overheads  than  PK  protocols  which  do  not. 
The  computational  efficiency  of  the  more  practical  ZK-based  schemes  arises  from 
their  nature  as  interactive  proofs,  rather  than  their  zero-knowledge  aspect. 

4. unproven assumptions: many ZK protocols (“proofs of knowledge”) themselves rely on the same unproven assumptions as PK techniques (e.g., the intractability of factoring or quadratic residuosity).

5. ZK-based vs. ZK: although supported by prudent underlying principles, many techniques based on zero-knowledge concepts fall short of formally being zero-knowledge and/or formally sound in practice, due to parameter selection for reasons of efficiency, or for other technical reasons (cf. Notes 10.33 and 10.38). In fact, many such concepts are asymptotic, and do not apply directly to practical protocols (Remark 10.34).

(iii)  Example  of  zero-knowledge  proof:  Fiat-Shamir  identification  protocol 

The general idea of a zero-knowledge (ZK) proof is illustrated by the basic version of the Fiat-Shamir protocol. The basic version is presented here for historical and illustrative purposes (Protocol 10.24). In practice, one would use a more efficient variation, such as Protocol 10.26, with multiple “questions” per iteration rather than as here, where B poses only a single one-bit challenge per iteration.

The objective is for A to identify itself by proving knowledge of a secret s (associated with A through authentic public data) to any verifier B, without revealing any information about s not known or computable by B prior to execution of the protocol (see Note 10.25). The security relies on the difficulty of extracting square roots modulo large composite integers n of unknown factorization, which is equivalent to that of factoring n (Fact 3.46).


10.24 Protocol Fiat-Shamir identification protocol (basic version)

SUMMARY: A proves knowledge of s to B in t executions of a 3-pass protocol.

1. One-time setup.

(a) A trusted center T selects and publishes an RSA-like modulus n = pq but keeps primes p and q secret.

(b) Each claimant A selects a secret s coprime to n, $1 \le s \le n-1$, computes $v = s^2 \bmod n$, and registers v with T as its public key.⁶

2. Protocol messages. Each of t rounds has three messages with form as follows.

$A \rightarrow B: \; x = r^2 \bmod n$ (1)

$A \leftarrow B: \; e \in \{0, 1\}$ (2)

$A \rightarrow B: \; y = r \cdot s^e \bmod n$ (3)

3. Protocol actions. The following steps are iterated t times (sequentially and independently). B accepts the proof if all t rounds succeed.

(a) A chooses a random (commitment) r, $1 \le r \le n-1$, and sends (the witness) $x = r^2 \bmod n$ to B.

(b) B randomly selects a (challenge) bit e = 0 or e = 1, and sends e to A.

(c) A computes and sends to B (the response) y: either y = r (if e = 0) or $y = rs \bmod n$ (if e = 1).

(d) B rejects the proof if y = 0, and otherwise accepts upon verifying $y^2 \equiv x \cdot v^e \pmod n$. (Depending on e, $y^2 = x$ or $y^2 = xv \bmod n$, since $v = s^2 \bmod n$. Note that checking for y = 0 precludes the case r = 0.)

⁶ Technically, T should verify the condition gcd(s, n) = 1 or equivalently gcd(v, n) = 1, for this to be a sound proof of knowledge; and B should stop with failure if gcd(y, n) ≠ 1, where y is A's response in the third message. But either condition failing would allow the factorization of n, violating the assumption that n cannot be factored.


Protocol 10.24 may be explained and informally justified as follows. The challenge (or exam) e requires that A be capable of answering two questions, one of which demonstrates her knowledge of the secret s, and the other an easy question (for honest provers) to prevent cheating. An adversary impersonating A might try to cheat by selecting any r and setting $x = r^2/v$, then answering the challenge e = 1 with a “correct” answer y = r; but would be unable to answer the exam e = 0 which requires knowing a square root of x mod n. A prover A knowing s can answer both questions, but otherwise can at best answer one of the two questions, and so has probability only 1/2 of escaping detection. To decrease the probability of cheating arbitrarily to an acceptably small value of $2^{-t}$ (e.g., t = 20 or t = 40), the protocol is iterated t times, with B accepting A's identity only if all t questions (over t rounds) are successfully answered.

10.25 Note (secret information revealed by A) The response y = r is independent of A's secret s, while the response $y = rs \bmod n$ also provides no information about s because the random r is unknown to B. Information pairs (x, y) extracted from A could equally well be simulated by a verifier B alone by choosing y randomly, then defining $x = y^2$ or $y^2/v \bmod n$. While this is not the method by which A would construct such pairs, such pairs (x, y) have a probability distribution which is indistinguishable from those A would produce; this establishes the zero-knowledge property. Despite the ability to simulate proofs, B is unable to impersonate A because B cannot predict the real-time challenges.

As a minor technical point, however, the protocol does reveal a bit of information: the answer y = rs provides supporting evidence that v is indeed a square modulo n, and the soundness of the protocol allows one to conclude, after t successful iterations, that this is indeed the case.
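Protocol 10.24 and the simulation argument of Note 10.25, as an added Python example (not code from the text): it runs the t-round protocol, builds a verifier-only simulated transcript that passes step 3(d), and checks the one-anticipated-question strategy discussed above against a mismatched challenge. The modulus 1009 · 1013 is a constructed toy value, not a parameter from the text.

```python
import secrets
from math import gcd

# Constructed toy modulus n = p*q (assumption; a real n is RSA-sized with unknown factors).
P, Q = 1009, 1013
N = P * Q


def keygen(n, rng=secrets.randbelow):
    """Step 1(b): secret s coprime to n, public key v = s^2 mod n."""
    while True:
        s = rng(n - 3) + 2                      # 1 < s < n - 1
        if gcd(s, n) == 1:
            return s, pow(s, 2, n)


def commit(n, rng=secrets.randbelow):
    """Step 3(a): random commitment r and witness x = r^2 mod n."""
    r = rng(n - 1) + 1                          # 1 <= r <= n - 1
    return r, pow(r, 2, n)


def respond(r, s, e, n):
    """Step 3(c): y = r * s^e mod n (y = r when e = 0, y = r*s when e = 1)."""
    return (r * pow(s, e, n)) % n


def verify(x, e, y, v, n):
    """Step 3(d): reject y = 0, otherwise require y^2 == x * v^e (mod n)."""
    if y % n == 0:
        return False
    return pow(y, 2, n) == (x * pow(v, e, n)) % n


def identify(s, v, n, t, rng=secrets.randbelow):
    """Run t sequential rounds; B accepts only if every round verifies."""
    for _ in range(t):
        r, x = commit(n, rng)
        e = rng(2)                              # B's one-bit challenge
        y = respond(r, s, e, n)
        if not verify(x, e, y, v, n):
            return False
    return True


def simulate(v, n, e, rng=secrets.randbelow):
    """Note 10.25: a verifier alone produces an accepting (x, e, y) without s,
    by picking y first and defining x = y^2 / v^e mod n."""
    y = rng(n - 1) + 1
    x = (pow(y, 2, n) * pow(pow(v, e, n), -1, n)) % n
    return x, e, y


def anticipating_round(v, n, guess, actual_e, rng=secrets.randbelow):
    """The strategy described in the text for a party that does not know s:
    prepare x for one anticipated challenge.  Returns B's verdict for the
    challenge B actually sent; it passes only when guess == actual_e."""
    r = rng(n - 1) + 1
    if guess == 1:
        x = (pow(r, 2, n) * pow(v, -1, n)) % n  # x = r^2 / v, so y = r answers e = 1
    else:
        x = pow(r, 2, n)                        # a plain witness answers only e = 0
    return verify(x, actual_e, r, v, n)
```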

(iv)  General  structure  of  zero-knowledge  protocols 

Protocol 10.24 illustrates the general structure of a large class of three-move zero-knowledge protocols:

A → B : witness

A ← B : challenge

A → B : response

The prover claiming to be A selects a random element from a pre-defined set as its secret commitment (providing hidden randomization or “private coin tosses”), and from this computes an associated (public) witness. This provides initial randomness for variation from other protocol runs, and essentially defines a set of questions all of which the prover claims to be able to answer, thereby a priori constraining her forthcoming response. By protocol design, only the legitimate party A, with knowledge of A's secret, is truly capable of answering all the questions, and the answer to any one of these provides no information about A's long-term secret. B's subsequent challenge selects one of these questions. A provides its response, which B checks for correctness. The protocol is iterated, if necessary, to improve the bound limiting the probability of successful cheating.

Zero-knowledge interactive protocols thus combine the ideas of cut-and-choose protocols (this terminology results from the standard method by which two children share a piece of cake: one cuts, the other chooses) and challenge-response protocols. A responds to at most one challenge (question) for a given witness, and should not reuse any witness; in many protocols, security (possibly of long-term keying material) may be compromised if either of these conditions is violated.


10.4.2  Feige-Fiat-Shamir  identification  protocol 

The basic version of the Fiat-Shamir protocol is presented as Protocol 10.24. This can be generalized, and the Feige-Fiat-Shamir (FFS) identification protocol (Protocol 10.26) is a minor variation of such a generalization. The FFS protocol involves an entity identifying itself by proving knowledge of a secret using a zero-knowledge proof; the protocol reveals no partial information whatsoever regarding the secret identification value(s) of A (cf. Definition 10.20). It requires limited computation (a small fraction of that required by RSA - see §10.4.5), and is thus well-suited for applications with low-power processors (e.g., 8-bit chipcard microprocessors).


10.26 Protocol Feige-Fiat-Shamir identification protocol

SUMMARY: A proves its identity to B in t executions of a 3-pass protocol.

1. Selection of system parameters. A trusted center T publishes the common modulus n = pq for all users, after selecting two secret primes p and q each congruent to 3 mod 4, and such that n is computationally infeasible to factor. (Consequently, n is a Blum integer per §2.4.6, and −1 is a quadratic non-residue mod n with Jacobi symbol +1.) Integers k and t are defined as security parameters (see Note 10.28).

2. Selection of per-entity secrets. Each entity A does the following.

(a) Select k random integers $s_1, s_2, \ldots, s_k$ in the range $1 \le s_i \le n-1$, and k random bits $b_1, \ldots, b_k$. (For technical reasons, $\gcd(s_i, n) = 1$ is required, but is almost surely guaranteed as its failure allows factorization of n.)

(b) Compute $v_i = (-1)^{b_i} \cdot (s_i^2)^{-1} \bmod n$ for $1 \le i \le k$. (This allows $v_i$ to range over all integers coprime to n with Jacobi symbol +1, a technical condition required to prove that no secret information is “leaked”; by choice of n, precisely one signed choice for $v_i$ has a square root.)

(c) A identifies itself by non-cryptographic means (e.g., photo id) to T, which thereafter registers A's public key $(v_1, \ldots, v_k; n)$, while only A knows its private key $(s_1, \ldots, s_k)$ and n. (To guarantee the bounded probability of attack specified per Note 10.28, T may confirm that each $v_i$ indeed does have Jacobi symbol +1 relative to n.) This completes the one-time set-up phase.

3. Protocol messages. Each of t rounds has three messages with form as follows.

$A \rightarrow B: \; x \; (= \pm r^2 \bmod n)$ (1)

$A \leftarrow B: \; (e_1, \ldots, e_k), \; e_i \in \{0, 1\}$ (2)

$A \rightarrow B: \; y \; (= r \cdot \prod_{j=1}^{k} s_j^{e_j} \bmod n)$ (3)

4. Protocol actions. The following steps are executed t times; B accepts A's identity if all t rounds succeed. Assume B has A's authentic public key $(v_1, \ldots, v_k; n)$; otherwise, a certificate may be sent in message (1), and used as in Protocol 10.36.




(a) A chooses a random integer r, $1 \le r \le n-1$, and a random bit b; computes $x = (-1)^b \cdot r^2 \bmod n$; and sends x (the witness) to B.

(b) B sends to A (the challenge) a random k-bit vector $(e_1, \ldots, e_k)$.

(c) A computes and sends to B (the response): $y = r \cdot \prod_{j=1}^{k} s_j^{e_j} \bmod n$ (the product of r and those $s_j$ specified by the challenge).

(d) B computes $z = y^2 \cdot \prod_{j=1}^{k} v_j^{e_j} \bmod n$, and verifies that $z = \pm x$ and $z \ne 0$. (The latter precludes an adversary succeeding by choosing r = 0.)


10.27 Example (Feige-Fiat-Shamir protocol with artificially small parameters)

1. The trusted center T selects the primes p = 683, q = 811, and publishes n = pq = 553913. Integers k = 3 and t = 1 are defined as security parameters.

2. Entity A does the following.

(a) Selects 3 random integers $s_1 = 157$, $s_2 = 43215$, $s_3 = 4646$, and 3 bits $b_1 = 1$, $b_2 = 0$, $b_3 = 1$.

(b) Computes $v_1 = 441845$, $v_2 = 338402$, and $v_3 = 124423$.

(c) A's public key is (441845, 338402, 124423; 553913) and private key is (157, 43215, 4646).

3. See Protocol 10.26 for a summary of the messages exchanged.

4. (a) A chooses r = 1279, b = 1, computes x = 25898, and sends this to B.

(b) B sends to A the 3-bit vector (0, 0, 1).

(c) A computes and sends to B $y = r \cdot s_3 \bmod n = 403104$.

(d) B computes $z = y^2 \cdot v_3 \bmod n = 25898$ and accepts A's identity since z = +x and z ≠ 0. □
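Protocol 10.26 run with the Example 10.27 values, as an added Python example (not the text's own code). The Jacobi-symbol routine used for T's check in step 2(c) is written here from the standard quadratic-reciprocity algorithm and is an assumption of the example, not something the text specifies.

```python
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (standard algorithm; assumption of this example)."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:             # pull out factors of 2 using (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                   # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def ffs_public_key(secrets_, bits, n):
    """Step 2(b): v_i = (-1)^{b_i} * (s_i^2)^{-1} mod n for each secret s_i."""
    pk = []
    for s, b in zip(secrets_, bits):
        if gcd(s, n) != 1:
            raise ValueError("s_i not coprime to n (this would factor n)")
        v = pow(pow(s, 2, n), -1, n)
        pk.append((-v) % n if b else v)
    return pk


def ffs_commit(r, b, n):
    """Step 4(a): witness x = (-1)^b * r^2 mod n."""
    x = pow(r, 2, n)
    return (-x) % n if b else x


def ffs_respond(r, secrets_, challenge, n):
    """Step 4(c): y = r * prod of the s_j with e_j = 1, mod n."""
    y = r % n
    for s, e in zip(secrets_, challenge):
        if e:
            y = (y * s) % n
    return y


def ffs_verify(x, challenge, y, pk, n):
    """Step 4(d): z = y^2 * prod of the v_j with e_j = 1; accept iff z = +-x and z != 0."""
    z = pow(y, 2, n)
    for v, e in zip(pk, challenge):
        if e:
            z = (z * v) % n
    return z != 0 and (z == x or z == (-x) % n)


# Example 10.27 values from the text (k = 3, t = 1).
N = 683 * 811                         # 553913
SECRETS = (157, 43215, 4646)
BITS = (1, 0, 1)


def example_10_27():
    """Reproduce the single round of Example 10.27; returns (public key, x, y, accepted)."""
    pk = ffs_public_key(SECRETS, BITS, N)
    r, b = 1279, 1
    x = ffs_commit(r, b, N)
    e = (0, 0, 1)
    y = ffs_respond(r, SECRETS, e, N)
    return pk, x, y, ffs_verify(x, e, y, pk, N)
```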

10.28 Note (security of Feige-Fiat-Shamir identification protocol)

(i) probability of forgery. Protocol 10.26 is provably secure against chosen message attack in the following sense: provided that factoring n is difficult, the best attack has a probability $2^{-kt}$ of successful impersonation.

(ii) security assumption required. The security relies on the difficulty of extracting square roots modulo large composite integers n of unknown factorization. This is equivalent to that of factoring n (see Fact 3.46).

(iii) zero-knowledge and soundness. The protocol is, relative to a trusted server, a (sound) zero-knowledge proof of knowledge provided $k = O(\log \log n)$ and $t = O(\log n)$. See Remark 10.34 regarding the practical significance of such constraints. A simplistic view for fixed k is that the verifier, interested in soundness, favors larger t (more iterations) for a decreased probability of fraud; while the prover, interested in zero-knowledge, favors smaller t.

(iv) parameter selection. Choosing k and t such that kt = 20 allows a 1 in a million chance of impersonation, which suffices in the case that an identification attempt requires a personal appearance by a would-be impersonator (see §10.5). Computation, memory, and communication can be traded off; $1 \le k \le 18$ was originally suggested as appropriate. Specific parameter choices might be, for security $2^{-20}$: k = 5, t = 4; for $2^{-30}$: k = 6, t = 5.

(v) security trade-off. Both computation and communication may be reduced by trading off security parameters to yield a single iteration (t = 1), holding the product kt constant and increasing k while decreasing t; however, in this case the protocol is no longer a zero-knowledge proof of knowledge.
10.29 Note (modifications to Feige-Fiat-Shamir)

(i) As an alternative to step 1 of Protocol 10.26, each user may pick its own such modulus n. T is still needed to associate each user with its modulus.

(ii) The communication complexity can be reduced if A sends B (e.g., 128 bits of) a hash value h(x) instead of x in message (1), with B's verification modified accordingly.

(iii) The scheme can be made identity-based as follows (cf. §13.4.3). T assigns a distinguished identifying string $I_A$ to each party A (e.g., A's name, address, or other information which a verifier may wish to corroborate). A's public values $v_i$, $1 \le i \le k$, are then derived by both T and other parties B as $v_i = f(I_A, i)$ using an appropriate function f. Then the trusted center, knowing the factorization of n, computes a square root $s_i$ of each $v_i$ and gives these to A.

As an example of f, consider, for a randomly chosen but known value c, $f(I_A, i) = I_A + i + c \bmod n$. Since a square root of $f_i = f(I_A, i)$ is required, any $f_i$ with Jacobi symbol −1 mod n may be multiplied by a fixed number with Jacobi symbol −1. A non-residue $f_i$ with Jacobi +1 may be either discarded (A must then indicate to B, e.g., in message (3), which values i allow computation of the $v_j$); or mapped to a residue via multiplication by −1, again with an indication to B of this to allow computation of $v_j$. Note that both cases for dealing with a non-residue $f_i$ with Jacobi +1 reveal some (non-useful) information.

(iv) The parallel version of the protocol, in which each of three messages contains the respective data for all t rounds simultaneously, can be shown to be secure (it releases no “transferable information”), but for technical reasons loses the zero-knowledge property. Such parallel execution (as opposed to sequential iteration) in interactive proofs allows the probability of error (forgery) to be decreased without increasing the number of rounds.

10.30 Note (converting identification to signature scheme) The following general technique may be used to convert an identification scheme involving a witness-challenge-response sequence to a signature scheme: replace the random challenge e of the verifier by the one-way hash $e = h(x \,\|\, m)$ of the concatenation of the witness x and the message m to be signed (h essentially plays the role of verifier). As this converts an interactive identification scheme to a non-interactive signature scheme, the bitsize of the challenge e must typically be increased to preclude off-line attacks on the hash function.


10.4.3  GQ  identification  protocol 

The  Guillou-Quisquater  (GQ)  identification  scheme  (Protocol  10.31)  is  an  extension  of  the 
Fiat-Shamir  protocol.  It  allows  a reduction  in  both  the  number  of  messages  exchanged  and 
memory  requirements  for  user  secrets  and,  like  Fiat-Shamir,  is  suitable  for  applications  in 
which  the  claimant  has  limited  power  and  memory.  It  involves  three  messages  between  a 
claimant  A whose  identity  is  to  be  corroborated,  and  a verifier  B. 


10.31 Protocol GQ identification protocol

SUMMARY: A proves its identity (via knowledge of $s_A$) to B in a 3-pass protocol.

1. Selection of system parameters.

(a) An authority T, trusted by all parties with respect to binding identities to public keys, selects secret random RSA-like primes p and q yielding a modulus n = pq. (As for RSA, it must be computationally infeasible to factor n.)

(b) T defines a public exponent $v \ge 3$ with $\gcd(v, \phi) = 1$ where $\phi = (p-1)(q-1)$, and computes its private exponent $s = v^{-1} \bmod \phi$. (See Note 10.33.)

(c) System parameters (v, n) are made available (with guaranteed authenticity) for all users.

2. Selection of per-user parameters.

(a) Each entity A is given a unique identity $I_A$, from which (the redundant identity) $J_A = f(I_A)$, satisfying $1 < J_A < n$, is derived using a known redundancy function f. (See Note 10.35. Assuming that factoring n is difficult implies $\gcd(J_A, \phi) = 1$.)

(b) T gives to A the secret (accreditation data) $s_A = (J_A)^{-s} \bmod n$.

3. Protocol messages. Each of t rounds has three messages as follows (often t = 1).

$A \rightarrow B: \; I_A, \; x = r^v \bmod n$ (1)

$A \leftarrow B: \; e$ (where $1 \le e \le v$) (2)

$A \rightarrow B: \; y = r \cdot s_A^{\,e} \bmod n$ (3)

4. Protocol actions. A proves its identity to B by t executions of the following; B accepts the identity only if all t executions are successful.

(a) A selects a random secret integer r (the commitment), $1 \le r \le n-1$, and computes (the witness) $x = r^v \bmod n$.

(b) A sends to B the pair of integers $(I_A, x)$.

(c) B selects and sends to A a random integer e (the challenge), $1 \le e \le v$.

(d) A computes and sends to B (the response) $y = r \cdot s_A^{\,e} \bmod n$.

(e) B receives y, constructs $J_A$ from $I_A$ using f (see above), computes $z = J_A^{\,e} \cdot y^v \bmod n$, and accepts A's proof of identity if both z = x and z ≠ 0. (The latter precludes an adversary succeeding by choosing r = 0.)


10.32 Example (GQ identification protocol with artificially small parameters and t = 1)

1. (a) The authority T selects primes p = 569, q = 739, and computes n = pq = 420491.

(b) T computes $\phi = (p-1)(q-1) = 419184$, selects v = 54955, and computes $s = v^{-1} \bmod \phi = 233875$.

(c) System parameters (54955, 420491) are made available for all users.

2. (a) Suppose that A's redundant identity is $J_A = 34579$.

(b) T gives to A the accreditation data $s_A = (J_A)^{-s} \bmod n = 403154$.

3. See Protocol 10.31 for a summary of the messages exchanged.

4. (a) A selects r = 65446 and computes $x = r^v \bmod n = 89525$.

(b) A sends to B the pair $(I_A, 89525)$.

(c) B sends to A the random challenge e = 38980.

(d) A sends $y = r \cdot s_A^{\,e} \bmod n = 83551$ to B.

(e) B computes $z = J_A^{\,e} \cdot y^v \bmod n = 89525$ and accepts A's identity since z = x and z ≠ 0. □
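Protocol 10.31 with the Example 10.32 parameters, as an added Python example (not the text's own code). Since the example does not specify the redundancy function f, the redundant identity $J_A = 34579$ is supplied directly, as the text does; the functions below are named by the protocol step they implement.

```python
from math import gcd


def gq_setup(p, q, v):
    """Step 1: n = pq, phi = (p-1)(q-1), private exponent s = v^{-1} mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    if v < 3 or gcd(v, phi) != 1:
        raise ValueError("v must be >= 3 and coprime to phi")
    return n, phi, pow(v, -1, phi)


def gq_accredit(J_A, s, n):
    """Step 2(b): T computes A's accreditation data s_A = J_A^{-s} mod n
    (only T can, since s depends on the factorization of n)."""
    return pow(J_A, -s, n)


def gq_commit(r, v, n):
    """Step 4(a): witness x = r^v mod n for the secret commitment r."""
    return pow(r, v, n)


def gq_challenge_ok(e, v):
    """Step 4(c): the challenge must satisfy 1 <= e <= v."""
    return 1 <= e <= v


def gq_respond(r, s_A, e, n):
    """Step 4(d): response y = r * s_A^e mod n."""
    return (r * pow(s_A, e, n)) % n


def gq_verify(J_A, x, e, y, v, n):
    """Step 4(e): z = J_A^e * y^v mod n; accept iff z == x and z != 0.
    Correctness: y^v = r^v * J_A^{-sev} = r^v * J_A^{-e} because sv = 1 mod phi."""
    z = (pow(J_A, e, n) * pow(y, v, n)) % n
    return z != 0 and z == x


# Example 10.32 parameters from the text.
P, Q, V = 569, 739, 54955
J_A = 34579


def example_10_32():
    """Reproduce the t = 1 run of Example 10.32; returns
    (n, phi, s, s_A, x, y, accepted)."""
    n, phi, s = gq_setup(P, Q, V)
    s_A = gq_accredit(J_A, s, n)
    r, e = 65446, 38980
    if not gq_challenge_ok(e, V):
        raise ValueError("challenge out of range")
    x = gq_commit(r, V, n)
    y = gq_respond(r, s_A, e, n)
    return n, phi, s, s_A, x, y, gq_verify(J_A, x, e, y, V, n)
```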


10.33 Note (security of GQ identification protocol)

(i) probability of forgery. In Protocol 10.31, v determines the security level (cf. Fiat-Shamir where v = 2 but there are many rounds); some values such as $v = 2^{16} + 1$ may offer computational advantages. A fraudulent claimant can defeat the protocol with a 1 in v chance by guessing e correctly a priori (and then forming $x = J_A^{\,e} \cdot y^v$ as the verifier would). The recommended bitlength of v thus depends on the environment under which attacks could be mounted (see §10.5).

(ii) security assumption required. Extracting vth roots modulo the composite integer n (i.e., solving the RSA problem - §3.3) appears necessary to defeat the protocol; this is no harder than factoring n (Fact 3.30), and appears computationally intractable without knowing the factors of n.

(iii) soundness. In practice, GQ with t = 1 and a k-bit prime v is often suggested. For generalized parameters (n, v, t), the probability of forgery is $v^{-t}$. If v is constant, then technically for soundness, t must grow asymptotically faster than log log n. (For soundness, $v^{-t} = O(e^{-kt})$ must be smaller than inverse-polynomial in log n; only polynomial security is provided if for a constant c, $v^t = O((\log n)^c)$. See also Remark 10.34.)

(iv) zero-knowledge property. In opposition to the soundness requirement, for GQ to be zero-knowledge apparently requires $tv = O((\log n)^c)$ for constant c, imposing an upper bound on t asymptotically: for v constant, t must be no larger than polynomial in log n.

10.34 Remark (asymptotic concepts vs. practical protocols) The asymptotic conditions for soundness specified in Note 10.33 have little meaning in practice, e.g., because big-O notation is not applicable once fixed values are assigned to parameters. Indeed, zero-knowledge is a theoretical concept; while complexity-theoretic definitions offer guidance in selecting practical security parameters, their significance diminishes when parameters are fixed. Regarding Note 10.33, if t = 1 is viewed as the instantiation of a non-constant parameter (e.g., the iterated logarithm of n), then t = 1 will suffice for all practical purposes; consider n = 1024, $t = \lfloor \lg^{4} n \rfloor = 1$.

10.35 Note (redundancy function for identity-based GQ)

(i) The protocol as given is an identity-based version (cf. Note 10.29), where A's public key is reconstructed from identifier $I_A$ sent in message (1). Alternatively, a certified public key may be used, distributed in a certificate as per Protocol 10.36.

(ii) One example of the redundancy function f is the redundancy mapping of the preprocessing stage of ISO/IEC 9796 (see §11.3.5). A second example is a single function value of f as in Note 10.29, for an appropriate value i.

(iii) The purpose of the redundancy is to preclude an adversary computing false accreditation data corresponding to a plausible identity; this would be equivalent to forging a certificate in certificate-based schemes.


10.4.4  Schnorr  identification  protocol 

The Schnorr identification protocol is an alternative to the Fiat-Shamir and GQ protocols. Its security is based on the intractability of the discrete logarithm problem. The design allows pre-computation, reducing the real-time computation for the claimant to one multiplication modulo a prime q; it is thus particularly suitable for claimants of limited computational ability. A further important computational efficiency results from the use of a subgroup of order q of the multiplicative group of integers modulo p, where $q \mid (p-1)$; this also reduces the required number of transmitted bits. Finally, the protocol was designed to require only three passes, and a low communications bandwidth (e.g., compared to Fiat-Shamir).

The basic idea is that A proves knowledge of a secret a (without revealing it) in a time-variant manner (depending on a challenge e), identifying A through the association of a with the public key v via A's authenticated certificate.
10.36 Protocol Schnorr identification protocol

SUMMARY: A proves its identity to B in a 3-pass protocol.

1. Selection of system parameters.

(a) A suitable prime p is selected such that p − 1 is divisible by another prime q. (Discrete logarithms modulo p must be computationally infeasible - see §3.6; e.g., $p \approx 2^{1024}$, $q \ge 2^{160}$.)

(b) An element β is chosen, $1 \le \beta \le p-1$, having multiplicative order q. (For example, for α a generator mod p, $\beta = \alpha^{(p-1)/q} \bmod p$; see Note 4.81.)

(c) Each party obtains an authentic copy of the system parameters (p, q, β) and the verification function (public key) of the trusted party T, allowing verification of T's signatures $S_T(m)$ on messages m. ($S_T$ involves a suitable known hash function prior to signing, and may be any signature mechanism.)

(d) A parameter t (e.g., $t \ge 40$), $2^t < q$, is chosen (defining a security level $2^t$).

2. Selection of per-user parameters.

(a) Each claimant A is given a unique identity $I_A$.

(b) A chooses a private key a, $0 \le a \le q-1$, and computes $v = \beta^{-a} \bmod p$.

(c) A identifies itself by conventional means (e.g., passport) to T, transfers v to T with integrity, and obtains a certificate $cert_A = (I_A, v, S_T(I_A, v))$ from T binding $I_A$ with v.

3. Protocol messages. The protocol involves three messages.

$A \rightarrow B: \; cert_A, \; x = \beta^r \bmod p$ (1)

$A \leftarrow B: \; e$ (where $1 \le e \le 2^t < q$) (2)

$A \rightarrow B: \; y = ae + r \bmod q$ (3)

4. Protocol actions. A identifies itself to verifier B as follows.

(a) A chooses a random r (the commitment), $1 \le r \le q-1$, computes (the witness) $x = \beta^r \bmod p$, and sends (1) to B.

(b) B authenticates A's public key v by verifying T's signature on $cert_A$, then sends to A a (never previously used) random e (the challenge), $1 \le e \le 2^t$.

(c) A checks $1 \le e \le 2^t$ and sends B (the response) $y = ae + r \bmod q$.

(d) B computes $z = \beta^y v^e \bmod p$, and accepts A's identity provided z = x.

10.37 Example (Schnorr identification protocol with artificially small parameters)

1. (a) The prime p = 48731 is selected, where p − 1 is divisible by the prime q = 443.

(b) A generator mod 48731 is α = 6; β is computed as $\alpha^{(p-1)/q} \bmod p = 11444$.

(c) The system parameters are (48731, 443, 11444).

(d) The parameter t = 8 is chosen.

2. (b) A chooses a private key a = 357 and computes $v = \beta^{-a} \bmod p = 7355$.

3. See Protocol 10.36 for a summary of the messages exchanged.

4. (a) A chooses r = 274 and sends $x = \beta^r \bmod p = 37123$ to B.

(b) B sends to A the random challenge e = 129.

(c) A sends B the number $y = ae + r \bmod q = 255$.

(d) B computes $z = \beta^y v^e \bmod p = 37123$ and accepts A's identity since z = x. □
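Protocol 10.36 with the Example 10.37 parameters, together with the conversion of Note 10.30 to a non-interactive signature, as an added Python example (not the text's own code). The hash h (SHA-256 reduced to the protocol's t-bit challenge range) and the omission of the certificate step are assumptions of the example.

```python
import hashlib
import secrets


def schnorr_params(p, q, alpha, t):
    """Step 1: beta = alpha^((p-1)/q) mod p has order q; the parameter t needs 2^t < q."""
    if (p - 1) % q != 0 or (1 << t) >= q:
        raise ValueError("need q | (p - 1) and 2^t < q")
    beta = pow(alpha, (p - 1) // q, p)
    if beta == 1 or pow(beta, q, p) != 1:
        raise ValueError("alpha^((p-1)/q) does not have order q")
    return beta


def schnorr_keygen(a, beta, p):
    """Step 2(b): public key v = beta^(-a) mod p."""
    return pow(beta, -a, p)


def schnorr_commit(r, beta, p):
    """Step 4(a): witness x = beta^r mod p.  This does not depend on the challenge,
    so the claimant can compute it off-line before the protocol starts."""
    return pow(beta, r, p)


def schnorr_respond(a, r, e, q, t):
    """Step 4(c): check 1 <= e <= 2^t, then y = a*e + r mod q (the only on-line multiply)."""
    if not 1 <= e <= (1 << t):
        raise ValueError("challenge out of range")
    return (a * e + r) % q


def schnorr_verify(x, e, y, v, beta, p):
    """Step 4(d): z = beta^y * v^e mod p; accept iff z == x
    (beta^(ae + r) * beta^(-ae) = beta^r)."""
    return (pow(beta, y, p) * pow(v, e, p)) % p == x


def hash_challenge(x, msg, t):
    """Note 10.30: replace B's random challenge by e = h(x || m).  The choice of h
    (SHA-256, reduced into the protocol's range 1..2^t) is an assumption here."""
    x_bytes = x.to_bytes((x.bit_length() + 7) // 8, "big")
    digest = hashlib.sha256(x_bytes + msg).digest()
    return (int.from_bytes(digest, "big") % (1 << t)) + 1


def sign(msg, a, beta, p, q, t, rng=secrets.randbelow):
    """Signature on msg = (x, y): the witness and the response to the hashed challenge."""
    r = rng(q - 1) + 1                          # 1 <= r <= q - 1, fresh per signature
    x = schnorr_commit(r, beta, p)
    e = hash_challenge(x, msg, t)
    return x, schnorr_respond(a, r, e, q, t)


def sig_verify(msg, sig, v, beta, p, t):
    """Recompute e from (x, msg) and apply the identification check to (x, e, y)."""
    x, y = sig
    return schnorr_verify(x, hash_challenge(x, msg, t), y, v, beta, p)


# Example 10.37 parameters from the text.
P, Q, ALPHA, T = 48731, 443, 6, 8


def example_10_37():
    """Reproduce Example 10.37; returns (beta, v, x, y, accepted)."""
    beta = schnorr_params(P, Q, ALPHA, T)
    a = 357
    v = schnorr_keygen(a, beta, P)
    r, e = 274, 129
    x = schnorr_commit(r, beta, P)
    y = schnorr_respond(a, r, e, Q, T)
    return beta, v, x, y, schnorr_verify(x, e, y, v, beta, P)
```

With q = 443 the hashed challenge carries only 8 bits, which is exactly why Note 10.30 requires a larger challenge (and hence a larger q) once the scheme is used non-interactively.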
10.38 Note (security of Schnorr identification protocol)

(i) probability of forgery. In Protocol 10.36, t must be sufficiently large to make the probability $2^{-t}$ of correctly guessing the challenge e negligible. t = 40, $q > 2^{2t} = 2^{80}$ was originally suggested in the case that a response is required within seconds (see §10.5); larger q may be necessary to preclude time-memory trade-offs, and $q \ge 2^{160}$ is recommended to preclude other off-line discrete log attacks. Correctly guessing e allows an adversary to impersonate A by choosing any y, sending $x = \beta^y v^e \bmod p$ to B in (1), then sending y in (3).

(ii) soundness. It can be shown that the protocol is a proof of knowledge of a, i.e., any party completing the protocol as A must be capable of computing a. Informally, the protocol reveals “no useful information” about a because x is a random number, and y is perturbed by the random number r. (However, this does not prove that adversarial discovery of a is difficult.)

(iii) zero-knowledge property. The protocol is not zero-knowledge for large e, because through interaction, B obtains the solution (x, y, e) to the equation $x = \beta^y v^e \bmod p$, which B itself might not be able to compute (e.g., if e were chosen to depend on x).

10.39  Note  ( reducing  transmission  bandwidth)  The  number  of  bits  transmitted  in  the  protocol 
can  be  reduced  by  replacing  x in  message  (1)  by  t pre-specified  bits  of  x (e.g.,  the  least 
significant  t bits),  and  having  B compare  this  to  t corresponding  bits  of  z. 


10.4.5  Comparison:  Fiat-Shamir,  GQ,  and  Schnorr 

The  protocols  of  Feige-Fiat-Shamir,  Guillou-Quisquater,  and  Schnorr  all  provide  solutions 
to  the  identification  problem.  Each  has  relative  advantages  and  disadvantages  with  respect 
to  various  performance  criteria  and  for  specific  applications.  To  compare  the  protocols,  a 
typical  set  of  selected  parameters  must  be  chosen  for  each  providing  comparable  estimated 
security  levels.  The  protocols  may  then  be  compared  based  on  the  following  criteria: 

1.  communications : number  of  messages  exchanged,  and  total  bits  transferred; 

2.  computations : number  of  modular  multiplications  for  each  of  prover  and  verifier 
(noting  on-line  and  off-line  computations); 

3. memory: storage requirements for secret keys (and signature size, in the case of signature schemes);

4. security guarantees: comparisons should consider security against forgery by guessing (soundness), possible disclosure of secret information (zero-knowledge property), and status regarding provable security; and

5. trust required in third party: variations of the protocols may require different trust assumptions in the trusted party involved.

The  number  of  criteria  and  potential  parameter  choices  precludes  a comparison  which 
is  both  definitive  and  concise.  The  following  general  comments  may,  however,  be  made. 

1. computational efficiency. Fiat-Shamir requires between one and two orders of magnitude fewer full modular multiplications (steps) by the prover than an RSA private-key operation (cf. §10.3.3). When kt = 20 and n is 512 bits, Fiat-Shamir uses from about 11 to about 30 steps (k = 20, t = 1; and k = 1, t = 20); GQ requires about 60 steps (for t = 1, $m = 20 = \log_2(v)$), or somewhat fewer if v has low Hamming weight; and full exponentiation in unoptimized RSA takes 768 steps.
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2.  off-line  computations.  Schnorr  identification  has  the  advantage  of  requiring  only  a 
single  on-line  modular  multiplication  by  the  claimant,  provided  exponentiation  may 
be  done  as  a precomputation.  (Such  a trade-off  of  on-line  for  off-line  computation  is 
possible  in  some  applications;  in  others,  the  total  computation  must  be  considered.  ) 
However,  significant  computation  is  required  by  the  verifier  compared  to  Fiat-Shamir 
and  GQ. 

3.  bandwidth  and  memory  for  secrets.  GQ  allows  the  simultaneous  reduction  of  both 
memory  (parameter  k)  and  transmission  bandwidth  (parameter  t)  with  k = t = 1, 
by  introducing  the  public  exponent  v > 2 with  the  intention  that  the  probability  of 
successful  cheating  becomes  v~kt ; this  simultaneous  reduction  is  not  possible  in  Fiat- 
Shamir,  which  requires  k user  secrets  and  / iterations  for  an  estimated  security  (prob- 
ability of  cheating)  of  2 kt.  Regarding  other  tradeoffs,  see  Note  10.28. 

4.  security  assumptions.  The  protocols  require  the  assumptions  that  the  following  un- 
derlying problems  are  intractable,  for  a composite  (RSA)  integer  n:  Fiat-Shamir  - 
extracting  square  roots  mod  n;  GQ  - extracting  vth  roots  mod  n (i.e.,  the  RSA  prob- 
lem); Schnorr  identification  - computing  discrete  logs  modulo  a prime  p. 
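As an added example (not from the Handbook), the step counts quoted in items 1 to 3 above can be reproduced with the following cost model; the model (an exponentiation with an m-bit exponent costs m squarings plus about m/2 multiplications under unoptimized square-and-multiply) and the 160-bit Schnorr q are assumptions of this example.

```python
from fractions import Fraction


def exp_steps(exp_bits: int) -> int:
    """Cost of one modular exponentiation with an exp_bits-bit exponent under
    unoptimized square-and-multiply: exp_bits squarings plus, on average,
    exp_bits/2 multiplications (about half the exponent bits are 1).
    This is the model under which a 512-bit RSA private operation is 768 steps."""
    return exp_bits + exp_bits // 2


def fiat_shamir_prover_steps(k: int, t: int) -> float:
    """Feige-Fiat-Shamir prover (Protocol 10.26) with k secrets and t rounds.
    Per round: x = r^2 mod n (1 step) and y = r * prod{s_j : e_j = 1} mod n,
    which costs k/2 steps on average since each challenge bit e_j is 1 with
    probability 1/2.  Expected total: t * (1 + k/2)."""
    return t * (1 + k / 2)


def gq_prover_steps(m: int, t: int = 1) -> int:
    """GQ prover (Protocol 10.31), k = 1, with an m-bit public exponent v and
    an m-bit challenge e.  Per round: x = r^v mod n, then y = r * s_A^e mod n
    (a second exponentiation plus one extra multiplication by r)."""
    return t * (exp_steps(m) + exp_steps(m) + 1)


def schnorr_prover_steps(q_bits: int) -> tuple:
    """Schnorr prover (Protocol 10.36): x = alpha^r mod p, with r of q_bits
    bits, may be precomputed off-line; the only on-line step is
    y = ae + r mod q, a single modular multiplication.  Returns (off, on)."""
    return exp_steps(q_bits), 1


def rsa_private_steps(n_bits: int) -> int:
    """Full RSA private-key exponentiation with an n_bits-bit exponent."""
    return exp_steps(n_bits)


def cheating_probability(k: int, t: int, v: int = 2) -> Fraction:
    """Probability that a prover holding no secret passes all t rounds by
    guessing: 2^{-kt} for Fiat-Shamir (v = 2) and v^{-kt} for GQ with
    public exponent v, as stated in item 3 of 10.4.5."""
    return Fraction(1, v ** (k * t))


def comparison_table() -> list:
    """The parameter choices of item 1 (kt = 20, 512-bit n) plus a GQ choice
    with a 20-bit v and k = t = 1, each with its guessing probability."""
    return [
        ("Fiat-Shamir k=20,t=1", fiat_shamir_prover_steps(20, 1),
         cheating_probability(20, 1)),
        ("Fiat-Shamir k=1,t=20", fiat_shamir_prover_steps(1, 20),
         cheating_probability(1, 20)),
        ("GQ k=t=1, 20-bit v", gq_prover_steps(20),
         cheating_probability(1, 1, 2 ** 20)),
        ("RSA private op, 512-bit n", rsa_private_steps(512), None),
    ]


if __name__ == "__main__":
    for name, steps, p in comparison_table():
        tail = "" if p is None else f"  P[cheat] = 2^-{p.denominator.bit_length() - 1}"
        print(f"{name:28s} {steps:6.0f} steps{tail}")
    off, on = schnorr_prover_steps(160)   # 160-bit q: assumption of this example
    print(f"Schnorr prover: {off} steps off-line, {on} on-line")
```

The three FS/GQ rows all give a guessing probability of 2^-20, which is what makes their step counts comparable.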


10.5 Attacks on identification protocols

The methods an adversary may employ in an attempt to defeat identification protocols are a subset of those discussed in Chapter 12 for authenticated key establishment, and the types of adversaries may be similarly classified (e.g., passive vs. active, insider vs. outsider); for a discussion of attacks on simple password schemes, see §10.2.2. Identification is, however, less complex than authenticated key establishment, as there is no issue of an adversary learning a previous session key, or forcing an old key to be reused. For conciseness, the following definitions are made:

1. impersonation: a deception whereby one entity purports to be another.

2. replay attack: an impersonation or other deception involving use of information from a single previous protocol execution, on the same or a different verifier. For stored files, the analogue of a replay attack is a restore attack, whereby a file is replaced by an earlier version.

3. interleaving attack: an impersonation or other deception involving selective combination of information from one or more previous or simultaneously ongoing protocol executions (parallel sessions), including possible origination of one or more protocol executions by an adversary itself.

4. reflection attack: an interleaving attack involving sending information from an ongoing protocol execution back to the originator of such information.

5. forced delay: a forced delay occurs when an adversary intercepts a message (typically containing a sequence number), and relays it at some later point in time. Note the delayed message is not a replay.

6. chosen-text attack: an attack on a challenge-response protocol wherein an adversary strategically chooses challenges in an attempt to extract information about the claimant's long-term key.

Chosen-text attacks are sometimes referred to as using the claimant as an oracle, i.e., to obtain information not computable from knowledge of a claimant's public key alone. The attack may involve chosen-plaintext if the claimant is required to sign, encrypt, or MAC the challenge, or chosen-ciphertext if the requirement is to decrypt a challenge.

Potential threats to identification protocols include impersonation by any of the following attacks: replay, interleaving, reflection, or forced delay. Impersonation is also trivial if an adversary is able to discover an entity's long-term (secret or private) keying material, for example, using a chosen-text attack. This may be possible in protocols which are not zero-knowledge, because the claimant uses its private key to compute its response, and thus a response may reveal partial information. In the case of an active adversary, attacks may involve the adversary itself initiating one or more new protocol runs, and creating, injecting, or otherwise altering new or previous messages. Table 10.3 summarizes counter-measures for these attacks.


Type of attack   Principles to avoid attack
replay           use of challenge-response techniques; use of nonces; embed target
                 identity in response
interleaving     linking together all messages from a protocol run (e.g., using
                 chained nonces)
reflection       embed identifier of target party in challenge responses; construct
                 protocols with each message of different form (avoid message
                 symmetries); use of uni-directional keys
chosen-text      use of zero-knowledge techniques; embed in each challenge response
                 a self-chosen random number (confounder)
forced delay     combined use of random numbers with short response time-outs;
                 timestamps plus appropriate additional techniques

Table 10.3: Identification protocol attacks and counter-measures.
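As an added example (not from the Handbook), the following keyed one-way-function challenge-response verifier applies the Table 10.3 principles for replay, reflection, chosen-text and forced delay, and shows the weak variant that omits the target identity beside the corrected one; the message format h_K(r_A || r_B || B), HMAC-SHA-256 as the keyed function, the 5-second time-out and all names are assumptions of this example.

```python
import hashlib
import hmac
import os


def keyed_response(key: bytes, r_a: bytes, r_b: bytes, target: str,
                   embed_target: bool) -> bytes:
    """h_K(r_A || r_B || B): r_A is the claimant's self-chosen random number
    (the confounder of Table 10.3, against chosen-text), r_B the verifier's
    nonce (against replay), B the intended verifier's identity (against
    reflection).  embed_target=False is the weak, symmetric variant."""
    msg = r_a + r_b + (target.encode() if embed_target else b"")
    return hmac.new(key, msg, hashlib.sha256).digest()


class Party:
    """Entity sharing long-term keys with peers; verifier or claimant per run."""

    def __init__(self, ident, keys, clock, timeout=5.0, embed_target=True):
        self.ident = ident
        self.keys = keys              # peer identity -> shared key (constructed)
        self.clock = clock            # callable returning seconds (injected)
        self.timeout = timeout        # short response time-out (forced delay)
        self.embed_target = embed_target
        self.pending = {}             # claimant -> (nonce issued, time issued)

    def challenge(self, claimant: str) -> bytes:
        """Verifier: issue a fresh random nonce r_B to the claimant."""
        r_b = os.urandom(16)
        self.pending[claimant] = (r_b, self.clock())
        return r_b

    def verify(self, claimant: str, r_a: bytes, tag: bytes) -> bool:
        """Verifier: accept only a timely answer to the outstanding nonce,
        keyed with the claimant's key and bound to this party's identity."""
        if claimant not in self.pending:
            return False
        r_b, issued = self.pending.pop(claimant)   # each nonce answers once
        if self.clock() - issued > self.timeout:
            return False                           # held back too long
        expected = keyed_response(self.keys[claimant], r_a, r_b,
                                  self.ident, self.embed_target)
        return hmac.compare_digest(expected, tag)

    def respond(self, verifier: str, r_b: bytes) -> tuple:
        """Claimant: answer r_b for the peer it believes is verifying it."""
        r_a = os.urandom(16)
        return r_a, keyed_response(self.keys[verifier], r_a, r_b,
                                   verifier, self.embed_target)


class FakeClock:
    """Settable clock so the forced-delay case is reproducible."""
    now = 0.0

    def __call__(self) -> float:
        return self.now


def make_pair(embed_target=True):
    clock = FakeClock()
    k_ab = hashlib.sha256(b"constructed demo key for A and B").digest()
    a = Party("A", {"B": k_ab}, clock, embed_target=embed_target)
    b = Party("B", {"A": k_ab}, clock, embed_target=embed_target)
    return a, b, clock


def legitimate_run() -> bool:
    a, b, _ = make_pair()
    r_b = b.challenge("A")
    return b.verify("A", *a.respond("B", r_b))


def replay_is_rejected() -> bool:
    """A response recorded in one run is presented again in a later run."""
    a, b, _ = make_pair()
    recorded = a.respond("B", b.challenge("A"))
    if not b.verify("A", *recorded):
        return False
    b.challenge("A")                  # later run: fresh nonce
    return not b.verify("A", *recorded)


def reflection_is_rejected(embed_target: bool) -> bool:
    """B's challenge meant for A is sent back to B as if A were challenging
    B, and B's own answer is returned to B.  With the target identity
    embedded the answer is bound to 'A', so B rejects it; without it, B
    accepts its own answer."""
    _, b, _ = make_pair(embed_target)
    r_b = b.challenge("A")
    return not b.verify("A", *b.respond("A", r_b))


def forced_delay_is_rejected() -> bool:
    a, b, clock = make_pair()
    r_a, tag = a.respond("B", b.challenge("A"))
    clock.now += 30.0                 # message intercepted, relayed later
    return not b.verify("A", r_a, tag)
```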


10.40 Remark (use of keys for multiple purposes) Caution is advised if any cryptographic key is used for more than one purpose. For example, using an RSA key for both entity authentication and signatures may compromise security by allowing a chosen-text attack. Suppose authentication here consists of B challenging A with a random number r_B RSA-encrypted under A's public key, and A is required to respond with the decrypted random number. If B challenges A with r_B = h(x), A's response to this authentication request may (unwittingly) provide to B its RSA signature on the hash value of the (unknown to A) message x. See also Example 9.88, where a DES key used for both CBC encryption and CBC-MAC leads to a security flaw; and Remark 13.32.

10.41 Remark (adversary acting "as a wire") In any identification protocol between A and B, an adversary C may step into the communications path and simply relay (without changing) the messages between legitimate parties A and B, itself acting as a part of the communications link. Typically in practice, this is not considered a true "attack", in the sense that it does not alter the aliveness assurance delivered by the protocol; however, in some special applications, this may be a concern (see Remark 10.42).

10.42 Remark (grandmaster postal-chess problem) Identification protocols do not provide assurances about the physical location of the authenticated party. Therefore, Remark 10.41 notwithstanding, a concern may arise in the special case that the following is possible: an adversary C attempts to impersonate B, is challenged (to prove it is B) by A, and is able to relay (in real time, without detection or noticeable delay, and pretending to be A) the challenge on to the real B, get a proper response from B, and pass this response along back to A. In this case, additional measures are necessary to prevent a challenged entity from eliciting aid in computing responses. This is related to the so-called grandmaster postal-chess problem, whereby an amateur's chess rating may unfairly be improved by engaging in two simultaneous chess games with distinct grandmasters, playing black in one game and white in the second, and using the grandmaster's moves from each game in the other. Either two draws, or a win and a loss, are guaranteed, both of which will improve the amateur's rating.

For further discussion of protocol attacks including specific examples of flawed entity authentication protocols, see §12.9.

(i) Maintaining authenticity

Identification protocols provide assurances corroborating the identity of an entity only at a given instant in time. If the continuity of such an assurance is required, additional techniques are necessary to counteract active adversaries. For example, if identification is carried out at the beginning of a communications session to grant communications permissions, a potential threat is an adversary who "cuts in" on the communications line immediately after the successful identification of the legitimate party. Approaches to prevent this include:

1. performing re-authentication periodically, or for each discrete resource requested (e.g., each file access). A remaining threat here is an adversary who "steps out" every time re-authentication is performed, allowing the legitimate party to perform this task, before re-entering.

2. tying the identification process to an ongoing integrity service. In this case, the identification process should be integrated with a key establishment mechanism, such that a by-product of successful identification is a session key appropriate for use in a subsequent ongoing integrity mechanism.

(ii) Security level required for on-line vs. off-line attacks

The security level required for identification protocols depends on the environment and the specific application at hand. The probability of success of "guessing attacks" should be considered, and distinguished from the amount of computation required to mount on-line or off-line attacks (using the best techniques known). Some illustrative notes follow (see also Note 10.28).

1. Local attacks. Selecting security parameters which limit the probability of successful impersonation of a guessing attack (an adversary simply guesses a legitimate party's secret) to a 1 in 2^20 chance (20 bits of security) may suffice if, for each attempted impersonation, a local appearance is required by the would-be impersonator and there is a penalty for failed attempts. Depending on the potential loss resulting relative to the penalty, 10 to 30 bits or more of security may be required.

2. Remote attacks. A higher level of security is required in environments where unlimited identification attempts, each involving minimal computational effort, are possible by remote electronic communications, by an anonymous claimant interacting with an on-line system, with no penalties for failed attempts. 20 to 40 bits of security or more may be called for here, unless the number of interactions may be somehow limited.

3. Off-line or non-interactive attacks. Selecting security parameters such that an attack requires 2^40 computations in real-time (during a protocol execution) may be acceptable, but a bound of 2^60 to 2^80 computations (the latter should be adequate in all cases) may be called for if the computations can be carried out off-line, and the attack is verifiable (i.e., the adversary can confirm, before interacting with the on-line system, that his probability of successful impersonation is near 1; or can recover a long-term secret by off-line computations subsequent to an interaction).

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.
420  Ch. 10 Identification and Entity Authentication


10.6 Notes and further references

§10.1

Davies and Price [308] and Ford [414] provide extensive discussion of authentication and identification; see also the former for biometric techniques, as well as Everett [380]. The comprehensive survey on login protocols by de Waleffe and Quisquater [319] is highly recommended. Crépeau and Goutier provide a lucid concise summary of user identification techniques with Brassard [192]. For standardized entity authentication mechanisms, see ISO/IEC 9798 [598, 599, 600, 601, 602].

§10.2 

See the §9.2 notes on page 377 for historical discussion of using a one-way function (one-way cipher) for "encrypted" password files. Morris and Thompson [907] introduce the notion of password salting in their 1979 report on UNIX passwords; in one study of 3289 user passwords unconstrained by password rules, 86% fell within an easily-searched subset of passwords. Feldmeier and Karn [391] give an update 10 years later, indicating 30% of passwords they encountered fell to their attack using a precomputed encrypted dictionary, sorted on tapes by salt values. See also Klein [680] and Lomas et al. [771]. Password salting is related to randomized encryption; the idea of padding plaintext with random bits before encryption may also be used to prevent forward search attacks on public-key encryption with small plaintext spaces. Password rules and procedures have been published by the U.S. Departments of Commerce [399] and Defense [334].

Methods for computing password-derived keys (§10.2.4) are specified in the Kerberos Authentication Service [1041] and PKCS #5 [1072]. A concern related to password-derived keys is that known plaintext allows password-guessing attacks; protocols specifically designed to prevent such attacks are mentioned in Chapter 12 notes on §12.6. The idea of chaining one-time passwords by a one-way function (Protocol 10.6) is due to Lamport [739]; for related practical applications, see RFC 1938 [1047]. Davies and Price [308, p. 176] note a questionnaire-based identification technique related to fixed challenge-response tables, wherein the user is challenged by a random subset of previously answered questions.

§10.3 

Needham and Schroeder [923] stimulated much early work in the area of authentication protocols in the late 1970s, and Needham was again involved with Burrows and Abadi [227] in the BAN logic work which stimulated considerable interest in protocol analysis beginning in the late 1980s; see Chapter 12 notes for further discussion.

Gong [501] provides an overview of both time variant parameters and message replay; see also Neuman and Stubblebine [925], and the annexes of parts of ISO/IEC 9798 (e.g., [600]). For security arguments against the use of timestamps and a discussion of implementation difficulties, see Bellovin and Merritt [103]; Gaarder and Snekkenes [433]; Diffie, van Oorschot, and Wiener [348]; and Gong [500], who considers postdated timestamps. See also §12.3 notes. Lam and Beth [734] note that timestamp-based protocols are appropriate for connectionless interactions whereas challenge-response suits connection-oriented communications, and suggest challenge-response techniques be used to securely synchronize timeclocks with applications themselves using timestamp-based authentication.

ISO/IEC 9798 [598] parts 2 through 5 specify entity authentication protocols respectively based on symmetric encryption [599], digital signatures [600], keyed one-way functions [601], and zero-knowledge techniques [602]; a subset of these are presented in this chapter. FIPS 196 [407] is a subset of 9798-3 containing the unilateral and mutual authentication protocols involving challenge-response with random numbers.

Several parts of 9798 were influenced by the SKID2 and SKID3 (Secret Key IDentification) protocols from the RACE/RIPE project [178], which leave the keyed hash function unspecified but recommend RIPE-MAC with 64-bit random-number challenges. Diffie [342, 345] notes that two-pass challenge-response identification based on encryption and random challenges has been used since the 1950s in military Identification Friend or Foe (IFF) systems to distinguish friendly from hostile aircraft. Mao and Boyd [781] discuss the danger of improperly using encryption in authentication protocols, specifically the CBC mode without an integrity mechanism (cf. Remark 10.16). Stubblebine and Gligor [1179] discuss attacks involving this same mode; see also the much earlier paper by Akl [20].

Davies and Price [308] give a concise discussion of password generators. The identification technique in §10.3.3(i) based on public-key decryption and witness is derived from a Danish contribution to the 4th Working Draft of ISO/IEC 9798-5, specifying a protocol called COMSET and motivated in part by Brandt et al. [188], and related to ideas noted earlier by Blum et al. [163].

§10.4 

A refreshingly non-mathematical introduction to zero-knowledge proofs is provided by Quisquater, Guillou, and Berson [1020], who document the secret of Ali Baba's legendary cave, and its rediscovery by Mick Ali. Mitropoulos and Meijer [883] give an exceptionally readable and comprehensive survey (circa 1990) of interactive proofs and zero knowledge, with a focus on identification. Other overviews include Johnson [641]; Stinson [1178, Ch.13]; and Brassard, Chaum, and Crépeau [193] (or [192]) for a discussion of minimum disclosure proofs, based on bit commitment and the primitive of a blob. Brassard and Crépeau [195] provide a user-friendly discussion of various definitions of zero-knowledge, while Goldreich and Oren [475] examine properties and relationships between various definitions of ZK proof systems.

Rabin [1022] employed the idea of cut-and-choose protocols for cryptographic applications as early as 1978. While Babai (with Moran) [60, 61] independently developed a theory of randomized interactive proofs known as Arthur-Merlin games in an attempt to "formalize the notion of efficient provability by overwhelming statistical evidence", interactive proof systems and the notion of zero-knowledge (ZK) proofs were formalized in 1985 by Goldwasser, Micali, and Rackoff [481] in the context of an interactive proof of membership of a string x in a language L; they showed that the languages of quadratic-residues and of quadratic non-residues each have ZK interactive proof (ZKIP) systems revealing only a single bit of knowledge, namely, that x ∈ L. Goldreich, Micali, and Wigderson [473, 474] prove likewise for graph non-isomorphism (known not to be in NP) and graph isomorphism, and that assuming the existence of secure encryption schemes, every language in NP has a ZKIP; see also Chaum [244], and Brassard and Crépeau [194].

Motivated by cryptographic applications and identification in particular, Feige, Fiat, and Shamir [383] adapted the concepts of interactive proofs of membership to interactive proofs of knowledge, including reformulated definitions for completeness, soundness, and zero-knowledge; while proofs of membership reveal one bit of set membership information, proofs of knowledge reveal only one bit about the prover's state of knowledge. The definitions given in §10.4.1 are based on these. These authors refine the original scheme of Fiat and Shamir [395] to yield that of Protocol 10.26; both may be converted to identity-based schemes (Note 10.29) in the sense of Shamir [1115]. The Fiat-Shamir scheme is related to (but more efficient than) an earlier protocol for proving quadratic residuosity (presented at Eurocrypt'84, but unpublished) by Fischer, Micali, and Rackoff [412]. The Fiat-Shamir protocol as per Protocol 10.24 includes an improvement noted by Desmedt et al. [340] to avoid inverses in the derivation of user secrets; this optimization may also be made to Protocol 10.26.

Related to definitions in §10.4.1, Bellare and Goldreich [87] noted that Goldwasser, Micali, and Rackoff [481] did not formally propose a definition for a proof of knowledge, and suggested that the formal definitions of Feige, Fiat, and Shamir [383] and Tompa and Woll [1194] were unsatisfactory for some applications. To address these issues they proposed a new definition, having some common aspects with that of Feige and Shamir [384], but offering additional advantages.

Micali and Shamir [868] provide preliminary notes on reducing computation in the Fiat-Shamir protocol by choosing the public keys v_i, 1 ≤ i ≤ k, to be the first k prime numbers; each user then has an independent modulus n. A modification of Fiat-Shamir identification by Ong and Schnorr [957] decreases computational complexity, signature size, and the number of communications required, condensing t Fiat-Shamir iterations into one iteration while leaving each user with k private keys (cf. the k = 1 extension below); for computational efficiency, they suggest using as secret keys (not too) small integers.

The idea of generalizing Fiat-Shamir identification in other ways, including "replacing square roots by cubic or higher roots", was suggested in the original paper; using higher roots allows users to reduce their number of private keys k, including to the limiting case k = 1. Guillou and Quisquater [524] proposed a specific formulation of this idea of "using deep coin tosses" as the GQ scheme (Protocol 10.31); apparently independently, Ohta and Okamoto [945, 944] proposed a similar formulation, including security analysis.

The Ohta-Okamoto (OO) version of this extended Fiat-Shamir scheme differs from the GQ version (Protocol 10.31) as follows: (1) in OO, rather than T computing s_A from identity I_A, A chooses its own secret s_A ∈ Z_n and publishes I_A = s_A^v mod n; and (2) the verification relation x ≡ J_A^e · y^v (mod n) becomes y^v ≡ x · I_A^e (mod n). OO is more general in that, as originally proposed, it avoids the GQ (RSA) constraint that gcd(v, φ(n)) = 1. Subsequent analysis by Burmester and Desmedt [221] suggests that additional care may be required when v is not prime. While the OO version precludes an identity-based variation, a further subsequent version of extended Fiat-Shamir (GQ variation) by Okamoto [949] ("Scheme 3" of 5 protocols therein) is provably as secure as factoring, only slightly less efficient, and is amenable to an identity-based variation.

The zero-knowledge interactive protocols of Chaum et al. [248, 249] for proving possession of discrete logarithms provided a basis for Protocol 10.36, which is due to Schnorr [1097, 1098]. Schnorr also proposed a preprocessing scheme to reduce real-time computation, but see de Rooij [314] regarding its security. The Schnorr identification and signature schemes must not both be used with the same parameters β, p [1098] (cf. Remark 10.40). Schnorr's protocol is related to the log-based identification scheme of Beth [123], also proven to be zero-knowledge. Burmester et al. [223] analyze (cf. Note 10.33) a generalized identification protocol encompassing all the well-known variations related to Fiat-Shamir and including those of both Chaum et al. and Beth noted above. Van de Graaf and Peralta [1200] give a ZK interactive protocol for proving that a Blum integer is a Blum integer.

Brickell and McCurley [207] propose a modification of Schnorr's identification scheme, in which q is kept secret and exponent computations are reduced modulo p − 1 rather than q; it has provable security if factoring p − 1 is difficult, and moreover security equivalent to that of Schnorr's scheme otherwise; a drawback is that almost 4 times as much computation is required by the claimant. Another variant of Schnorr's scheme by Girault [458, 461] was the first identity-based identification scheme based on discrete logs; it uses a composite modulus, and features the user choosing its own secret key, which remains unknown to the trusted party (cf. implicitly-certified public keys, §12.6.2). A further variation of Schnorr's identification protocol by Okamoto [949] ("Scheme 1") uses two elements β_1 and β_2 of order q, and is provably secure, assuming the computational infeasibility of computing the Z_p discrete logarithm log_{β_1} β_2 of β_2 relative to β_1; it does, however, involve some additional computation.

Aside from the above protocols based on the computational intractability of the standard number-theoretic problems (factoring and discrete logarithms), a number of very efficient identification protocols have more recently been proposed based on NP-hard problems. Shamir [1116] proposed a zero-knowledge identification protocol based on the NP-hard permuted kernel problem: given an m × n matrix A over Z_p, p prime (and relatively small, e.g., p = 251), and an n-vector V, find a permutation π on {1, ..., n} such that V_π ∈ ker(A), where ker(A) is the kernel of A consisting of all n-vectors W such that AW = [0 ... 0] mod p. Patarin and Chauvaud [966] discuss attacks on the permuted kernel problem which are feasible for the smallest of parameter choices originally suggested, while earlier less efficient attacks are presented by Baritaud et al. [73] and Georgiades [447]. Stern [1176] proposed a practical zero-knowledge identification scheme based on the NP-hard syndrome decoding problem, following an earlier less practical scheme of Stern [1174] based on intractable problems in coding theory. Stern [1175] proposed another practical identification scheme based on an NP-hard combinatorial constrained linear equations problem, offering a very short key length, which is of particular interest in specific applications. Pointcheval [983] proposed another such scheme based on the NP-hard perceptrons problem: given an m × n matrix M with entries ±1, find an n-vector y with entries ±1 such that My ≥ 0.

Goldreich and Krawczyk [469] pursue the fact that the original definition of ZK of Goldwasser, Micali, and Rackoff is not closed under sequential composition (this was noted earlier by D. Simon), establishing the importance of the stronger definitions of ZK formulated subsequently (e.g., auxiliary-input zero-knowledge; see Goldreich and Oren [475]), for which closure under sequential composition has been proven. They prove that even these strong formulations of ZK are not, however, closed under parallel composition (thus motivating the definition of weaker notions of zero-knowledge), and that 3-pass interactive ZK proofs of membership that are black-box simulation ZK exist only for languages in BPP (Definition 2.77); while the definition of "black-box simulation ZK" is more restrictive than the original definition of ZK, all known ZK protocols are ZK by this definition also. Consequently, protocols that are (formally) ZK are less practical than their corresponding 3-pass parallel versions.

As a replacement for the security requirement of zero knowledge in many protocols, Feige and Shamir [384] proposed witness indistinguishability and the related notion of witness hiding protocols. Unlike zero knowledge, witness indistinguishability is preserved under arbitrary composition of protocols.
Methods have been proposed to reduce the communication complexity of essentially all customized identification protocols, including the use of hash values in the first message (cf. Note 10.29; Note 10.39). Girault and Stern [462] examine the security implications of the length of such hash values, note that collision-resistance of the hash function suffices for the typically claimed security levels, and examine further optimizations of the communication complexity of such protocols, including use of r-collision resistant hash functions.

Blum, Feldman, and Micali [163] introduced the idea of non-interactive (or more clearly: mono-directional) ZK proofs, separating the notions of interactive proof systems and zero-knowledge protocols; here the prover and verifier share a random string, and communication is restricted to one-way (or the prover may simply publish a proof, for verification at some future time). De Santis, Micali, and Persiano [317] improve these results employing a weaker complexity assumption; Blum et al. [162] provide a summary and further improvements. While the technique of Remark 10.30, due to Fiat and Shamir [395], allows a zero-knowledge identification scheme to be converted to a signature scheme, the latter cannot be a sound zero-knowledge signature scheme because the very simulatability of the identification which establishes the ZK property would allow signature forgery (e.g., see Okamoto [949]).

A further  flavor  of  zero-knowledge  (cf.  Definition  10.22)  is  statistical  (or  almost  perfect) 
zero-knowledge;  here  the  probability  distributions  of  the  transcripts  must  be  statistically 
indistinguishable  (indistinguishable  by  an  examiner  with  unlimited  computing  power  but 
given  only  polynomially  many  samples).  Pursuing  other  characterizations,  interactive  pro- 
tocols in  which  the  assurance  a verifier  obtains  is  based  on  some  unproven  assumption  may 
be distinguished as arguments (see Brassard and Crépeau [195]), with proofs then required
to  be  free  of  any  unproven  assumptions,  although  possibly  probabilistic. 

For  performance  comparisons  and  tradeoffs  for  the  Fiat-Shamir,  Guillou-Quisquater,  and 
Schnorr  schemes,  see  Fiat  and  Shamir  [395],  Schnorr  [1098],  Okamoto  [949],  and  Lim  and 
Lee  [768],  among  others.  For  an  overview  of  chipcard  technology  and  the  use  thereof  for 
identification,  see  Guillou,  Ugon,  and  Quisquater  [527];  an  earlier  paper  on  chipcards  is  by 
Guillou  and  Ugon  [526].  Knobloch  [681]  describes  a preliminary  chipcard  implementation 
of  the  Fiat-Shamir  protocol. 

Bauspiess  and  Knobloch  [78]  discuss  issues  related  to  Remark  10.41,  including  taking  over 
a communications  line  after  entity  authentication  has  completed.  Bengio  et  al.  [113]  discuss 
implementation  issues  related  to  identification  schemes  such  as  the  Fiat-Shamir  protocol, 
including  Remark  10.42.  Classes  of  replay  attacks  are  discussed  in  several  papers,  e.g., 
see  Syverson  [1182]  and  the  ISO/IEC  10181-2  authentication  framework  [610].  For  further 
references on the analysis of entity authentication protocols and attacks, see the §12.9 notes.
11.1 Introduction

This  chapter  considers  techniques  designed  to  provide  the  digital  counterpart  to  a handwrit- 
ten signature.  A digital  signature  of  a message  is  a number  dependent  on  some  secret  known 
only  to  the  signer,  and,  additionally,  on  the  content  of  the  message  being  signed.  Signatures 
must  be  verifiable;  if  a dispute  arises  as  to  whether  a party  signed  a document  (caused  by  ei- 
ther a lying  signer  trying  to  repudiate  a signature  it  did  create,  or  a fraudulent  claimant),  an 
unbiased  third  party  should  be  able  to  resolve  the  matter  equitably,  without  requiring  access 
to  the  signer’s  secret  information  (private  key). 

Digital  signatures  have  many  applications  in  information  security,  including  authenti- 
cation, data  integrity,  and  non-repudiation.  One  of  the  most  significant  applications  of  dig- 
ital signatures  is  the  certification  of  public  keys  in  large  networks.  Certification  is  a means 
for  a trusted  third  party  (TTP)  to  bind  the  identity  of  a user  to  a public  key,  so  that  at  some 
later  time,  other  entities  can  authenticate  a public  key  without  assistance  from  a trusted  third 
party. 

The  concept  and  utility  of  a digital  signature  was  recognized  several  years  before  any 
practical  realization  was  available.  The  first  method  discovered  was  the  RSA  signature  sch- 
eme, which  remains  today  one  of  the  most  practical  and  versatile  techniques  available.  Sub- 
sequent research  has  resulted  in  many  alternative  digital  signature  techniques.  Some  offer 
significant  advantages  in  terms  of  functionality  and  implementation.  This  chapter  is  an  ac- 
count of  many  of  the  results  obtained  to  date,  with  emphasis  placed  on  those  developments 
which  are  practical. 
Chapter outline

§11.2  provides  terminology  used  throughout  the  chapter,  and  describes  a framework  for  dig- 
ital signatures  that  permits  a useful  classification  of  the  various  schemes.  It  is  more  abstract 
than succeeding sections. §11.3 provides an in-depth discussion of the RSA signature sch-
eme, as well as closely related techniques. Standards which have been adopted to imple-
ment RSA and related signature schemes are also considered here. §11.4 looks at meth-
ods which  arise  from  identification  protocols  described  in  Chapter  10.  Techniques  based 
on  the  intractability  of  the  discrete  logarithm  problem,  such  as  the  Digital  Signature  Algo- 
rithm (DSA)  and  ElGamal  schemes,  are  the  topic  of  §11.5.  One-time  signature  schemes, 
many of which arise from symmetric-key cryptography, are considered in §11.6. §11.7 de-
scribes arbitrated  digital  signatures  and  the  ESIGN  signature  scheme.  Variations  on  the  ba- 
sic concept  of  digital  signatures,  including  blind,  undeniable,  and  fail-stop  signatures,  are 
discussed  in  §11.8.  Further  notes,  including  subtle  points  on  schemes  documented  in  the 
chapter  and  variants  (e.g.,  designated  confirmer  signatures,  convertible  undeniable  signa- 
tures, group  signatures,  and  electronic  cash)  may  be  found  in  §11.9. 


11.2 A framework for digital signature mechanisms

§1.6  provides  a brief  introduction  to  the  basic  ideas  behind  digital  signatures,  and  §1.8.3 
shows  how  these  signatures  can  be  realized  through  reversible  public-key  encryption  tech- 
niques. This  section  describes  two  general  models  for  digital  signature  schemes.  A com- 
plete understanding  of  the  material  in  this  section  is  not  necessary  in  order  to  follow  sub- 
sequent sections;  the  reader  unfamiliar  with  some  of  the  more  concrete  methods  such  as 
RSA  (§11.3)  and  ElGamal  (§11.5)  is  well  advised  not  to  spend  an  undue  amount  of  time. 
The  idea  of  a redundancy  function  is  necessary  in  order  to  understand  the  algorithms  which 
give  digital  signatures  with  message  recovery.  The  notation  provided  in  Table  11.1  will  be 
used  throughout  the  chapter. 


11.2.1 Basic definitions

1.  A digital  signature  is  a data  string  which  associates  a message  (in  digital  form)  with 
some  originating  entity. 

2.  A digital  signature  generation  algorithm  (or  signature  generation  algorithm ) is  a 
method  for  producing  a digital  signature. 

3.  A digital  signature  verification  algorithm  (or  verification  algorithm)  is  a method  for 
verifying  that  a digital  signature  is  authentic  (i.e.,  was  indeed  created  by  the  specified 
entity). 

4.  A digital  signature  scheme  (or  mechanism)  consists  of  a signature  generation  algo- 
rithm and  an  associated  verification  algorithm. 

5.  A digital  signature  signing  process  (or  procedure)  consists  of  a (mathematical)  digi- 
tal signature  generation  algorithm,  along  with  a method  for  formatting  data  into  mes- 
sages which  can  be  signed. 

6.  A digital  signature  verification  process  (or  procedure)  consists  of  a verification  algo- 
rithm, along with a method for recovering data from the message.¹

¹ Often little distinction is made between the terms scheme and process, and they are used interchangeably.
This chapter is, for the most part, concerned simply with digital signature schemes. In
order  to  use  a digital  signature  scheme  in  practice,  it  is  necessary  to  have  a digital  signature 
process.  Several  processes  related  to  various  schemes  have  emerged  as  commercially  rele- 
vant standards;  two  such  processes,  namely  ISO/IEC  9796  and  PKCS  #1,  are  described  in 
§11.3.5  and  §11.3.6,  respectively.  Notation  used  in  the  remainder  of  this  chapter  is  provided 
in  Table  11.1.  The  sets  and  functions  listed  in  Table  11.1  are  all  publicly  known. 


Notation   Meaning

M          a set of elements called the message space.
M_S        a set of elements called the signing space.
S          a set of elements called the signature space.
R          a 1-1 mapping from M to M_S called the redundancy function.
M_R        the image of R (i.e., M_R = Im(R)).
R^{-1}     the inverse of R (i.e., R^{-1} : M_R → M).
ℛ          a set of elements called the indexing set for signing.
h          a one-way function with domain M.
M_h        the image of h (i.e., h : M → M_h); M_h ⊆ M_S, called the hash value space.

Table 11.1: Notation for digital signature mechanisms.


11.1  Note  (comments  on  Table  11.1) 

(i) (messages) M is the set of elements to which a signer can affix a digital signature.

(ii) (signing space) M_S is the set of elements to which the signature transformations (to
be described in §11.2.2 and §11.2.3) are applied. The signature transformations are
not applied directly to the set M.

(iii) (signature space) S is the set of elements associated to messages in M. These ele-
ments are used to bind the signer to the message.

(iv) (indexing set) ℛ is used to identify specific signing transformations.

A classification  of  digital  signature  schemes 

§11.2.2 and §11.2.3 describe two general classes of digital signature schemes, which can be
briefly summarized as follows:

1. Digital signature schemes with appendix require the original message as input to the
verification  algorithm.  (See  Definition  11.3.) 

2.  Digital  signature  schemes  with  message  recovery  do  not  require  the  original  message 
as  input  to  the  verification  algorithm.  In  this  case,  the  original  message  is  recovered 
from  the  signature  itself.  (See  Definition  11.7.) 

These classes can be further subdivided according to whether or not |ℛ| = 1, as noted in
Definition 11.2.

11.2 Definition A digital signature scheme (with either message recovery or appendix) is said
to be a randomized digital signature scheme if |ℛ| > 1; otherwise, the digital signature
scheme is said to be deterministic.

Figure  11.1  illustrates  this  classification.  Deterministic  digital  signature  mechanisms  can 
be  further  subdivided  into  one-time  signature  schemes  (§11.6)  and  multiple-use  schemes. 
Figure 11.1: A taxonomy of digital signature schemes.


11.2.2  Digital  signature  schemes  with  appendix 

Digital  signature  schemes  with  appendix,  as  discussed  in  this  section,  are  the  most  com- 
monly used  in  practice.  They  rely  on  cryptographic  hash  functions  rather  than  customized 
redundancy  functions,  and  are  less  prone  to  existential  forgery  attacks  (§11.2.4). 

11.3 Definition Digital signature schemes which require the message as input to the verifica-
tion algorithm  are  called  digital  signature  schemes  with  appendix. 

Examples  of  mechanisms  providing  digital  signatures  with  appendix  are  the  DSA 
(§11.5.1),  ElGamal  (§11.5.2),  and  Schnorr  (§11.5.3)  signature  schemes.  Notation  for  the 
following  discussion  is  given  in  Table  11.1. 


11.4 Algorithm Key generation for digital signature schemes with appendix


SUMMARY:  each  entity  creates  a private  key  for  signing  messages,  and  a corresponding 
public  key  to  be  used  by  other  entities  for  verifying  signatures. 

1. Each entity A should select a private key which defines a set S_A = {S_{A,k} : k ∈ ℛ}
of transformations. Each S_{A,k} is a 1-1 mapping from M_h to S and is called a signing
transformation.

2. S_A defines a corresponding mapping V_A from M_h × S to {true, false} such that

        V_A(m̃, s*) = true,   if S_{A,k}(m̃) = s*,
                     false,  otherwise,

for all m̃ ∈ M_h, s* ∈ S; here, m̃ = h(m) for m ∈ M. V_A is called a verification
transformation and is constructed such that it may be computed without knowledge
of the signer's private key.

3. A's public key is V_A; A's private key is the set S_A.
11.5 Algorithm Signature generation and verification (digital signature schemes with appendix)

SUMMARY: entity A produces a signature s ∈ S for a message m ∈ M, which can later
be verified by any entity B.

1. Signature generation. Entity A should do the following:

(a) Select an element k ∈ ℛ.

(b) Compute m̃ = h(m) and s* = S_{A,k}(m̃).

(c) A's signature for m is s*. Both m and s* are made available to entities which
may wish to verify the signature.

2. Verification. Entity B should do the following:

(a) Obtain A's authentic public key V_A.

(b) Compute m̃ = h(m) and u = V_A(m̃, s*).

(c) Accept the signature if and only if u = true.


Figure 11.2 provides a schematic overview of a digital signature scheme with appendix.
The following properties are required of the signing and verification transformations:

(i) for each k ∈ ℛ, S_{A,k} should be efficient to compute;

(ii) V_A should be efficient to compute; and

(iii) it should be computationally infeasible for an entity other than A to find an m ∈ M
and an s* ∈ S such that V_A(m̃, s*) = true, where m̃ = h(m).


Figure 11.2: Overview of a digital signature scheme with appendix. (a) The signing process.
(b) The verification process.


11.6  Note  ( use  of  hash  functions)  Most  digital  signature  schemes  with  message  recovery 
(§11.2.3)  are  applied  to  messages  of  a fixed  length,  while  digital  signatures  with  appendix 
are  applied  to  messages  of  arbitrary  length.  The  one-way  function  h in  Algorithm  11.5  is 
typically selected to be a collision-free hash function (see Definition 9.3). An alternative
to  hashing  is  to  break  the  message  into  blocks  of  a fixed  length  which  can  be  individually 
signed  using  a signature  scheme  with  message  recovery.  Since  signature  generation  is  rel- 
atively slow  for  many  schemes,  and  since  reordering  of  multiple  signed  blocks  presents  a 
security  risk,  the  preferred  method  is  to  hash. 


11.2.3  Digital  signature  schemes  with  message  recovery 

The  digital  signature  schemes  described  in  this  section  have  the  feature  that  the  message 
signed  can  be  recovered  from  the  signature  itself.  In  practice,  this  feature  is  of  use  for  short 
messages  (see  §11.3.3(viii)). 

11.7 Definition A digital signature scheme with message recovery is a digital signature scheme
for  which  a priori  knowledge  of  the  message  is  not  required  for  the  verification  algorithm. 

Examples  of  mechanisms  providing  digital  signatures  with  message  recovery  are  RSA 
(§11.3.1),  Rabin  (§11.3.4),  and  Nyberg-Rueppel  (§11.5.4)  public-key  signature  schemes. 


11.8  Algorithm  Key  generation  for  digital  signature  schemes  with  message  recovery 

SUMMARY:  each  entity  creates  a private  key  to  be  used  for  signing  messages,  and  a cor- 
responding public  key  to  be  used  by  other  entities  for  verifying  signatures. 

1. Each entity A should select a set S_A = {S_{A,k} : k ∈ ℛ} of transformations. Each
S_{A,k} is a 1-1 mapping from M_S to S and is called a signing transformation.

2. S_A defines a corresponding mapping V_A with the property that V_A ∘ S_{A,k} is the iden-
tity map on M_S for all k ∈ ℛ. V_A is called a verification transformation and is
constructed such that it may be computed without knowledge of the signer's private
key.

3. A's public key is V_A; A's private key is the set S_A.


11.9 Algorithm Signature generation and verification for schemes with message recovery

SUMMARY: entity A produces a signature s ∈ S for a message m ∈ M, which can later
be verified by any entity B. The message m is recovered from s.

1. Signature generation. Entity A should do the following:

(a) Select an element k ∈ ℛ.

(b) Compute m̃ = R(m) and s* = S_{A,k}(m̃). (R is a redundancy function; see
Table 11.1 and Note 11.10.)

(c) A's signature is s*; this is made available to entities which may wish to verify
the signature and recover m from it.

2. Verification. Entity B should do the following:

(a) Obtain A's authentic public key V_A.

(b) Compute m̃ = V_A(s*).

(c) Verify that m̃ ∈ M_R. (If m̃ ∉ M_R, then reject the signature.)

(d) Recover m from m̃ by computing R^{-1}(m̃).
Figure 11.3 provides a schematic overview of a digital signature scheme with message
recovery.  The  following  properties  are  required  of  the  signing  and  verification  transforma- 
tions: 

(i) for each k ∈ ℛ, S_{A,k} should be efficient to compute;

(ii) V_A should be efficient to compute; and

(iii) it should be computationally infeasible for an entity other than A to find any s* ∈ S
such that V_A(s*) ∈ M_R.

11.10 Note (redundancy function) The redundancy function R and its inverse R^{-1} are publicly
known. Selecting an appropriate R is critical to the security of the system. To illustrate
this point, suppose that M_R = M_S. Suppose R and S_{A,k} are bijections from M to M_R
and M_S to S, respectively. This implies that M and S have the same number of elements.
Then for any s* ∈ S, V_A(s*) ∈ M_R, and it is trivial to find messages m and corresponding
signatures s* which will be accepted by the verification algorithm (step 2 of Algorithm 11.9)
as follows.

1. Select random k ∈ ℛ and random s* ∈ S.

2. Compute m̃ = V_A(s*).

3. Compute m = R^{-1}(m̃).

The element s* is a valid signature for the message m and was created without knowledge
of the set of signing transformations S_A.

11.11 Example (redundancy function) Suppose M = {m : m ∈ {0,1}^n} for some fixed posi-
tive integer n and M_S = {t : t ∈ {0,1}^{2n}}. Define R : M → M_S by R(m) = m||m,
where || denotes concatenation; that is, M_R = {m||m : m ∈ M} ⊂ M_S. For large val-
ues of n, the quantity |M_R|/|M_S| = (1/2)^n is a negligibly small fraction. This redundancy
function is suitable provided that no judicious choice of s* on the part of an adversary will
have a non-negligible probability of yielding V_A(s*) ∈ M_R. □

11.12 Remark (selecting a redundancy function) Even though the redundancy function R is pub-
lic knowledge and R^{-1} is easy to compute, selection of R is critical and should not be made
independently of the choice of the signing transformations in S_A. Example 11.21 provides
a specific  example  of  a redundancy  function  which  compromises  the  security  of  the  signa- 
ture scheme.  An  example  of  a redundancy  function  which  has  been  accepted  as  an  inter- 
national standard  is  given  in  §11.3.5.  This  redundancy  function  is  not  appropriate  for  all 
digital  signature  schemes  with  message  recovery,  but  does  apply  to  the  RSA  (§11.3.1)  and 
Rabin  (§11.3.4)  digital  signature  schemes. 
11.13 Remark (a particular class of message recovery schemes) §1.8.3 describes a class of dig-
ital signature schemes with message recovery which arise from reversible public-key en-
cryption methods. Examples include the RSA (§8.2) and Rabin (§8.3) encryption schemes.
The corresponding signature mechanisms are discussed in §11.3.1 and §11.3.4, respectively.

11.14  Note  ( signatures  with  appendix  from  schemes  providing  message  recovery ) Any  digital 
signature  scheme  with  message  recovery  can  be  turned  into  a digital  signature  scheme  with 
appendix  by  simply  hashing  the  message  and  then  signing  the  hash  value.  The  message  is 
now  required  as  input  to  the  verification  algorithm.  A schematic  for  this  situation  can  be 
derived from Figure 11.3 and is illustrated in Figure 11.4. The redundancy function R is no
longer critical to the security of the signature scheme, and can be any 1-1 function from
M_h to M_S.


Figure 11.4: Signature scheme with appendix obtained from one providing message recovery.


11.2.4 Types of attacks on signature schemes

The  goal  of  an  adversary  is  to  forge  signatures;  that  is,  produce  signatures  which  will  be 
accepted  as  those  of  some  other  entity.  The  following  provides  a set  of  criteria  for  what  it 
means  to  break  a signature  scheme. 

1. total break. An adversary is either able to compute the private key information of
the  signer,  or  finds  an  efficient  signing  algorithm  functionally  equivalent  to  the  valid 
signing  algorithm.  (For  example,  see  §11.3.2(i).) 

2.  selective  forgery.  An  adversary  is  able  to  create  a valid  signature  for  a particular  mes- 
sage or  class  of  messages  chosen  a priori.  Creating  the  signature  does  not  directly 
involve  the  legitimate  signer.  (See  Example  11.21.) 

3. existential forgery. An adversary is able to forge a signature for at least one mes-
sage. The  adversary  has  little  or  no  control  over  the  message  whose  signature  is  ob- 
tained, and  the  legitimate  signer  may  be  involved  in  the  deception  (for  example,  see 
Note  11.66(iii)). 

There  are  two  basic  attacks  against  public-key  digital  signature  schemes. 

1.  key-only  attacks.  In  these  attacks,  an  adversary  knows  only  the  signer’s  public  key. 

2.  message  attacks.  Here  an  adversary  is  able  to  examine  signatures  corresponding  ei- 
ther to  known  or  chosen  messages.  Message  attacks  can  be  further  subdivided  into 
three  classes: 

(a)  known-message  attack.  An  adversary  has  signatures  for  a set  of  messages  which 
are  known  to  the  adversary  but  not  chosen  by  him. 
(b) chosen-message attack. An adversary obtains valid signatures from a chosen
list  of  messages  before  attempting  to  break  the  signature  scheme.  This  attack 
is  non-adaptive  in  the  sense  that  messages  are  chosen  before  any  signatures 
are  seen.  Chosen-message  attacks  against  signature  schemes  are  analogous  to 
chosen-ciphertext  attacks  against  public-key  encryption  schemes  (see  §1.13.1). 

(c)  adaptive  chosen-message  attack.  An  adversary  is  allowed  to  use  the  signer  as  an 
oracle;  the  adversary  may  request  signatures  of  messages  which  depend  on  the 
signer’s  public  key  and  he  may  request  signatures  of  messages  which  depend 
on  previously  obtained  signatures  or  messages. 

11.15 Note (adaptive chosen-message attack) In principle, an adaptive chosen-message attack is
the  most  difficult  type  of  attack  to  prevent.  It  is  conceivable  that  given  enough  messages  and 
corresponding  signatures,  an  adversary  could  deduce  a pattern  and  then  forge  a signature  of 
its  choice.  While  an  adaptive  chosen-message  attack  may  be  infeasible  to  mount  in  prac- 
tice, a well-designed  signature  scheme  should  nonetheless  be  designed  to  protect  against 
the  possibility. 

11.16 Note (security considerations) The level of security required in a digital signature scheme
may  vary  according  to  the  application.  For  example,  in  situations  where  an  adversary  is  only 
capable  of  mounting  a key-only  attack,  it  may  suffice  to  design  the  scheme  to  prevent  the 
adversary  from  being  successful  at  selective  forgery.  In  situations  where  the  adversary  is 
capable  of  a message  attack,  it  is  likely  necessary  to  guard  against  the  possibility  of  exis- 
tential forgery. 

11.17  Note  (hash  functions  and  digital  signature  processes)  When  a hash  function  h is  used  in 
a digital  signature  scheme  (as  is  often  the  case),  h should  be  a fixed  part  of  the  signature 
process  so  that  an  adversary  is  unable  to  take  a valid  signature,  replace  h with  a weak  hash 
function,  and  then  mount  a selective  forgery  attack. 


11.3 RSA and related signature schemes

This  section  describes  the  RSA  signature  scheme  and  other  closely  related  methods.  The 
security  of  the  schemes  presented  here  relies  to  a large  degree  on  the  intractability  of  the 
integer  factorization  problem  (see  §3.2).  The  schemes  presented  include  both  digital  signa- 
tures with  message  recovery  and  appendix  (see  Note  11.14). 


11.3.1  The  RSA  signature  scheme 

The message space and ciphertext space for the RSA public-key encryption scheme (§8.2)
are both Z_n = {0, 1, 2, ..., n − 1} where n = pq is the product of two randomly chosen
distinct prime numbers. Since the encryption transformation is a bijection, digital signa-
tures can be created by reversing the roles of encryption and decryption. The RSA signature
scheme is a deterministic digital signature scheme which provides message recovery (see
Definition 11.7). The signing space M_S and signature space S are both Z_n (see Table 11.1
for notation). A redundancy function R : M → Z_n is chosen and is public knowledge.
11.18 Algorithm Key generation for the RSA signature scheme

SUMMARY:  each  entity  creates  an  RSA  public  key  and  a corresponding  private  key. 

Each  entity  A should  do  the  following: 

1.  Generate  two  large  distinct  random  primes  p and  q,  each  roughly  the  same  size  (see 
§11.3.2). 

2. Compute n = pq and φ = (p − 1)(q − 1).

3. Select a random integer e, 1 < e < φ, such that gcd(e, φ) = 1.

4. Use the extended Euclidean algorithm (Algorithm 2.107) to compute the unique in-
teger d, 1 < d < φ, such that ed ≡ 1 (mod φ).

5.  A’s  public  key  is  ( n , e);  A’s  private  key  is  d. 


11.19  Algorithm  RSA  signature  generation  and  verification 

SUMMARY: entity A signs a message m ∈ M. Any entity B can verify A's signature and
recover the message m from the signature.

1. Signature generation. Entity A should do the following:

(a) Compute m̃ = R(m), an integer in the range [0, n − 1].

(b) Compute s = m̃^d mod n.

(c) A's signature for m is s.

2. Verification. To verify A's signature s and recover the message m, B should:

(a) Obtain A's authentic public key (n, e).

(b) Compute m̃ = s^e mod n.

(c) Verify that m̃ ∈ M_R; if not, reject the signature.

(d) Recover m = R^{-1}(m̃).


Proof that signature verification works. If s is a signature for a message m, then s =
m̃^d mod n where m̃ = R(m). Since ed ≡ 1 (mod φ), s^e ≡ m̃^{ed} ≡ m̃ (mod n). Fi-
nally, R^{-1}(m̃) = R^{-1}(R(m)) = m.

11.20 Example (RSA signature generation with artificially small parameters)

Key generation. Entity A selects primes p = 7927, q = 6997, and computes n = pq =
55465219 and φ = 7926 × 6996 = 55450296. A chooses e = 5 and solves ed = 5d ≡ 1
(mod 55450296), yielding d = 44360237. A's public key is (n = 55465219, e = 5);
A's private key is d = 44360237.

Signature generation. For the sake of simplicity (but see §11.3.3(ii)), assume that M = Z_n
and that the redundancy function R : M → Z_n is the identity map R(m) = m for all m ∈
M. To sign a message m = 31229978, A computes m̃ = R(m) = 31229978, and com-
putes the signature s = m̃^d mod n = 31229978^44360237 mod 55465219 = 30729435.
Signature verification. B computes m̃ = s^e mod n = 30729435^5 mod 55465219 =
31229978. Finally, B accepts the signature since m̃ has the required redundancy (i.e., m̃ ∈
M_R), and recovers m = R^{-1}(m̃) = 31229978. □
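As an added worked example (not code from the Handbook), Algorithm 11.19 in Python with a pluggable redundancy function R: the identity R of Example 11.20 reproduces the numbers above, while the R(m) = m||m function of Example 11.11 shows why the trivial forgery of Note 11.10 is rejected once M_R is a small fraction of M_S. The extended Euclidean routine, the choice t = 12 (so that M_R lies inside Z_n for this 26-bit modulus) and the test message 2021 are choices made here.

```python
# Added example (not code from the Handbook): Algorithm 11.19 with a pluggable
# redundancy function R, reproducing Example 11.20 and illustrating Note 11.10
# and Example 11.11. Toy parameters only; never use these sizes in practice.

def egcd(a, b):
    """Extended Euclidean algorithm (cf. Algorithm 2.107): returns (g, x, y)
    with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def rsa_keygen(p, q, e):
    """Algorithm 11.18 with caller-supplied primes: returns ((n, e), d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must satisfy gcd(e, phi) = 1")
    return (n, e), x % phi          # d is the unique inverse of e modulo phi


def identity_redundancy(n):
    """Example 11.20's choice: R is the identity on Z_n, so M_R = M_S = Z_n."""
    def R(m):
        return m
    def R_inv(mt):
        return mt if 0 <= mt < n else None   # every element of Z_n passes the check
    return R, R_inv


def duplicate_redundancy(t):
    """Example 11.11's choice: R(m) = m || m for t-bit m, so |M_R| / |M_S| = (1/2)^t."""
    mask = (1 << t) - 1
    def R(m):
        if not 0 <= m <= mask:
            raise ValueError("message must fit in t bits")
        return (m << t) | m
    def R_inv(mt):
        hi, lo = mt >> t, mt & mask
        # Membership test for M_R: both halves agree and nothing lies above bit 2t.
        return lo if (hi == lo and mt >> (2 * t) == 0) else None
    return R, R_inv


def rsa_sign(m, d, n, R):
    """Algorithm 11.19, step 1: s = R(m)^d mod n."""
    return pow(R(m), d, n)


def rsa_verify_recover(s, e, n, R_inv):
    """Algorithm 11.19, step 2: m~ = s^e mod n; reject (None) unless m~ is in M_R,
    otherwise return R^{-1}(m~)."""
    return R_inv(pow(s, e, n))


if __name__ == "__main__":
    (n, e), d = rsa_keygen(7927, 6997, 5)      # n = 55465219, d = 44360237 as in Example 11.20
    R, R_inv = identity_redundancy(n)
    s = rsa_sign(31229978, d, n, R)            # 30729435 in the Handbook
    print("signature:", s, "recovered:", rsa_verify_recover(s, e, n, R_inv))
    # Note 11.10: with M_R = M_S, any s* chosen without d is accepted as a signature
    # on the "message" R^{-1}(s*^e mod n); s* = n - 1 is a constructed instance.
    print("identity R accepts s* = n-1:", rsa_verify_recover(n - 1, e, n, R_inv))
    # Example 11.11 with t = 12 (2t = 24 bits < the 26-bit modulus, so M_R is inside Z_n):
    # the same s* fails the redundancy check, while a genuine signature round-trips.
    R2, R2_inv = duplicate_redundancy(12)
    print("m||m R accepts s* = n-1:", rsa_verify_recover(n - 1, e, n, R2_inv))
    print("genuine m||m signature recovers:",
          rsa_verify_recover(rsa_sign(2021, d, n, R2), e, n, R2_inv))
```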


11.3.2  Possible  attacks  on  RSA  signatures 

(i)  Integer  factorization 

If an adversary is able to factor the public modulus n of some entity A, then the adversary
can compute φ and then, using the extended Euclidean algorithm (Algorithm 2.107), deduce
the private key d from φ and the public exponent e by solving ed ≡ 1 (mod φ). This
constitutes a total break of the system. To guard against this, A must select p and q so that
factoring  n is  a computationally  infeasible  task.  For  further  information,  see  §8.2.2(i)  and 
Note  8.8. 

(ii)  Multiplicative  property  of  RSA 

The RSA signature scheme (as well as the encryption method, cf. §8.2.2(v)) has the follow-
ing multiplicative property, sometimes referred to as the homomorphic property. If s_1 =
m_1^d mod n and s_2 = m_2^d mod n are signatures on messages m_1 and m_2, respectively (or
more properly on messages with redundancy added), then s = s_1 s_2 mod n has the prop-
erty that s = (m_1 m_2)^d mod n. If m = m_1 m_2 has the proper redundancy (i.e., m ∈ M_R),
then s will be a valid signature for it. Hence, it is important that the redundancy function
R is not multiplicative, i.e., for essentially all pairs a, b ∈ M, R(a · b) ≠ R(a)R(b). As
Example 11.21 shows, this condition on R is necessary but not sufficient for security.

1 1 .21  Example  ( insecure  redundancy  function)  Let  n be  an  RSA  modulus  and  d the  private  key. 
Let  k = [lg  n]  be  the  bitlength  of  n,  and  let  t be  a fixed  positive  integer  such  that  t < k/2. 
Let  w = 2*  and  let  messages  be  integers  m in  the  interval  [1,  n2^t  — 1].  The  redundancy 
function  R is  taken  to  be  R(m)  = m2 1 (the  least  significant  t bits  of  the  binary  representa- 
tion of  R(m)  are  0’s).  For  most  choices  of  n,  R will  not  have  the  multiplicative  property. 
The  general  existential  forgery  attack  described  in  Note  11.10  would  have  a probability  of 
success  of  (5)*.  But  for  this  redundancy  function,  a selective  forgery  attack  (which  is  more 
serious)  is  possible,  as  is  now  explained. 

Suppose that an adversary wishes to forge a signature on a message m. The adversary knows n but not d. The adversary can mount the following chosen-message attack to obtain the signature on m. Apply the extended Euclidean algorithm (Algorithm 2.107) to n and m̃ = R(m) = m2^t = mw. At each stage of the extended Euclidean algorithm, integers x, y, and r are computed such that xn + ym̃ = r. It can be shown that at some stage there exists a y and r such that |y| < n/w and r < n/w, provided w ≤ √n. If y > 0, form integers m_2 = rw and m_3 = yw. If y < 0, form integers m_2 = rw and m_3 = −yw. In either case, m_2 and m_3 have the required redundancy. If signatures s_2 = m_2^d mod n and s_3 = m_3^d mod n are obtained from the legitimate signer, then the adversary can compute a signature for m̃ as follows:

• if y > 0, compute s_2/s_3 = (m_2/m_3)^d = (rw/(yw))^d = (r/y)^d = m̃^d mod n;

• if y < 0, compute s_2/(−s_3) = (m_2/(−m_3))^d = (r/y)^d = m̃^d mod n.

In either case, the adversary has a signed message of its choice with the required redundancy. This attack is an example of a chosen-message attack providing selective forgery. It emphasizes the requirement for judicious choice of the redundancy function R. □
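The chosen-message attack of Example 11.21, run end to end on toy parameters, as an added example (this is not code from the Handbook). It reuses the RSA key of Example 11.22 (n = 8387 × 7499, e = 5, d = 37726937); t = 8 and the message m = 123456 are assumptions made for the demonstration. The private exponent appears only to play the part of the legitimate signer who answers the two chosen-message queries; the forgery step itself uses nothing but n, the two signatures and the extended Euclidean coef﻿ficients.

```python
from math import gcd


def ext_euclid_stages(a, b):
    """Yield (x, y, r) with x*a + y*b == r at every stage of the extended
    Euclidean algorithm on (a, b); the first two stages are (1, 0, a), (0, 1, b)."""
    x0, y0, r0 = 1, 0, a
    x1, y1, r1 = 0, 1, b
    yield x0, y0, r0
    yield x1, y1, r1
    while r1 != 0:
        q = r0 // r1
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
        r0, r1 = r1, r0 - q * r1
        yield x1, y1, r1


def forge_with_zero_bit_redundancy(n, d, t, m):
    """Selective forgery of Example 11.21 against R(m) = m * 2^t.
    Returns (m_tilde, forged) where forged == m_tilde^d mod n.  d is used
    only to impersonate the legitimate signer answering the two chosen-message
    queries; the forging arithmetic never touches it."""
    w = 1 << t
    assert w * w <= n, "the argument needs w <= sqrt(n)"
    assert 1 <= m <= n // w - 1, "messages are integers in [1, n*2^-t - 1]"
    m_tilde = m * w                                   # R(m): t trailing zero bits

    # Walk the extended Euclidean algorithm on (n, m_tilde) until the remainder
    # first drops below n/w; at that stage |y| < n/w holds too (see the Example).
    for x, y, r in ext_euclid_stages(n, m_tilde):
        if 0 < r < n / w and y != 0:
            break
    assert abs(y) < n / w and x * n + y * m_tilde == r

    m2, m3 = r * w, abs(y) * w                        # both lie in the image of R
    assert gcd(m2, n) == 1 and gcd(m3, n) == 1        # holds for these constructed values
    s2, s3 = pow(m2, d, n), pow(m3, d, n)             # answers from the legitimate signer

    # r = y*m_tilde (mod n), so m_tilde = r/y = m2/m3 (y > 0) or m2/(-m3) (y < 0).
    if y < 0:
        s3 = n - s3
    forged = s2 * pow(s3, -1, n) % n
    return m_tilde, forged


def verify_recovery(s, e, n):
    """RSA verification with message recovery: returns m_tilde = s^e mod n."""
    return pow(s, e, n)
```

With these parameters the remainder first drops below n/w after three quotient steps, at y = −199, so the block exercises the y < 0 branch. The lesson is the one the Example draws: a redundancy that is merely a run of zero bits leaves the RSA homomorphism exploitable, which is why the standardized formats of §11.3.5 and §11.3.6 impose more structure than that.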


11.3.3 RSA signatures in practice

(i) Reblocking problem

One suggested use of RSA is to sign a message and then encrypt the resulting signature. One must be concerned about the relative sizes of the moduli involved when implementing this procedure. Suppose that A wishes to sign and then encrypt a message for B. Suppose that (n_A, e_A) and (n_B, e_B) are A's and B's public keys, respectively. If n_A > n_B, then there is a chance that the message cannot be recovered by B, as illustrated in Example 11.22.
11.22 Example (reblocking problem) Let n_A = 8387 × 7499 = 62894113, e_A = 5, and d_A = 37726937; and n_B = 55465219, e_B = 5, d_B = 44360237. Notice that n_A > n_B. Suppose m = 1368797 is a message with redundancy to be signed under A's private key and then encrypted using B's public key. A computes the following:

1. s = m^{d_A} mod n_A = 1368797^{37726937} mod 62894113 = 59847900.

2. c = s^{e_B} mod n_B = 59847900^5 mod 55465219 = 38842235.

To recover the message and verify the signature, B computes the following:

1. ŝ = c^{d_B} mod n_B = 38842235^{44360237} mod 55465219 = 4382681.

2. m̂ = ŝ^{e_A} mod n_A = 4382681^5 mod 62894113 = 54383568.

Observe that m ≠ m̂. The reason for this is that s is larger than the modulus n_B. Here, the probability of this problem occurring is (n_A − n_B)/n_A ≈ 0.12. □

There are various ways to overcome the reblocking problem.

1. reordering. The problem of incorrect decryption will never occur if the operation using the smaller modulus is performed first. That is, if n_A > n_B, then entity A should first encrypt the message using B's public key, and then sign the resulting ciphertext using A's private key. The preferred order of operations, however, is always to sign the message first and then encrypt the signature; for if A encrypts first and then signs, an adversary could remove the signature and replace it with its own signature. Even though the adversary will not know what is being signed, there may be situations where this is advantageous to the adversary. Thus, reordering is not a prudent solution.

2. two moduli per entity. Have each entity generate separate moduli for encrypting and for signing. If each user's signing modulus is smaller than all of the possible encrypting moduli, then incorrect decryption never occurs. This can be guaranteed by requiring encrypting moduli to be (t + 1)-bit numbers and signing moduli t-bit numbers.

3. prescribing the form of the modulus. In this method, one selects the primes p and q so that the modulus n has a special form: the highest-order bit is a 1 and the k following bits are all 0's. A t-bit modulus n of this form can be found as follows. For n to have the required form, 2^{t−1} ≤ n < 2^{t−1} + 2^{t−k−1}. Select a random ⌈t/2⌉-bit prime p, and search for a prime q in the interval between ⌈2^{t−1}/p⌉ and ⌊(2^{t−1} + 2^{t−k−1})/p⌋; then n = pq is a modulus of the required type (see Example 11.23). This choice for the modulus n does not completely prevent the incorrect decryption problem, but it can reduce the probability of its occurrence to a negligibly small number. Suppose that n_A is such a modulus and s = m^{d_A} mod n_A is a signature on m. Suppose further that s has a 1 in one of the high-order k + 1 bit positions, other than the highest. Then s, since it is smaller than n_A, must have a 0 in the highest-order bit position and so is necessarily smaller than any other modulus of a similar form. The probability that s does not have any 1's in the high-order k + 1 bit positions, other than the highest, is less than (1/2)^k, which is negligibly small if k is selected to be around 100.

11.23 Example (prescribing the form of the modulus) Suppose one wants to construct a 12-bit modulus n such that the high-order bit is a 1 and the next k = 3 bits are 0's. Begin by selecting a 6-bit prime p = 37. Select a prime q in the interval between ⌈2^{11}/p⌉ = 56 and ⌊(2^{11} + 2^8)/p⌋ = 62. The possibilities for q are 59 and 61. If q = 59 is selected, then n = 37 × 59 = 2183, having binary representation 100010000111. If q = 61 is selected, then n = 37 × 61 = 2257, having binary representation 100011010001. □
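The reblocking failure of Example 11.22 and the prescribed-form construction of remedy 3 / Example 11.23, as one added example (not code from the Handbook). The RSA keys and the message are the ones printed in Example 11.22; everything else (the helper names, the trial-division primality test) is an assumption made for the demonstration.

```python
from math import isqrt

N_A, E_A, D_A = 8387 * 7499, 5, 37726937     # A's RSA key (Example 11.22)
N_B, E_B, D_B = 55465219, 5, 44360237        # B's RSA key (Example 11.22)


def sign_then_encrypt(m, n_a, d_a, n_b, e_b):
    """A signs m with message recovery, then encrypts the signature for B."""
    s = pow(m, d_a, n_a)
    c = pow(s, e_b, n_b)
    return s, c


def decrypt_then_verify(c, n_b, d_b, n_a, e_a):
    """B decrypts; the result is only s mod n_B, which differs from s once s >= n_B."""
    s_hat = pow(c, d_b, n_b)
    m_hat = pow(s_hat, e_a, n_a)
    return s_hat, m_hat


def reblocking_demo(m=1368797):
    """Reproduce Example 11.22 and report whether B recovers the message."""
    s, c = sign_then_encrypt(m, N_A, D_A, N_B, E_B)
    s_hat, m_hat = decrypt_then_verify(c, N_B, D_B, N_A, E_A)
    return {
        "s": s, "c": c, "s_hat": s_hat, "m_hat": m_hat,
        "recovered": m_hat == m,
        "failure_probability": (N_A - N_B) / N_A,   # (n_A - n_B)/n_A
    }


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    return all(n % f for f in range(2, isqrt(n) + 1))


def prescribed_form_moduli(t, k, p):
    """Remedy 3: every n = p*q (q prime) that is t bits long with a leading 1
    followed by k zero bits, for a given ceil(t/2)-bit prime p.  q is searched
    in [ceil(2^(t-1)/p), floor((2^(t-1) + 2^(t-k-1))/p)]."""
    assert p.bit_length() == (t + 1) // 2 and is_prime(p)
    lo = -(-(1 << (t - 1)) // p)                          # ceiling division
    hi = ((1 << (t - 1)) + (1 << (t - k - 1))) // p
    return [(q, p * q) for q in range(lo, hi + 1) if is_prime(q)]


def has_prescribed_form(n, t, k):
    """True if n is a t-bit integer whose top k+1 bits are 1 followed by k zeros."""
    return n.bit_length() == t and (n >> (t - k - 1)) == 1 << k
```

reblocking_demo() shows the decryption returning s − n_B rather than s, exactly as in the Example, and the estimate (n_A − n_B)/n_A ≈ 0.12 of how often this happens; prescribed_form_moduli(12, 3, 37) returns the two candidates of Example 11.23.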
(ii) Redundancy functions

In order to avoid an existential forgery attack (see §11.2.4) on the RSA signature scheme, a suitable redundancy function R is required. §11.3.5 describes one such function which has been accepted as an international standard. Judicious choice of a redundancy function is crucial to the security of the system (see §11.3.2(ii)).

(iii) The RSA digital signature scheme with appendix

Note 11.14 describes how any digital signature scheme with message recovery can be modified to give a digital signature scheme with appendix. For example, if MD5 (Algorithm 9.51) is used to hash messages of arbitrary bitlengths to bitstrings of length 128, then Algorithm 11.19 could be used to sign these hash values. If n is a k-bit RSA modulus, then a suitable redundancy function R is required to assign 128-bit integers to k-bit integers. §11.3.6 describes a method for doing this which is often used in practice.

(iv) Performance characteristics of signature generation and verification

Let n = pq be a 2k-bit RSA modulus where p and q are each k-bit primes. Computing a signature s = m^d mod n for a message m requires O(k^3) bit operations (regarding modular multiplication, see §14.3; and for modular exponentiation, §14.6). Since the signer typically knows p and q, she can compute s_1 = m^d mod p, s_2 = m^d mod q, and determine s by using the Chinese remainder theorem (see Note 14.75). Although the complexity of this procedure remains O(k^3), it is considerably more efficient in some situations.

Verification of signatures is significantly faster than signing if the public exponent is chosen to be a small number. If this is done, verification requires O(k^2) bit operations. Suggested values for e in practice are 3 or 2^16 + 1;^2 of course, p and q must be chosen so that gcd(e, (p − 1)(q − 1)) = 1.

The RSA signature scheme is thus ideally suited to situations where signature verification is the predominant operation being performed. For example, when a trusted third party creates a public-key certificate for an entity A, this requires only one signature generation, and this signature may be verified many times by various other entities (see §13.4.2).
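Signature generation via the Chinese remainder theorem and verification with a small public exponent, as an added example (not code from the Handbook). The key is A's from Example 11.22 (p = 8387, q = 7499, e = 5); the messages and the Garner-style recombination are assumptions for the demonstration.

```python
from math import gcd

P, Q = 8387, 7499          # A's primes from Example 11.22
N = P * Q
E, D = 5, 37726937


def sign_direct(m, d=D, n=N):
    """s = m^d mod n computed with one full-size modular exponentiation."""
    return pow(m, d, n)


def sign_crt(m, p=P, q=Q, d=D):
    """s = m^d mod pq from s1 = m^d mod p and s2 = m^d mod q.
    The exponent is reduced modulo p-1 and q-1 (Fermat), so each of the two
    half-size exponentiations costs about an eighth of the full one in the
    O(k^3) model; the halves are recombined with Garner's form of the CRT."""
    dp, dq = d % (p - 1), d % (q - 1)
    s1 = pow(m % p, dp, p)
    s2 = pow(m % q, dq, q)
    h = (pow(q, -1, p) * (s1 - s2)) % p      # h = (s1 - s2) * q^{-1} mod p
    return s2 + h * q                         # = s1 (mod p), = s2 (mod q), < pq


def verify(m_tilde, s, e=E, n=N):
    """Verification needs only s^e mod n; with a small e this is a handful of
    modular multiplications (for e = 5: two squarings and one multiplication)."""
    return pow(s, e, n) == m_tilde


def exponent_ok(e, p, q):
    """The constraint on the public exponent: gcd(e, (p-1)(q-1)) = 1."""
    return gcd(e, (p - 1) * (q - 1)) == 1
```

sign_crt and sign_direct agree for every message, which is what the test checks; the CRT version is the one the text describes as "considerably more efficient in some situations". Note that an even e never satisfies exponent_ok, since (p − 1)(q − 1) is even; this is the observation footnote 3 of §11.3.4 relies on.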

(v)  Parameter  selection 

As of 1996, a minimum of 768 bits is recommended for RSA signature moduli. A modulus of at least 1024 bits is recommended for signatures which require much longer lifetimes or which are critical to the overall security of a large network. It is prudent to remain aware of progress in integer factorization, and to be prepared to adjust parameters accordingly.

No weaknesses in the RSA signature scheme have been reported when the public exponent e is chosen to be a small number such as 3 or 2^16 + 1. It is not recommended to restrict the size of the private exponent d in order to improve the efficiency of signature generation (cf. §8.2.2(iv)).

(vi) Bandwidth efficiency

Bandwidth efficiency for digital signatures with message recovery refers to the ratio of the logarithm (base 2) of the size of the signing space M_S to the logarithm (base 2) of the size of M_R, the image space of the redundancy function. Hence, the bandwidth efficiency is determined by the redundancy R. For RSA (and the Rabin digital signature scheme, §11.3.4), the redundancy function specified by ISO/IEC 9796 (§11.3.5) takes k-bit messages and encodes them to 2k-bit elements in M_S from which a 2k-bit signature is formed. The bandwidth efficiency in this case is 1/2. For example, with a modulus of size 1024 bits, the maximum size of a message which can be signed is 512 bits.

^2 The choice of e = 2^16 + 1 is based on the fact that e is a prime number, and m^e mod n can be computed with only 16 modular squarings and one modular multiplication (see §14.6.1).

(vii)  System-wide  parameters 

Each  entity  must  have  a distinct  RSA  modulus;  it  is  insecure  to  use  a system-wide  modulus 
(see  §8.2.2(vi)).  The  public  exponent  e can  be  a system-wide  parameter,  and  is  in  many 
applications  (see  Note  8.9(ii)). 

(viii) Short vs. long messages

Suppose n is a 2k-bit RSA modulus which is used in Algorithm 11.19 to sign k-bit messages (i.e., the bandwidth efficiency is 1/2). Suppose entity A wishes to sign a kt-bit message m. One approach is to partition m into k-bit blocks such that m = m_1||m_2||···||m_t and sign each block individually (but see Note 11.6 regarding why this is not recommended). The bandwidth requirement for this is 2kt bits. Alternatively, A could hash message m to a bitstring of length l ≤ k and sign the hash value. The bandwidth requirement for this signature is kt + 2k, where the term kt comes from sending the message m. Since kt + 2k ≤ 2kt whenever t ≥ 2, it follows that the most bandwidth efficient method is to use RSA digital signatures with appendix. For a message of size at most k bits, RSA with message recovery is preferred.


11.3.4 The Rabin public-key signature scheme

The Rabin public-key signature scheme is similar to RSA (Algorithm 11.19), but it uses an even public exponent e.^3 For the sake of simplicity, it will be assumed that e = 2. The signing space M_S is Q_n (the set of quadratic residues modulo n; see Definition 2.134) and signatures are square roots of these. A redundancy function R from the message space M to M_S is selected and is public knowledge.

Algorithm 11.25 describes the basic version of the Rabin public-key signature scheme. A more detailed version (and one more useful in practice) is presented in Algorithm 11.30.


11.24 Algorithm Key generation for the Rabin public-key signature scheme

SUMMARY:  each  entity  creates  a public  key  and  corresponding  private  key. 

Each  entity  A should  do  the  following: 

1.  Generate  two  large  distinct  random  primes  p and  q,  each  roughly  the  same  size. 

2.  Compute  n = pq. 

3.  A’s  public  key  is  n;  A’s  private  key  is  (p,  q). 


11.25 Algorithm Rabin signature generation and verification

SUMMARY: entity A signs a message m ∈ M. Any entity B can verify A's signature and recover the message m from the signature.

1. Signature generation. Entity A should do the following:

(a) Compute m̃ = R(m).

(b) Compute a square root s of m̃ mod n (using Algorithm 3.44).

(c) A's signature for m is s.

2. Verification. To verify A's signature s and recover the message m, B should:

(a) Obtain A's authentic public key n.

(b) Compute m̃ = s^2 mod n.

(c) Verify that m̃ ∈ M_R; if not, reject the signature.

(d) Recover m = R^{−1}(m̃).

^3 Since p and q are distinct primes in an RSA modulus, φ = (p − 1)(q − 1) is even. In RSA, the public exponent e must satisfy gcd(e, φ) = 1 and so must be odd.


11.26 Example (Rabin signature generation with artificially small parameters)

Key generation. Entity A selects primes p = 7, q = 11, and computes n = 77. A's public key is n = 77; A's private key is (p = 7, q = 11). The signing space is M_S = Q_77 = {1, 4, 9, 15, 16, 23, 25, 36, 37, 53, 58, 60, 64, 67, 71}. For the sake of simplicity (but see Note 11.27), take M = M_S and the redundancy function R to be the identity map (i.e., m̃ = R(m) = m).

Signature generation. To sign a message m = 23, A computes R(m) = m̃ = 23, and then finds a square root of m̃ modulo 77. If s denotes such a square root, then s ≡ ±3 (mod 7) and s ≡ ±1 (mod 11), implying s = 10, 32, 45, or 67. The signature for m is chosen to be s = 45. (The signature could be any one of the four square roots.)

Signature verification. B computes m̃ = s^2 mod 77 = 23. Since m̃ = 23 ∈ M_R, B accepts the signature and recovers m = R^{−1}(m̃) = 23. □
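The basic Rabin scheme of Algorithms 11.24 and 11.25 with the parameters of Example 11.26 (p = 7, q = 11, n = 77, R the identity on M_S = Q_77), as an added example (not code from the Handbook). Square roots are taken with the p, q ≡ 3 (mod 4) special case of Algorithm 3.44 (a^{(p+1)/4} mod p) and combined with the Chinese remainder theorem; the helper names are assumptions.

```python
from math import gcd

P, Q = 7, 11                      # A's private key (Example 11.26)
N = P * Q                         # A's public key


def quadratic_residues(n=N):
    """Q_n: the squares of the units modulo n (the signing space M_S)."""
    return sorted({x * x % n for x in range(1, n) if gcd(x, n) == 1})


def sqrt_mod_prime_3mod4(a, p):
    """A square root of a modulo a prime p = 3 (mod 4): a^((p+1)/4) mod p."""
    assert p % 4 == 3
    r = pow(a, (p + 1) // 4, p)
    assert r * r % p == a % p, "a is not a quadratic residue modulo p"
    return r


def square_roots(a, p=P, q=Q):
    """All four square roots of a in Q_pq, combined from the roots modulo p
    and modulo q with the Chinese remainder theorem."""
    n = p * q
    rp, rq = sqrt_mod_prime_3mod4(a, p), sqrt_mod_prime_3mod4(a, q)
    cp = q * pow(q, -1, p)        # = 1 (mod p), 0 (mod q)
    cq = p * pow(p, -1, q)        # = 0 (mod p), 1 (mod q)
    return sorted({(sp * cp + sq * cq) % n
                   for sp in (rp, p - rp) for sq in (rq, q - rq)})


def sign(m, p=P, q=Q, choice=0):
    """Algorithm 11.25, signature generation with R the identity map:
    any of the four square roots of m_tilde = m is a valid signature."""
    return square_roots(m, p, q)[choice]


def verify(s, n=N):
    """Algorithm 11.25, verification: recover m_tilde = s^2 mod n and check
    it lies in M_R = Q_n; returns m (R is the identity) or None on rejection."""
    m_tilde = s * s % n
    if m_tilde not in quadratic_residues(n):
        return None
    return m_tilde
```

square_roots(23) returns the four roots 10, 32, 45, 67 of the Example. Because R is the identity, verify accepts the square of any unit modulo 77, which is precisely the trivial existential forgery of Note 11.27(i) and the reason a non-trivial redundancy function is required.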

11.27 Note (redundancy)

(i) As with the RSA signature scheme (Example 11.21), an appropriate choice of a redundancy function R is crucial to the security of the Rabin signature scheme. For example, suppose that M = M_S = Q_n and R(m) = m for all m ∈ M. If an adversary selects any integer s ∈ Z_n^* and squares it to get m̃ = s^2 mod n, then s is a valid signature for m̃ and is obtained without knowledge of the private key. (Here, the adversary has little control over what the message will be.) In this situation, existential forgery is trivial.

(ii) In most practical applications of digital signature schemes with message recovery, the message space M consists of bitstrings of some fixed length. For the Rabin scheme, determining a redundancy function R is a challenging task. For example, if a message m is a bitstring, R might assign it to the integer whose binary representation is the message. There is, however, no guarantee that the resulting integer is a quadratic residue modulo n, and so computing a square root might be impossible. One might try to append a small number of random bits to m and apply R again in the hope that R(m) ∈ Q_n. On average, two such attempts would suffice, but a deterministic method would be preferable.

Modified-Rabin  signature  scheme 

To overcome the problem discussed in Note 11.27(ii), a modified version of the basic Rabin
signature  scheme  is  provided.  The  technique  presented  is  similar  to  that  used  in  the  ISO/IEC 
9796  digital  signature  standard  (§11.3.5).  It  provides  a deterministic  method  for  associating 
messages  with  elements  in  the  signing  space  Ms,  such  that  computing  a square  root  (or 
something  close  to  it)  is  always  possible.  An  understanding  of  this  method  will  facilitate 
the  reading  of  §11.3.5. 

11.28 Fact Let p and q be distinct primes each congruent to 3 modulo 4, and let n = pq.

(i) If gcd(x, n) = 1, then x^{(p−1)(q−1)/2} ≡ 1 (mod n).

(ii) If x ∈ Q_n, then x^{(n−p−q+5)/8} mod n is a square root of x modulo n.

(iii) Let x be an integer having Jacobi symbol (x/n) = 1, and let d = (n − p − q + 5)/8. Then

\[
x^{2d} \bmod n = \begin{cases} x, & \text{if } x \in Q_n, \\ n - x, & \text{if } x \notin Q_n. \end{cases}
\]

(iv) If p ≢ q (mod 8), then (2/n) = −1. Hence, multiplication of any integer x by 2 or 2^{−1} mod n reverses the Jacobi symbol of x. (Integers of the form n = pq where p ≡ q ≡ 3 (mod 4) and p ≢ q (mod 8) are sometimes called Williams integers.)


Algorithm 11.30 is a modified version of the Rabin digital signature scheme. Messages to be signed are from M_S = {m ∈ Z_n : m ≡ 6 (mod 16)}. Notation is given in Table 11.2. In practice, the redundancy function R should be more complex to prevent existential forgery (see §11.3.5 for an example).

   Term   Description
   M      message space         {m ∈ Z_n : m ≤ ⌊(n − 6)/16⌋}
   M_S    signing space         {m ∈ Z_n : m ≡ 6 (mod 16)}
   S      signature space       {s ∈ Z_n : (s^2 mod n) ∈ M_S}
   R      redundancy function   R(m) = 16m + 6 for all m ∈ M
   M_R    image of R            {m ∈ Z_n : m ≡ 6 (mod 16)}

Table 11.2: Definition of sets and functions for Algorithm 11.30.


11.29 Algorithm Key generation for the modified-Rabin signature scheme

SUMMARY: each entity creates a public key and corresponding private key.

Each entity A should do the following:

1. Select random primes p ≡ 3 (mod 8), q ≡ 7 (mod 8) and compute n = pq.

2. A's public key is n; A's private key is d = (n − p − q + 5)/8.


11.30 Algorithm Modified-Rabin public-key signature generation and verification

SUMMARY: entity A signs a message m ∈ M. Any entity B can verify A's signature and recover the message m from the signature.

1. Signature generation. Entity A should do the following:

(a) Compute m̃ = R(m) = 16m + 6.

(b) Compute the Jacobi symbol J = (m̃/n) (using Algorithm 2.149).

(c) If J = 1 then compute s = m̃^d mod n.

(d) If J = −1 then compute s = (m̃/2)^d mod n.^4

(e) A's signature for m is s.

2. Verification. To verify A's signature s and recover the message m, B should:

(a) Obtain A's authentic public key n.

(b) Compute m' = s^2 mod n. (Note the original message m itself is not required.)

(c) If m' ≡ 6 (mod 8), take m̃ = m'.

(d) If m' ≡ 3 (mod 8), take m̃ = 2m'.

(e) If m' ≡ 7 (mod 8), take m̃ = n − m'.

(f) If m' ≡ 2 (mod 8), take m̃ = 2(n − m').

(g) Verify that m̃ ∈ M_R (see Table 11.2); if not, reject the signature.

(h) Recover m = R^{−1}(m̃) = (m̃ − 6)/16.

^4 If J ≠ 1 or −1 then J = 0, implying gcd(m̃, n) ≠ 1. This leads to a factorization of n. In practice, the probability that this will ever occur is negligible.


Proof that signature verification works. The signature generation phase signs either v = m̃ or v = m̃/2 depending upon which has Jacobi symbol 1. By Fact 11.28(iv), exactly one of m̃, m̃/2 has Jacobi symbol 1. The value v that is signed is such that v ≡ 3 or 6 (mod 8). By Fact 11.28(iii), s^2 mod n = v or n − v depending on whether or not v ∈ Q_n. Since n ≡ 5 (mod 8), these cases can be uniquely distinguished.

11.31 Example (modified-Rabin signature scheme with artificially small parameters)

Key generation. A chooses p = 19, q = 31, and computes n = pq = 589 and d = (n − p − q + 5)/8 = 68. A's public key is n = 589, while A's private key is d = 68. The signing space M_S is given in the following table, along with the Jacobi symbol of each element.

     m   (m/589) |    m   (m/589) |    m   (m/589) |    m   (m/589)
     6     −1    |  182     −1    |  374     −1    |  534     −1
    22      1    |  198      1    |  390     −1    |  550      1
    54     −1    |  214      1    |  406     −1    |  566     −1
    70     −1    |  230      1    |  422      1    |  582      1
    86      1    |  246      1    |  438      1    |
   102      1    |  262     −1    |  454      1    |
   118      1    |  278      1    |  470     −1    |
   134      1    |  294     −1    |  486     −1    |
   150     −1    |  326     −1    |  502      1    |
   166      1    |  358     −1    |  518     −1    |

Signature generation. To sign a message m = 12, A computes m̃ = R(12) = 198, (m̃/n) = (198/589) = 1, and s = 198^68 mod 589 = 102. A's signature for m = 12 is s = 102.

Signature verification. B computes m' = s^2 mod n = 102^2 mod 589 = 391. Since m' ≡ 7 (mod 8), B takes m̃ = n − m' = 589 − 391 = 198. Finally, B computes m = R^{−1}(m̃) = (198 − 6)/16 = 12, and accepts the signature. □
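Algorithms 11.29 and 11.30 with the key of Example 11.31 (p = 19, q = 31, n = 589, d = 68), as an added example (not code from the Handbook). The Jacobi symbol routine is a standard implementation of the rules the page cites as Algorithm 2.149 but does not reproduce; the function names are assumptions. The signing routine refuses the J = 0 case of footnote 4 instead of proceeding, since a signature on such a value would hand out a factor of n.

```python
def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; returns 0 when gcd(a, n) > 1."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:                 # (2/n) = -1 exactly when n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                       # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def keygen(p, q):
    """Algorithm 11.29: p = 3 (mod 8), q = 7 (mod 8); returns (n, d)."""
    assert p % 8 == 3 and q % 8 == 7
    n = p * q
    return n, (n - p - q + 5) // 8


def R(m):
    return 16 * m + 6


def R_inv(m_tilde):
    return (m_tilde - 6) // 16


def sign(m, n, d):
    """Algorithm 11.30, signature generation."""
    m_tilde = R(m)
    J = jacobi(m_tilde, n)
    if J == 1:
        v = m_tilde
    elif J == -1:
        v = m_tilde // 2       # m_tilde is even; halving flips the symbol (Fact 11.28(iv))
    else:
        # Footnote 4: J = 0 means gcd(m_tilde, n) > 1, which would reveal a factor of n.
        raise ValueError("R(m) shares a factor with n; refusing to sign")
    return pow(v, d, n)


def verify(s, n):
    """Algorithm 11.30, verification; returns m, or None if the signature is rejected."""
    m1 = s * s % n
    if m1 % 8 == 6:
        m_tilde = m1
    elif m1 % 8 == 3:
        m_tilde = 2 * m1
    elif m1 % 8 == 7:
        m_tilde = n - m1
    elif m1 % 8 == 2:
        m_tilde = 2 * (n - m1)
    else:
        return None
    if not (m_tilde < n and m_tilde % 16 == 6):      # m_tilde in M_R (Table 11.2)?
        return None
    return R_inv(m_tilde)


def signing_space_with_jacobi(n):
    """The table of Example 11.31: m in M_S = {m = 6 (mod 16)} with (m/n),
    omitting the values not coprime to n (38, 310 and 342 for n = 589)."""
    return [(m, jacobi(m, n)) for m in range(6, n, 16) if jacobi(m, n) != 0]
```

sign(12, 589, 68) returns 102 and verify(102, 589) returns 12, as in the Example; the test also round-trips every message of M = {0, ..., 36} except the three whose R(m) is not coprime to n, which sign rejects.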

11.32 Note (security of modified-Rabin signature scheme)

(i) When using Algorithm 11.30, one should never sign a value v having Jacobi symbol −1, since this leads to a factorization of n. To see this, observe that y = v^{2d} = s^2 must have Jacobi symbol 1; but y^2 = (v^2)^{2d} ≡ v^2 (mod n) by Fact 11.28(iii). Therefore, (v − y)(v + y) ≡ 0 (mod n). Since v and y have opposite Jacobi symbols, v ≢ ±y (mod n) and thus gcd(v − y, n) = p or q.

(ii) Existential forgery is easily accomplished for the modified-Rabin scheme as it was for the original Rabin scheme (see Note 11.27(i)). One only needs to find an s, 1 ≤ s ≤ n − 1, such that either s^2 or n − s^2 or 2s^2 or 2(n − s^2) mod n is congruent to 6 modulo 16. In any of these cases, s is a valid signature for m' = s^2 mod n.

11.33 Note (performance characteristics of the Rabin signature scheme) Algorithm 11.25 requires a redundancy function from M to M_S = Q_n which typically involves computing a Jacobi symbol (Algorithm 2.149). Signature generation then involves computing at least one Jacobi symbol (see Note 11.27) and a square root modulo n. The square root computation is comparable to an exponentiation modulo n (see Algorithm 3.44). Since computing the Jacobi symbol is equivalent to a small number of modular multiplications, Rabin signature generation is not significantly more computationally intensive than an RSA signature generation with the same modulus size. Signature verification is very fast if e = 2; it requires only one modular multiplication. Squaring can be performed slightly more efficiently than a general modular multiplication (see Note 14.18). This, too, compares favorably with RSA signature verification even when the RSA public exponent is e = 3. The modified Rabin scheme (Algorithm 11.30) specifies the message space and redundancy function. Signature generation requires the evaluation of a Jacobi symbol and one modular exponentiation.

11.34 Note (bandwidth efficiency) The Rabin digital signature scheme is similar to the RSA scheme with respect to bandwidth efficiency (see §11.3.3(vi)).


11.3.5 ISO/IEC 9796 formatting

ISO/IEC  9796  was  published  in  1991  by  the  International  Standards  Organization  as  the  first 
international  standard  for  digital  signatures.  It  specifies  a digital  signature  process  which 
uses  a digital  signature  mechanism  providing  message  recovery. 

The  main  features  of  ISO/IEC  9796  are:  (i)  it  is  based  on  public-key  cryptography;  (ii) 
the  particular  signature  algorithm  is  not  specified  but  it  must  map  k bits  to  k bits;  (iii)  it 
is  used  to  sign  messages  of  limited  length  and  does  not  require  a cryptographic  hash  func- 
tion; (iv)  it  provides  message  recovery  (see  Note  11.14);  and  (v)  it  specifies  the  message 
padding,  where  required.  Examples  of  mechanisms  suitable  for  the  standard  are  RSA  (Al- 
gorithm 11.19)  and  modified-Rabin  (Algorithm  11.30).  The  specific  methods  used  for 
padding,  redundancy,  and  truncation  in  ISO/IEC  9796  prevent  various  means  to  forge  sig- 
natures. Table  11.3  provides  notation  for  this  subsection. 


   Symbol   Meaning
   k        the bitlength of the signature.
   d        the bitlength of the message m to be signed; it is required that d ≤ 8⌊(k + 3)/16⌋.
   z        the number of bytes in the padded message; z = ⌈d/8⌉.
   r        one more than the number of padding bits; r = 8z − d + 1.
   t        the least integer such that a string of 2t bytes includes at least k − 1 bits; t = ⌈(k − 1)/16⌉.

Table 11.3: ISO/IEC 9796 notation.


11.35 Example (sample parameter values for ISO/IEC 9796) The following table lists sample values of parameters in the signing process for a 150-bit message and a 1024-bit signature.

   Parameter   k (bits)   d (bits)   z (bytes)   r (bits)   t (bytes)
   Value       1024       150        19          3          64

□
(i) Signature process for ISO/IEC 9796

The signature process consists of 5 steps as per Figure 11.5(a).

[Figure 11.5: Signature and verification processes for ISO/IEC 9796. Panel (a), the ISO/IEC 9796 signature process, runs from Message to Signature; panel (b), the ISO/IEC 9796 verification process, runs from Signature to "Signature accepted", with a Reject exit at each of its three checks.]


1. padding. If m is the message, form the padded message MP = 0^{r−1}||m where 1 ≤ r ≤ 8, such that the number of bits in MP is a multiple of 8. The number of bytes in MP is z: MP = m_z||m_{z−1}||···||m_2||m_1 where each m_i is a byte.

2. message extension. The extended message, denoted ME, is obtained from MP by repeated concatenation on the left of MP with itself until t bytes are in the string: ME = ME_t||ME_{t−1}||···||ME_2||ME_1 (each ME_i is a byte). If t is not a multiple of z, then the last bytes to be concatenated are a partial set of bytes from MP, where these bytes are consecutive bytes of MP from the right. More precisely, ME_{i+1} = m_{(i mod z)+1} for 0 ≤ i ≤ t − 1.

3. message redundancy. Redundancy is added to ME to get the byte string MR = MR_{2t}||MR_{2t−1}||···||MR_2||MR_1 as follows. MR is obtained by interleaving the t bytes of ME with t redundant bytes and then adjusting byte MR_{2z} of the resulting string. More precisely, MR_{2i−1} = ME_i and MR_{2i} = S(ME_i) for 1 ≤ i ≤ t, where S(u) is called the shadow function of the byte u, and is defined as follows. If u = u_2||u_1 where u_1 and u_2 are nibbles (strings of bitlength 4), then S(u) = π(u_2)||π(u_1) where π is the permutation

\[
\pi = \begin{pmatrix} 0 & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & A & B & C & D & E & F \\ E & 3 & 5 & 8 & 9 & 4 & 2 & F & 0 & D & B & 6 & 7 & A & C & 1 \end{pmatrix}.
\]

(For brevity, π is written with nibbles represented by hexadecimal characters.) Finally, MR is obtained by replacing MR_{2z} with r ⊕ MR_{2z}.^5

4. truncation and forcing. Form the k-bit intermediate integer IR from MR as follows:

(a) to the least significant k − 1 bits of MR, append on the left a single bit 1;

(b) modify the least significant byte u_2||u_1 of the result, replacing it by u_1||0110.

(This is done to ensure that IR ≡ 6 (mod 16).)

^5 The purpose of MR_{2z} is to permit the verifier of a signature to recover the length d of the message. Since d = 8z − r + 1, it suffices to know z and r. These values can be deduced from MR.
5. signature production. A signature mechanism is used which maps k-bit integers to k-bit integers (and allows message recovery). IR is signed using this mechanism; let s denote the resulting signature.

11.36 Note (RSA, Rabin) ISO/IEC 9796 was intended for use with the RSA (Algorithm 11.19)^6 and Rabin (Algorithm 11.25)^7 digital signature mechanisms. For these particular schemes, signature production is stated more explicitly. Let e be the public exponent for the RSA or Rabin algorithms, n the modulus, and d the private exponent. First form the representative element RR which is: (i) IR if e is odd, or if e is even and the Jacobi symbol of IR (treated as an integer) with respect to the modulus n is 1; (ii) IR/2 if e is even and the Jacobi symbol of IR with respect to n is −1. The signature for m is s = (RR)^d mod n. ISO/IEC 9796 specifies that the signature s should be the lesser of (RR)^d mod n and n − ((RR)^d mod n).

(ii) Verification process for ISO/IEC 9796

The verification process for an ISO/IEC 9796 digital signature can be separated into three stages, as per Figure 11.5(b).

1. signature opening. Let s be the signature. Then the following steps are performed.

(a) Apply the public verification transformation to s to recover an integer IR'.

(b) Reject the signature if IR' is not a string of k bits with the most significant bit being a 1, or if the least significant nibble does not have value 0110.

2. message recovery. A string MR' of 2t bytes is constructed from IR' by performing the following steps.

(a) Let X be the least significant k − 1 bits of IR'.

(b) If u_4||u_3||u_2||0110 are the four least significant nibbles of X, replace the least significant byte of X by π^{−1}(u_4)||u_2.

(c) MR' is obtained by padding X with between 0 and 15 zero bits so that the resulting string has 2t bytes.

The values z and r are computed as follows.

(a) From the 2t bytes of MR', compute the t sums MR'_{2i} ⊕ S(MR'_{2i−1}), 1 ≤ i ≤ t. If all sums are 0, reject the signature.

(b) Let z be the smallest value of i for which MR'_{2i} ⊕ S(MR'_{2i−1}) ≠ 0.

(c) Let r be the least significant nibble of the sum found in step (b). Reject the signature if the hexadecimal value of r is not between 1 and 8.

From MR', the z-byte string MP' is constructed as follows.

(a) MP'_i = MR'_{2i−1} for 1 ≤ i ≤ z.

(b) Reject the signature if the r − 1 most significant bits of MP' are not all 0's.

(c) Let M' be the 8z − r + 1 least significant bits of MP'.

3. redundancy checking. The signature s is verified as follows.

(a) From M' construct a string MR'' by applying the message padding, message extension, and message redundancy steps of the signing process.

(b) Accept the signature if and only if the k − 1 least significant bits of MR'' are equal to the k − 1 least significant bits of MR'.

^6 Since steps 1 through 4 of the signature process describe the redundancy function R, m̃ in step 1a of Algorithm 11.19 is taken to be IR.

^7 m̃ is taken to be IR in step 1 of Algorithm 11.25.
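The formatting steps 1 through 4 of the signature process and stages 1(b) through 3 of the verification process, as an added example (not code from the Handbook or from the standard itself). It uses the nibble permutation π of step 3 and the parameters of Example 11.35 (k = 1024, d = 150); the 150-bit message and the tampered value in the test are constructed. Step 5 and stage 1(a), the signature mechanism and its inverse, are deliberately left out, so the functions operate on IR directly.

```python
from math import ceil

# Nibble permutation pi of the shadow function (step 3); PI[u] = pi(u).
PI = [0xE, 0x3, 0x5, 0x8, 0x9, 0x4, 0x2, 0xF, 0x0, 0xD, 0xB, 0x6, 0x7, 0xA, 0xC, 0x1]
PI_INV = [PI.index(v) for v in range(16)]


def shadow(u):
    """S(u) = pi(u2) || pi(u1) for the byte u = u2 || u1."""
    return (PI[u >> 4] << 4) | PI[u & 0xF]


def iso9796_params(d, k):
    """(z, r, t) of Table 11.3 for a d-bit message and a k-bit signature."""
    if d > 8 * ((k + 3) // 16):
        raise ValueError("message too long for this signature length")
    z = ceil(d / 8)
    return z, 8 * z - d + 1, ceil((k - 1) / 16)


def redundant_message(m, d, k):
    """Steps 1-3 (padding, extension, redundancy); returns MR as an integer
    whose least significant byte is MR_1."""
    z, r, t = iso9796_params(d, k)
    mp = m.to_bytes(z, "big")[::-1]            # mp[i] is m_{i+1}; the r-1 top bits are 0
    me = [mp[i % z] for i in range(t)]         # ME_{i+1} = m_{(i mod z)+1}
    mr = [0] * (2 * t)                         # mr[j] is MR_{j+1}
    for i in range(1, t + 1):
        mr[2 * i - 2] = me[i - 1]              # MR_{2i-1} = ME_i
        mr[2 * i - 1] = shadow(me[i - 1])      # MR_{2i}   = S(ME_i)
    mr[2 * z - 1] ^= r                         # MR_{2z} <- r xor MR_{2z} (footnote 5)
    return int.from_bytes(bytes(mr[::-1]), "big")


def iso9796_format(m, d, k):
    """Step 4 (truncation and forcing): the k-bit intermediate integer IR."""
    mr = redundant_message(m, d, k)
    ir = (mr & ((1 << (k - 1)) - 1)) | (1 << (k - 1))   # low k-1 bits, leading 1
    u1 = ir & 0xF
    return (ir & ~0xFF) | (u1 << 4) | 0x6                # u2||u1 -> u1||0110


def iso9796_recover(ir, k):
    """Verification stages 1(b)-3 on an opened signature IR'.  Returns the
    recovered message as (m, d), or None if any check rejects."""
    if ir.bit_length() != k or ir & 0xF != 0x6:          # stage 1(b)
        return None
    t = ceil((k - 1) / 16)
    x = ir & ((1 << (k - 1)) - 1)                        # stage 2(a)
    u4, u2 = (x >> 12) & 0xF, (x >> 4) & 0xF
    x = (x & ~0xFF) | (PI_INV[u4] << 4) | u2             # stage 2(b): restore byte m_1
    mr = list(x.to_bytes(2 * t, "big")[::-1])            # stage 2(c): MR'_{j+1} = mr[j]
    sums = [mr[2 * i - 1] ^ shadow(mr[2 * i - 2]) for i in range(1, t + 1)]
    nonzero = [i for i, v in enumerate(sums, 1) if v != 0]
    if not nonzero:
        return None
    z = nonzero[0]
    r = sums[z - 1] & 0xF
    if not 1 <= r <= 8:
        return None
    mp = int.from_bytes(bytes(mr[0:2 * z:2][::-1]), "big")   # MP'_i = MR'_{2i-1}
    if mp >> (8 * z - r + 1) != 0:                       # the r-1 top bits must be 0
        return None
    d = 8 * z - r + 1
    m = mp & ((1 << d) - 1)                              # M'
    mask = (1 << (k - 1)) - 1
    try:                                                 # stage 3: rebuild MR'' and compare
        if redundant_message(m, d, k) & mask != x & mask:
            return None
    except ValueError:
        return None
    return m, d
```

The round trip iso9796_recover(iso9796_format(m, d, k), k) returns (m, d); the test also flips one bit inside IR to show that the redundancy check then rejects, and checks that iso9796_params(150, 1024) reproduces the z, r, t of Example 11.35.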
11.3.6 PKCS #1 formatting

Public-key cryptography standards (PKCS) are a suite of specifications which include techniques for RSA encryption and signatures (see §15.3.6). This subsection describes the digital signature process specified in PKCS #1 ("RSA Encryption Standard").

The digital signature mechanism in PKCS #1 does not use the message recovery feature of the RSA signature scheme. It requires a hashing function (either MD2 or MD5; see Algorithm 9.51) and, therefore, is a digital signature scheme with appendix. Table 11.4 lists notation used in this subsection. Capital letters refer to octet strings. If X is an octet string, then X_i is octet i counting from the left.


Symbol   Meaning                                       Symbol   Meaning
k        the length of n in octets (k >= 11)           EB       encryption block
n        the modulus, 2^{8(k-1)} <= n < 2^{8k}         ED       encrypted data
p, q     the prime factors of n                        octet    a bitstring of length 8
e        the public exponent                           ab       hexadecimal octet value
d        the private exponent                          BT       block type
M        message                                       PS       padding string
MD       message digest                                S        signature
MD'      comparative message digest                    ||X||    length of X in octets

Table 11.4: PKCS #1 notation.


(i) PKCS #1 data formatting

The data is an octet string $D$, where $\|D\| \le k - 11$. $BT$ is a single octet whose hexadecimal representation is either 00 or 01. $PS$ is an octet string with $\|PS\| = k - 3 - \|D\|$. If $BT$ = 00, then all octets in $PS$ are 00; if $BT$ = 01, then all octets in $PS$ are ff. The formatted data block (called the encryption block) is $EB = 00 \| BT \| PS \| 00 \| D$.

11.37 Note (data formatting rationale)

(i) The leading 00 octet ensures that the octet string $EB$, when interpreted as an integer, is less than the modulus $n$.

(ii) If the block type is $BT$ = 00, then either $D$ must begin with a non-zero octet or its length must be known, in order to permit unambiguous parsing of $EB$.

(iii) If $BT$ = 01, then unambiguous parsing is always possible.

(iv) For the reason given in (iii), and to thwart certain potential attacks on the signature mechanism, $BT$ = 01 is recommended.

11.38 Example (PKCS #1 data formatting for particular values) Suppose that $n$ is a 1024-bit modulus (so $k = 128$). If $\|D\| = 20$ octets, then $\|PS\| = 105$ octets, and $\|EB\| = 128$ octets. □

(ii)  Signature  process  for  PKCS  #1 

The  signature  process  involves  the  steps  as  per  Figure  11.6(a). 

The  input  to  the  signature  process  is  the  message  M,  and  the  signer’s  private  exponent  d 
and  modulus  n. 

1.  message  hashing.  Hash  the  message  M using  the  selected  message-digest  algorithm 
to  get  the  octet  string  MD. 
[Figure 11.6 flow diagrams not reproduced. (a) PKCS #1 signature process: from Message to Signature. (b) PKCS #1 verification process: from Signature and Message through octet-string-to-integer conversion, RSA computation, integer-to-octet-string conversion, parsing, data decoding, and message digesting and comparison; a NO at any check leads to REJECT, and a final YES to "Signature accepted".]

Figure 11.6: Signature and verification processes for PKCS #1.


2. message digest encoding. $MD$ and the hash algorithm identifier are combined into an ASN.1 (abstract syntax notation) value and then BER-encoded (basic encoding rules) to give an octet data string $D$.

3. data block formatting. With data string input $D$, use the data formatting from §11.3.6(i) to form octet string $EB$.

4. octet-string-to-integer conversion. Let the octets of $EB$ be $EB_1 \| EB_2 \| \cdots \| EB_k$. Define $\overline{EB_i}$ to be the integer whose binary representation is the octet $EB_i$ (least significant bit is on the right). The integer representing $EB$ is $m = \sum_{i=1}^{k} 2^{8(k-i)} \overline{EB_i}$.$^{8}$

5. RSA computation. Compute $s = m^d \bmod n$.

6. integer-to-octet-string conversion. Convert $s$ to an octet string $ED = ED_1 \| ED_2 \| \cdots \| ED_k$, where the octets $ED_i$ satisfy $s = \sum_{i=1}^{k} 2^{8(k-i)} \overline{ED_i}$. The signature is $S = ED$.

(iii)  Verification  process  for  PKCS  #1 

The  verification  process  involves  the  steps  as  per  Figure  11.6(b).  The  input  to  the  verifica- 
tion process  is  the  message  M,  the  signature  S,  the  public  exponent  e,  and  modulus  n. 

1. octet-string-to-integer conversion.

(a) Reject $S$ if the bitlength of $S$ is not a multiple of 8.

(b) Convert $S$ to an integer $s$ as in step 4 of the signature process.

(c) Reject the signature if $s \ge n$ (a valid $s$ is an integer in $[0, n-1]$).

8 Since $EB_1$ = 00 and $n \ge 2^{8(k-1)}$, then $0 \le m < n$.

2.  RSA  computation.  Compute  m = se  mod  n. 

3.  integer-to-octet-string  conversion.  Convert  m to  an  octet  string  EB  of  length  k octets 
as  in  step  6 of  the  signature  process. 

4.  parsing.  Parse  EB  into  a block  type  BT,  a padding  string  PS,  and  the  data  D. 

(a)  Reject  the  signature  if  EB  cannot  be  parsed  unambiguously. 

(b)  Reject  the  signature  if  BT  is  not  one  of  00  or  01. 

(c)  Reject  the  signature  if  PS  consists  of  < 8 octets  or  is  inconsistent  with  BT. 

5.  data  decoding. 

(a)  BER-decode  D to  get  a message  digest  MD  and  a hash  algorithm  identifier. 

(b)  Reject  the  signature  if  the  hashing  algorithm  identifier  does  not  identify  one  of 
MD2  or  MD5. 

6.  message  digesting  and  comparison. 

(a)  Hash  the  message  M with  the  selected  message-digest  algorithm  to  get  MD'. 

(b)  Accept  the  signature  S on  M if  and  only  if  MD'  = MD. 
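The formatting of §11.3.6(i) and the signature and verification processes of (ii)-(iii), as an added Python example that is not part of the Handbook: it builds $EB$, parses it strictly as verification step 4 demands (rejecting an ambiguous block, a $BT$ outside {00, 01}, or a padding string shorter than 8 octets), and runs textbook RSA over it. Assumptions: the toy modulus is the product of the Mersenne primes $2^{127}-1$ and $2^{107}-1$ (far too small for real use, chosen only so the key needs no prime generation), $e = 65537$, MD5 is used only because the text names it (it is no longer collision-resistant), and $D$ is the raw digest rather than the BER-encoded value of signature step 2.

```python
import hashlib

# Toy RSA key (assumption; insecure size): n = (2^127 - 1)(2^107 - 1), k = 30 octets.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
K = (N.bit_length() + 7) // 8          # k: length of n in octets, 2^{8(k-1)} <= n < 2^{8k}
E = 65537
D_EXP = pow(E, -1, (P - 1) * (Q - 1))  # private exponent d


def os2ip(octets):
    """Octet-string-to-integer conversion (signature step 4): big-endian."""
    return int.from_bytes(octets, "big")


def i2osp(x, k):
    """Integer-to-octet-string conversion (signature step 6) into exactly k octets."""
    return x.to_bytes(k, "big")


def format_block(data, k, bt=0x01):
    """EB = 00 || BT || PS || 00 || D with ||PS|| = k - 3 - ||D|| and ||D|| <= k - 11."""
    if len(data) > k - 11:
        raise ValueError("||D|| exceeds k - 11")
    if bt not in (0x00, 0x01):
        raise ValueError("BT must be 00 or 01")
    ps = bytes([0xFF if bt == 0x01 else 0x00]) * (k - 3 - len(data))
    return b"\x00" + bytes([bt]) + ps + b"\x00" + data


def parse_block(eb):
    """Verification step 4: return D, or raise ValueError for a block that does
    not parse unambiguously, has BT outside {00, 01}, or has ||PS|| < 8."""
    if len(eb) < 11 or eb[0] != 0x00:
        raise ValueError("block does not start with 00")
    bt = eb[1]
    i = 2
    if bt == 0x01:
        while i < len(eb) and eb[i] == 0xFF:
            i += 1
        if i >= len(eb) or eb[i] != 0x00:
            raise ValueError("padding string not followed by 00")
        ps_len, data = i - 2, eb[i + 1:]
    elif bt == 0x00:
        # PS and the separator are all 00, so D must start with a non-zero octet
        # (Note 11.37(ii)); the last 00 before it is the separator.
        while i < len(eb) and eb[i] == 0x00:
            i += 1
        if i >= len(eb):
            raise ValueError("BT=00 block contains no data")
        ps_len, data = i - 3, eb[i:]
    else:
        raise ValueError("BT is neither 00 nor 01")
    if ps_len < 8:
        raise ValueError("padding string shorter than 8 octets")
    return data


def sign(message, d=D_EXP, n=N, k=K):
    """Signature process: hash, format, convert, s = m^d mod n, convert back."""
    md = hashlib.md5(message).digest()          # MD5 only because the text names it
    m = os2ip(format_block(md, k))              # m < n since EB_1 = 00 (footnote 8)
    return i2osp(pow(m, d, n), k)


def verify(message, sig, e=E, n=N, k=K):
    """Verification process: every check of steps 1-6 must pass."""
    if len(sig) != k:                           # S must be exactly k octets
        return False
    s = os2ip(sig)
    if s >= n:                                  # step 1(c)
        return False
    eb = i2osp(pow(s, e, n), k)                 # steps 2-3
    try:
        md = parse_block(eb)                    # step 4
    except ValueError:
        return False
    return md == hashlib.md5(message).digest()  # step 6: the whole of D must match


if __name__ == "__main__":
    sig = sign(b"constructed sample message")
    print(sig.hex(), verify(b"constructed sample message", sig))
```

The verifier recovers $D$ by walking the entire block and then compares it with the complete digest, so a block with the right leading octets but a short padding string, a wrong block type, or a missing separator is rejected; steps 4(a)-(c) and 6(b) read together require exactly that whole-block check, and a verifier that only inspects a prefix of $EB$ does not implement them.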


11.4 Fiat-Shamir signature schemes

As described in Note 10.30, any identification scheme involving a witness-challenge-response sequence can be converted to a signature scheme by replacing the random challenge of the verifier with a one-way hash function. This section describes two signature mechanisms which arise in this way. The basis for this methodology is the Fiat-Shamir identification protocol (Protocol 10.24).


11.4.1 Feige-Fiat-Shamir signature scheme

The Feige-Fiat-Shamir signature scheme is a modification of an earlier signature scheme of Fiat and Shamir, and requires a one-way hash function $h : \{0,1\}^* \to \{0,1\}^k$ for some fixed positive integer $k$. Here $\{0,1\}^k$ denotes the set of bitstrings of bitlength $k$, and $\{0,1\}^*$ denotes the set of all bitstrings (of arbitrary bitlengths). The method provides a digital signature with appendix, and is a randomized mechanism.


11.39 Algorithm Key generation for the Feige-Fiat-Shamir signature scheme

SUMMARY: each entity creates a public key and corresponding private key.

Each entity A should do the following:

1. Generate random distinct secret primes $p$, $q$ and form $n = pq$.

2. Select a positive integer $k$ and distinct random integers $s_1, s_2, \ldots, s_k \in \mathbb{Z}_n^*$.

3. Compute $v_j = s_j^{-2} \bmod n$, $1 \le j \le k$.

4. A's public key is the $k$-tuple $(v_1, v_2, \ldots, v_k)$ and the modulus $n$; A's private key is the $k$-tuple $(s_1, s_2, \ldots, s_k)$.
11.40 Algorithm Feige-Fiat-Shamir signature generation and verification

SUMMARY: entity A signs a binary message $m$ of arbitrary length. Any entity B can verify this signature by using A's public key.

1. Signature generation. Entity A should do the following:

(a) Select a random integer $r$, $1 \le r \le n-1$.

(b) Compute $u = r^2 \bmod n$.

(c) Compute $e = (e_1, \ldots, e_k) = h(m \| u)$; each $e_j \in \{0,1\}$.

(d) Compute $s = r \cdot \prod_{j=1}^{k} s_j^{e_j} \bmod n$.

(e) A's signature for $m$ is $(e, s)$.

2. Verification. To verify A's signature $(e, s)$ on $m$, B should do the following:

(a) Obtain A's authentic public key $(v_1, v_2, \ldots, v_k)$ and $n$.

(b) Compute $w = s^2 \cdot \prod_{j=1}^{k} v_j^{e_j} \bmod n$.

(c) Compute $e' = h(m \| w)$.

(d) Accept the signature if and only if $e = e'$.


Proof that signature verification works.

$$w = s^2 \cdot \prod_{j=1}^{k} v_j^{e_j} \equiv r^2 \cdot \prod_{j=1}^{k} s_j^{2e_j} \cdot \prod_{j=1}^{k} v_j^{e_j} = r^2 \cdot \prod_{j=1}^{k} (s_j^2 v_j)^{e_j} \equiv r^2 \equiv u \pmod{n}.$$

Hence, $w = u$ and therefore $e = e'$.

11.41 Example (Feige-Fiat-Shamir signature generation with artificially small parameters)

Key generation. Entity A generates primes $p = 3571$, $q = 4523$, and computes $n = pq = 16151633$. The following table displays the selection of $s_j$ (A's private key) and integers $v_j$ (A's public key) along with intermediate values $s_j^{-1}$.

j                      1          2          3          4          5
s_j                    42         73         85         101        150
s_j^{-1} mod n         4999315    885021     6270634    13113207   11090788
v_j = s_j^{-2} mod n   503594     4879739    7104483    1409171    6965302

Signature generation. Suppose $h : \{0,1\}^* \to \{0,1\}^5$ is a hash function. A selects a random integer $r = 23181$ and computes $u = r^2 \bmod n = 4354872$. To sign message $m$, A evaluates $e = h(m \| u) = 10110$ (the hash value has been contrived for this example). A forms $s = r s_1 s_3 s_4 \bmod n = (23181)(42)(85)(101) \bmod n = 7978909$; the signature for $m$ is $(e = 10110, s = 7978909)$.

Signature verification. B computes $s^2 \bmod n = 2926875$ and $v_1 v_3 v_4 \bmod n = (503594)(7104483)(1409171) \bmod n = 15668174$. B then computes $w = s^2 v_1 v_3 v_4 \bmod n = 4354872$. Since $w = u$, it follows that $e' = h(m \| w) = h(m \| u) = e$ and, hence, B accepts the signature. □
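Algorithms 11.39-11.40 carried out in Python, as an added example that is not part of the Handbook, and checked against the numbers of Example 11.41. Assumptions: Python 3.8 or later (so that pow(x, -1, n) gives a modular inverse); the hash $h : \{0,1\}^* \to \{0,1\}^k$ is realised as SHA-256 of $m \| u$ truncated to $k$ bits, with $u$ encoded as a fixed-width integer; the function contrived_hash exists only to reproduce the text's fixed value $e = 10110$.

```python
import hashlib
import secrets
from math import gcd


def ffs_keygen(n, s_list):
    """Algorithm 11.39 steps 2-3: v_j = s_j^{-2} mod n for distinct s_j in Z_n^*."""
    if len(set(s_list)) != len(s_list) or any(gcd(s, n) != 1 for s in s_list):
        raise ValueError("the s_j must be distinct and invertible mod n")
    return [pow(pow(s, -1, n), 2, n) for s in s_list]


def hash_bits(m, x, n, k):
    """Stand-in for h : {0,1}* -> {0,1}^k (an assumption): SHA-256 of m || x,
    with x as a fixed-width big-endian integer, truncated to k bits e_1..e_k."""
    data = m + x.to_bytes((n.bit_length() + 7) // 8, "big")
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - k)
    return [(h >> (k - 1 - j)) & 1 for j in range(k)]


def ffs_sign(m, n, s_list, h=hash_bits, r=None):
    """Algorithm 11.40 step 1; r may be supplied to reproduce a worked example."""
    k = len(s_list)
    if r is None:
        r = secrets.randbelow(n - 1) + 1           # 1 <= r <= n - 1
    u = pow(r, 2, n)
    e = h(m, u, n, k)
    s = r
    for e_j, s_j in zip(e, s_list):                # s = r * prod s_j^{e_j} mod n
        if e_j:
            s = s * s_j % n
    return e, s


def ffs_recover_w(n, v_list, e, s):
    """Step 2(b): w = s^2 * prod v_j^{e_j} mod n, which equals u for a valid signature."""
    w = pow(s, 2, n)
    for e_j, v_j in zip(e, v_list):
        if e_j:
            w = w * v_j % n
    return w


def ffs_verify(m, n, v_list, sig, h=hash_bits):
    """Step 2: accept iff e == h(m || w)."""
    e, s = sig
    if len(e) != len(v_list) or not (1 <= s <= n - 1):
        return False
    return e == h(m, ffs_recover_w(n, v_list, e, s), n, len(v_list))


# Example 11.41's parameters (n = 3571 * 4523, k = 5) and its contrived hash.
N_EX = 3571 * 4523
S_EX = [42, 73, 85, 101, 150]
V_EX = ffs_keygen(N_EX, S_EX)


def contrived_hash(m, x, n, k):
    return [1, 0, 1, 1, 0]            # the text's e = 10110


if __name__ == "__main__":
    sig = ffs_sign(b"m", N_EX, S_EX, h=contrived_hash, r=23181)
    print(sig, ffs_verify(b"m", N_EX, V_EX, sig, h=contrived_hash))
```

With $k = 5$ the hash has only 32 possible values, so a random $(e, s)$ pair verifies with probability $2^{-5}$; the example is artificial for exactly that reason, and a real deployment takes $k$ of the size discussed in Note 11.43 (the same functions run unchanged with a longer s_list).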

11.42 Note (security of Feige-Fiat-Shamir signature scheme)

(i) Unlike the RSA signature scheme (Algorithm 11.19), all entities may use the same modulus $n$ (cf. §8.2.2(vi)). In this scenario, a trusted third party (TTP) would need to generate the primes $p$ and $q$ and also public and private keys for each entity.

(ii) The security of the Feige-Fiat-Shamir scheme is based on the intractability of computing square roots modulo $n$ (see §3.5.2). It has been proven to be secure against an adaptive chosen-message attack, provided that factoring is intractable, $h$ is a random function, and the $s_j$'s are distinct.

11.43 Note (parameter selection and key storage requirements) If $n$ is a $t$-bit integer, the private key constructed in Algorithm 11.39 is $kt$ bits in size. This may be reduced by selecting the random values $s_j$, $1 \le j \le k$, as numbers of bitlength $t' < t$; $t'$, however, should not be chosen so small that guessing the $s_j$ is feasible. The public key is $(k+1)t$ bits in size. For example, if $t = 768$ and $k = 128$, then the private key requires 98304 bits and the public key requires 99072 bits.

11.44 Note (identity-based Feige-Fiat-Shamir signatures) Suppose a TTP constructs primes $p$ and $q$ and modulus $n$; the modulus is common to all entities in the system. Algorithm 11.39 can be modified so that the scheme is identity-based. Entity A's bitstring $I_A$ contains information which identifies A. The TTP computes $v_j = f(I_A \| j)$, $1 \le j \le k$, where $f$ is a one-way hash function from $\{0,1\}^*$ to $Q_n$ and $j$ is represented in binary, and computes a square root $s_j$ of $v_j^{-1}$ modulo $n$, $1 \le j \le k$. A's public key is simply the identity information $I_A$, while A's private key (transported securely and secretly by the TTP to A) is the $k$-tuple $(s_1, s_2, \ldots, s_k)$. The functions $h$, $f$, and the modulus $n$ are system-wide quantities.

This procedure has the advantage that the public key generated in Algorithm 11.39 might be generated from a smaller quantity $I_A$, potentially reducing the storage and transmission cost. It has the disadvantages that the private keys of entities are known to the TTP, and the modulus $n$ is system-wide, making it a more attractive target.

11.45 Note (small prime variation of Feige-Fiat-Shamir signatures) This improvement aims to reduce the size of the public key and increase the efficiency of signature verification. Unlike the modification described in Note 11.44, each entity A generates its own modulus $n_A$ and a set of $k$ small primes $v_1, v_2, \ldots, v_k \in Q_n$ (each prime will require around 2 bytes to represent). Entity A selects one of the square roots $s_j$ of $v_j^{-1}$ modulo $n$ for each $j$, $1 \le j \le k$; these form the private key. The public key consists of $n_A$ and the values $v_1, v_2, \ldots, v_k$. Verification of signatures proceeds more efficiently since computations are done with much smaller numbers.

11.46 Note (performance characteristics of Feige-Fiat-Shamir signatures) With the RSA scheme and a modulus of length $t = 768$, signature generation using naive techniques requires, on average, 1152 modular multiplications (more precisely, 768 squarings and 384 multiplications). Signature generation for the Feige-Fiat-Shamir scheme (Algorithm 11.40) requires, on average, $k/2$ modular multiplications. To sign a message with this scheme, a modulus of length $t = 768$ and $k = 128$ requires, on average, 64 modular multiplications, or less than 6% of the work required by a naive implementation of RSA. Signature verification requires only two modular multiplications (one squaring and one multiplication) for RSA if the public exponent is $e = 3$, and 64 modular multiplications, on average, for Feige-Fiat-Shamir. For applications where signature generation must be performed quickly and key space storage is not limited, the Feige-Fiat-Shamir scheme (or DSA-like schemes; see §11.5) may be preferable to RSA.
11.4.2 GQ signature scheme

The Guillou-Quisquater (GQ) identification protocol (§10.4.3) can be turned into a digital signature mechanism (Algorithm 11.48) if the challenge is replaced with a one-way hash function. Let $h : \{0,1\}^* \to \mathbb{Z}_n$ be a hash function where $n$ is a positive integer.


11.47 Algorithm Key generation for the GQ signature scheme

SUMMARY: each entity creates a public key $(n, e, J_A)$ and corresponding private key $a$.

Entity A should do the following:

1. Select random distinct secret primes $p$, $q$ and form $n = pq$.

2. Select an integer $e \in \{1, 2, \ldots, n-1\}$ such that $\gcd(e, (p-1)(q-1)) = 1$. (See Note 11.50 for guidance on selecting $e$.)

3. Select an integer $J_A$, $1 < J_A < n$, which serves as an identifier for A and such that $\gcd(J_A, n) = 1$. (The binary representation of $J_A$ could be used to convey information about A such as name, address, driver's license number, etc.)

4. Determine an integer $a \in \mathbb{Z}_n$ such that $J_A a^e \equiv 1 \pmod{n}$ as follows:

4.1 Compute $J_A^{-1} \bmod n$.

4.2 Compute $d_1 = e^{-1} \bmod (p-1)$ and $d_2 = e^{-1} \bmod (q-1)$.

4.3 Compute $a_1 = (J_A^{-1})^{d_1} \bmod p$ and $a_2 = (J_A^{-1})^{d_2} \bmod q$.

4.4 Find a solution $a$ to the simultaneous congruences $a \equiv a_1 \pmod{p}$, $a \equiv a_2 \pmod{q}$.

5. A's public key is $(n, e, J_A)$; A's private key is $a$.


11.48 Algorithm GQ signature generation and verification

SUMMARY: entity A signs a binary message $m$ of arbitrary length. Any entity B can verify this signature by using A's public key.

1. Signature generation. Entity A should do the following:

(a) Select a random integer $k$ and compute $r = k^e \bmod n$.

(b) Compute $l = h(m \| r)$.

(c) Compute $s = k a^l \bmod n$.

(d) A's signature for $m$ is the pair $(s, l)$.

2. Verification. To verify A's signature $(s, l)$ on $m$, B should do the following:

(a) Obtain A's authentic public key $(n, e, J_A)$.

(b) Compute $u = s^e J_A^l \bmod n$ and $l' = h(m \| u)$.

(c) Accept the signature if and only if $l = l'$.


Proof that signature verification works. Note that $u = s^e J_A^l = (k a^l)^e J_A^l = k^e (a^e J_A)^l \equiv k^e = r \pmod{n}$. Hence, $u = r$ and therefore $l = l'$.

11.49 Example (GQ signature generation with artificially small parameters)

Key generation. Entity A chooses primes $p = 20849$, $q = 27457$, and computes $n = pq = 572450993$. A selects an integer $e = 47$, an identifier $J_A = 1091522$, and solves the congruence $J_A a^e \equiv 1 \pmod{n}$ to get $a = 214611724$. A's public key is $(n = 572450993, e = 47, J_A = 1091522)$, while A's private key is $a = 214611724$.

Signature generation. To sign the message $m = 1101110001$, A selects a random integer $k = 42134$ and computes $r = k^e \bmod n = 297543350$. A then computes $l = h(m \| r) = 2713833$ (the hash value has been contrived for this example) and $s = k a^l \bmod n = (42134)(214611724)^{2713833} \bmod n = 252000854$. A's signature for $m$ is the pair $(s = 252000854, l = 2713833)$.

Signature verification. B computes $s^e \bmod n = 252000854^{47} \bmod n = 398641962$, $J_A^l \bmod n = 1091522^{2713833} \bmod n = 110523867$, and finally $u = s^e J_A^l \bmod n = 297543350$. Since $u = r$, $l' = h(m \| u) = h(m \| r) = l$, and so B accepts the signature. □
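Algorithms 11.47-11.48 in Python on the parameters of Example 11.49, as an added example that is not part of the Handbook, together with the forgery against a small $e$ that Note 11.50 (below) describes, run against this very key with $e = 47$. Assumptions: Python 3.8 or later; $h(m \| x)$ is realised as SHA-256 of $m$ and a fixed-width encoding of $x$, reduced mod $n$ (the text asks only for $h : \{0,1\}^* \to \mathbb{Z}_n$); the names crt, gq_keygen, gq_sign, gq_verify, gq_recover_u and gq_forge are this example's own.

```python
import hashlib
import secrets
from math import gcd


def crt(a1, p, a2, q):
    """Solve a = a1 (mod p), a = a2 (mod q) for a in Z_{pq} (step 4.4)."""
    return (a1 + p * ((a2 - a1) * pow(p, -1, q) % q)) % (p * q)


def gq_keygen(p, q, e, J):
    """Return (n, a) with J * a^e = 1 (mod n), following step 4 of Algorithm 11.47."""
    n = p * q
    if gcd(e, (p - 1) * (q - 1)) != 1 or not (1 < J < n) or gcd(J, n) != 1:
        raise ValueError("e must be coprime to phi(n) and J coprime to n")
    J_inv = pow(J, -1, n)                                 # 4.1
    d1, d2 = pow(e, -1, p - 1), pow(e, -1, q - 1)         # 4.2
    a1, a2 = pow(J_inv, d1, p), pow(J_inv, d2, q)         # 4.3
    a = crt(a1, p, a2, q)                                 # 4.4
    assert J * pow(a, e, n) % n == 1
    return n, a


def h(m, x, n):
    """h(m || x) into Z_n: SHA-256 reduced mod n (an assumption)."""
    data = m + x.to_bytes((n.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def gq_sign(m, n, e, a, k=None, hash_fn=h):
    """Algorithm 11.48 step 1; k may be supplied to reproduce a worked example."""
    if k is None:
        k = secrets.randbelow(n - 1) + 1
    r = pow(k, e, n)                         # (a)
    l = hash_fn(m, r, n)                     # (b)
    return k * pow(a, l, n) % n, l           # (c): s = k a^l mod n


def gq_recover_u(n, e, J, sig):
    """Step 2(b): u = s^e J^l mod n, which equals r for a valid signature."""
    s, l = sig
    return pow(s, e, n) * pow(J, l, n) % n


def gq_verify(m, n, e, J, sig, hash_fn=h):
    s, l = sig
    if not (0 < s < n):
        return False
    return l == hash_fn(m, gq_recover_u(n, e, J, sig), n)


def gq_forge(m, n, e, J, max_trials=1_000_000, hash_fn=h):
    """Note 11.50: search t until l = h(m || J^t) satisfies l = t (mod e); then
    x = (t - l)/e and s = J^x give s^e J^l = J^t, so (s, l) verifies on m.
    Returns the forged signature and the number of trials used."""
    J_inv = pow(J, -1, n)
    for t in range(1, max_trials):
        l = hash_fn(m, pow(J, t, n), n)
        if (t - l) % e == 0:
            x = (t - l) // e
            s = pow(J, x, n) if x >= 0 else pow(J_inv, -x, n)
            return (s, l), t
    return None, max_trials


if __name__ == "__main__":
    n, a = gq_keygen(20849, 27457, 47, 1091522)
    sig = gq_sign(b"1101110001", n, 47, a, k=42134)
    print(sig, gq_verify(b"1101110001", n, 47, 1091522, sig))
    forged, trials = gq_forge(b"any message", n, 47, 1091522)
    print(forged, trials, gq_verify(b"any message", n, 47, 1091522, forged))
```

Each trial of the loop in gq_forge succeeds with probability $1/e$, so with $e = 47$ the forgery lands after a few dozen hash evaluations and no knowledge of $a$; it is the size of $e$, not of $n$, that stops it, which is why Note 11.51 asks for a 128-bit $e$.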

11.50 Note (security of GQ signature scheme) In Algorithm 11.47, $e$ must be sufficiently large to exclude the possibility of forgery based on the birthday paradox (see §2.1.5). The potential attack proceeds along the following lines. The adversary selects a message $m$ and computes $l = h(m \| J_A^t)$ for sufficiently many values of $t$ until $l \equiv t \pmod{e}$; this is expected to occur within $O(\sqrt{e})$ trials. Having determined such a pair $(l, t)$, the adversary determines an integer $x$ such that $t = xe + l$ and computes $s = J_A^x \bmod n$. Observe that $s^e J_A^l = (J_A^x)^e J_A^l = J_A^{xe+l} = J_A^t \pmod{n}$, and, hence, $h(m \| J_A^t) = l$. Thus, $(s, l)$ is a valid (forged) signature for message $m$.

11.51 Note (parameter selection) Current methods (as of 1996) for integer factorization suggest that a modulus $n$ of size at least 768 bits is prudent. Note 11.50 suggests that $e$ should be at least 128 bits in size. Typical values for the outputs of secure hash functions are 128 or 160 bits. With a 768-bit modulus and a 128-bit $e$, the public key for the GQ scheme is $896 + u$ bits in size, where $u$ is the number of bits needed to represent $J_A$. The private key $a$ is 768 bits in size.

11.52 Note (performance characteristics of GQ signatures) Signature generation for GQ (Algorithm 11.48) requires two modular exponentiations and one modular multiplication. Using a 768-bit modulus $n$, a 128-bit value $e$, and a hash function with a 128-bit output $l$, signature generation (using naive techniques for exponentiation) requires on average 384 modular multiplications (128 squarings and 64 multiplications for each of $e$ and $l$). Signature verification requires a similar amount of work. Compare this with RSA (naively 1152 modular multiplications) and Feige-Fiat-Shamir (64 modular multiplications) for signature generation (see Note 11.46). GQ is computationally more intensive than Feige-Fiat-Shamir but requires significantly smaller key storage space (see Note 11.51).

11.53 Note (message recovery variant of GQ signatures) Algorithm 11.48 can be modified as follows to provide message recovery. Let the signing space be $M_S = \mathbb{Z}_n$, and let $m \in M_S$. In signature generation, select a random $k$ such that $\gcd(k, n) = 1$ and compute $r = k^e \bmod n$ and $l = mr \bmod n$. The signature is $s = k a^l \bmod n$. Verification gives $s^e J_A^l = k^e a^{el} J_A^l \equiv k^e = r \pmod{n}$. Message $m$ is recovered from $l r^{-1} \bmod n$. As for all digital signature schemes with message recovery, a suitable redundancy function $R$ is required to guard against existential forgery.


11.5 The DSA and related signature schemes

This section presents the Digital Signature Algorithm (DSA) and several related signature schemes. Most of these are presented over $\mathbb{Z}_p^*$ for some large prime $p$, but all of these mechanisms can be generalized to any finite cyclic group; this is illustrated explicitly for the ElGamal signature scheme in §11.5.2. All of the methods discussed in this section are randomized digital signature schemes (see Definition 11.2). All give digital signatures with appendix and can be modified to provide digital signatures with message recovery (see Note 11.14). A necessary condition for the security of all of the signature schemes described in this section is that computing logarithms in $\mathbb{Z}_p^*$ be computationally infeasible. This condition, however, is not necessarily sufficient for the security of these schemes; analogously, it remains unproven that RSA signatures are secure even if factoring integers is hard.


11.5.1 The Digital Signature Algorithm (DSA)

In August of 1991, the U.S. National Institute of Standards and Technology (NIST) proposed a digital signature algorithm (DSA). The DSA has become a U.S. Federal Information Processing Standard (FIPS 186) called the Digital Signature Standard (DSS), and is the first digital signature scheme recognized by any government. The algorithm is a variant of the ElGamal scheme (§11.5.2), and is a digital signature scheme with appendix.

The signature mechanism requires a hash function $h : \{0,1\}^* \to \mathbb{Z}_q$ for some integer $q$. The DSS explicitly requires use of the Secure Hash Algorithm (SHA-1), given by Algorithm 9.53.


11.54 Algorithm Key generation for the DSA

SUMMARY: each entity creates a public key and corresponding private key.

Each entity A should do the following:

1. Select a prime number $q$ such that $2^{159} < q < 2^{160}$.

2. Choose $t$ so that $0 \le t \le 8$, and select a prime number $p$ where $2^{511+64t} < p < 2^{512+64t}$, with the property that $q$ divides $(p-1)$.

3. (Select a generator $\alpha$ of the unique cyclic group of order $q$ in $\mathbb{Z}_p^*$.)

3.1 Select an element $g \in \mathbb{Z}_p^*$ and compute $\alpha = g^{(p-1)/q} \bmod p$.

3.2 If $\alpha = 1$ then go to step 3.1.

4. Select a random integer $a$ such that $1 \le a \le q-1$.

5. Compute $y = \alpha^a \bmod p$.

6. A's public key is $(p, q, \alpha, y)$; A's private key is $a$.


11.55 Note (generation of DSA primes p and q) In Algorithm 11.54 one must select the prime $q$ first and then try to find a prime $p$ such that $q$ divides $(p-1)$. The algorithm recommended by the DSS for accomplishing this is Algorithm 4.56.


11.56 Algorithm DSA signature generation and verification

SUMMARY: entity A signs a binary message $m$ of arbitrary length. Any entity B can verify this signature by using A's public key.

1. Signature generation. Entity A should do the following:

(a) Select a random secret integer $k$, $0 < k < q$.

(b) Compute $r = (\alpha^k \bmod p) \bmod q$ (e.g., using Algorithm 2.143).

(c) Compute $k^{-1} \bmod q$ (e.g., using Algorithm 2.142).

(d) Compute $s = k^{-1}\{h(m) + ar\} \bmod q$.

(e) A's signature for $m$ is the pair $(r, s)$.

2. Verification. To verify A's signature $(r, s)$ on $m$, B should do the following:

(a) Obtain A's authentic public key $(p, q, \alpha, y)$.

(b) Verify that $0 < r < q$ and $0 < s < q$; if not, then reject the signature.

(c) Compute $w = s^{-1} \bmod q$ and $h(m)$.

(d) Compute $u_1 = w \cdot h(m) \bmod q$ and $u_2 = rw \bmod q$.

(e) Compute $v = (\alpha^{u_1} y^{u_2} \bmod p) \bmod q$.

(f) Accept the signature if and only if $v = r$.


Proof that signature verification works. If $(r, s)$ is a legitimate signature of entity A on message $m$, then $h(m) \equiv -ar + ks \pmod{q}$ must hold. Multiplying both sides of this congruence by $w$ and rearranging gives $w \cdot h(m) + arw \equiv k \pmod{q}$. But this is simply $u_1 + au_2 \equiv k \pmod{q}$. Raising $\alpha$ to both sides of this equation yields $(\alpha^{u_1} y^{u_2} \bmod p) \bmod q = (\alpha^k \bmod p) \bmod q$. Hence, $v = r$, as required.

11.57 Example (DSA signature generation with artificially small parameters)

Key generation. A selects primes $p = 124540019$ and $q = 17389$ such that $q$ divides $(p-1)$; here, $(p-1)/q = 7162$. A selects a random element $g = 110217528 \in \mathbb{Z}_p^*$ and computes $\alpha = g^{7162} \bmod p = 10083255$. Since $\alpha \ne 1$, $\alpha$ is a generator for the unique cyclic subgroup of order $q$ in $\mathbb{Z}_p^*$. A next selects a random integer $a = 12496$ satisfying $1 \le a \le q-1$, and computes $y = \alpha^a \bmod p = 10083255^{12496} \bmod 124540019 = 119946265$. A's public key is $(p = 124540019, q = 17389, \alpha = 10083255, y = 119946265)$, while A's private key is $a = 12496$.

Signature generation. To sign $m$, A selects a random integer $k = 9557$, and computes $r = (\alpha^k \bmod p) \bmod q = (10083255^{9557} \bmod 124540019) \bmod 17389 = 27039929 \bmod 17389 = 34$. A then computes $k^{-1} \bmod q = 7631$, $h(m) = 5246$ (the hash value has been contrived for this example), and finally $s = (7631)\{5246 + (12496)(34)\} \bmod q = 13049$. The signature for $m$ is the pair $(r = 34, s = 13049)$.

Signature verification. B computes $w = s^{-1} \bmod q = 1799$, $u_1 = w \cdot h(m) \bmod q = (5246)(1799) \bmod 17389 = 12716$, and $u_2 = rw \bmod q = (34)(1799) \bmod 17389 = 8999$. B then computes $v = (\alpha^{u_1} y^{u_2} \bmod p) \bmod q = (10083255^{12716} \cdot 119946265^{8999} \bmod 124540019) \bmod 17389 = 27039929 \bmod 17389 = 34$. Since $v = r$, B accepts the signature. □
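Algorithms 11.54-11.56 in Python on the values of Example 11.57, as an added example that is not part of the Handbook: parameter validation for $(p, q, \alpha)$, key generation, signing with the $r \ne 0$, $s \ne 0$ regeneration of Note 11.62, and verification with the range check of step 2(b) performed first. Assumptions: Python 3.8 or later; $h(m)$ is passed in as an integer so that the text's contrived digest 5246 can be reused (a real implementation hashes $m$ with the hash the standard requires); the function names are this example's own.

```python
import secrets


def dsa_check_params(p, q, alpha):
    """q divides p - 1 and alpha generates the unique order-q subgroup of Z_p^*
    (Algorithm 11.54 steps 2-3: alpha != 1 and alpha^q = 1 mod p)."""
    return (p - 1) % q == 0 and 1 < alpha < p and pow(alpha, q, p) == 1


def dsa_generator(g, p, q):
    """Step 3.1: alpha = g^{(p-1)/q} mod p; the caller retries with a new g if alpha == 1."""
    return pow(g, (p - 1) // q, p)


def dsa_keygen(p, q, alpha, a=None):
    """Steps 4-5: private a in [1, q-1], public y = alpha^a mod p."""
    if a is None:
        a = secrets.randbelow(q - 1) + 1
    return a, pow(alpha, a, p)


def dsa_sign(hm, p, q, alpha, a, k=None):
    """Algorithm 11.56 step 1 on an already-hashed message hm.  With k = None a
    fresh secret k is drawn until r != 0 and s != 0 (Note 11.62); a supplied k
    (for reproducing a worked example) must never be reused."""
    while True:
        kk = secrets.randbelow(q - 1) + 1 if k is None else k     # 0 < k < q
        r = pow(alpha, kk, p) % q
        s = pow(kk, -1, q) * (hm + a * r) % q
        if r != 0 and s != 0:
            return r, s
        if k is not None:
            raise ValueError("supplied k gives r = 0 or s = 0")


def dsa_verify(hm, p, q, alpha, y, sig):
    """Algorithm 11.56 step 2; the range check of 2(b) comes before any arithmetic."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = w * hm % q, r * w % q
    v = pow(alpha, u1, p) * pow(y, u2, p) % p % q
    return v == r


# Example 11.57's parameters.
P_EX, Q_EX, G_EX = 124540019, 17389, 110217528
ALPHA_EX = dsa_generator(G_EX, P_EX, Q_EX)

if __name__ == "__main__":
    a, y = dsa_keygen(P_EX, Q_EX, ALPHA_EX, a=12496)
    sig = dsa_sign(5246, P_EX, Q_EX, ALPHA_EX, a, k=9557)
    print(sig, dsa_verify(5246, P_EX, Q_EX, ALPHA_EX, y, sig))
```

The range check in dsa_verify is not cosmetic: without it $s = 0$ has no inverse and $r = 0$ would let $v = r$ be satisfied independently of $y$, which is why step 2(b) rejects both before anything else is computed.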

11.58 Note (security of DSA) The security of the DSA relies on two distinct but related discrete logarithm problems. One is the logarithm problem in $\mathbb{Z}_p^*$ where the powerful index-calculus methods apply; the other is the logarithm problem in the cyclic subgroup of order $q$, where the best current methods run in "square-root" time. For further discussion, see §3.6.6. Since the DSA is a special case of ElGamal signatures (§11.5.2) with respect to the equation for $s$, security considerations for the latter are pertinent here (see Note 11.66).

11.59 Note (recommended parameter sizes) The size of $q$ is fixed by Algorithm 11.54 (as per FIPS 186) at 160 bits, while the size of $p$ can be any multiple of 64 between 512 and 1024 bits inclusive. A 512-bit prime $p$ provides marginal security against a concerted attack. As of 1996, a modulus of at least 768 bits is recommended. FIPS 186 does not permit primes $p$ larger than 1024 bits.

11.60 Note (performance characteristics of the DSA) For concreteness, suppose $p$ is a 768-bit integer. Signature generation requires one modular exponentiation, taking on average (using naive techniques for exponentiation) 240 modular multiplications, one modular inverse with a 160-bit modulus, two 160-bit modular multiplications, and one addition. The 160-bit operations are relatively minor compared to the exponentiation. The DSA has the advantage that the exponentiation can be precomputed and need not be done at the time of signature generation. By comparison, no precomputation is possible with the RSA signature scheme. The major portion of the work for signature verification is two exponentiations modulo $p$, each to 160-bit exponents. On average, these each require 240 modular multiplications or 480 in total. Some savings can be realized by doing the two exponentiations simultaneously (cf. Note 14.91); the cost, on average, is then 280 modular multiplications.

11.61 Note (system-wide parameters) It is not necessary for each entity to select its own primes $p$ and $q$. The DSS permits $p$, $q$, and $\alpha$ to be system-wide parameters. This does, however, present a more attractive target for an adversary.

11.62 Note (probability of failure) Verification requires the computation of $s^{-1} \bmod q$. If $s = 0$, then $s^{-1}$ does not exist. To avoid this situation, the signer may check that $s \ne 0$; but if $s$ is assumed to be a random element in $\mathbb{Z}_q$, then the probability that $s = 0$ is $(\frac{1}{2})^{160}$. In practice, this is extremely unlikely ever to occur. The signer may also check that $r \ne 0$. If the signer detects that either $r = 0$ or $s = 0$, a new value of $k$ should be generated.


11.5.2 The ElGamal signature scheme

The ElGamal signature scheme is a randomized signature mechanism. It generates digital signatures with appendix on binary messages of arbitrary length, and requires a hash function $h : \{0,1\}^* \to \mathbb{Z}_p$ where $p$ is a large prime number. The DSA (§11.5.1) is a variant of the ElGamal signature mechanism.


11.63 Algorithm Key generation for the ElGamal signature scheme

SUMMARY: each entity creates a public key and corresponding private key.

Each entity A should do the following:

1. Generate a large random prime $p$ and a generator $\alpha$ of the multiplicative group $\mathbb{Z}_p^*$ (using Algorithm 4.84).

2. Select a random integer $a$, $1 \le a \le p-2$.

3. Compute $y = \alpha^a \bmod p$ (e.g., using Algorithm 2.143).

4. A's public key is $(p, \alpha, y)$; A's private key is $a$.


11.64 Algorithm ElGamal signature generation and verification

SUMMARY: entity A signs a binary message $m$ of arbitrary length. Any entity B can verify this signature by using A's public key.

1. Signature generation. Entity A should do the following:

(a) Select a random secret integer $k$, $1 \le k \le p-2$, with $\gcd(k, p-1) = 1$.

(b) Compute $r = \alpha^k \bmod p$ (e.g., using Algorithm 2.143).

(c) Compute $k^{-1} \bmod (p-1)$ (e.g., using Algorithm 2.142).

(d) Compute $s = k^{-1}\{h(m) - ar\} \bmod (p-1)$.

(e) A's signature for $m$ is the pair $(r, s)$.

2. Verification. To verify A's signature $(r, s)$ on $m$, B should do the following:

(a) Obtain A's authentic public key $(p, \alpha, y)$.

(b) Verify that $1 \le r \le p-1$; if not, then reject the signature.

(c) Compute $v_1 = y^r r^s \bmod p$.

(d) Compute $h(m)$ and $v_2 = \alpha^{h(m)} \bmod p$.

(e) Accept the signature if and only if $v_1 = v_2$.


Proof that signature verification works. If the signature was generated by A, then $s \equiv k^{-1}\{h(m) - ar\} \pmod{p-1}$. Multiplying both sides by $k$ gives $ks \equiv h(m) - ar \pmod{p-1}$, and rearranging yields $h(m) \equiv ar + ks \pmod{p-1}$. This implies $\alpha^{h(m)} \equiv \alpha^{ar+ks} = (\alpha^a)^r (\alpha^k)^s = y^r r^s \pmod{p}$. Thus, $v_1 = v_2$, as required.

11.65 Example (ElGamal signature generation with artificially small parameters)

Key generation. A selects the prime p = 2357 and a generator α = 2 of Z_2357^*. A chooses the private key a = 1751 and computes y = α^a mod p = 2^1751 mod 2357 = 1185. A's public key is (p = 2357, α = 2, y = 1185).

Signature generation. For simplicity, messages will be integers from Z_p and h(m) = m (i.e., for this example only, take h to be the identity function). To sign the message m = 1463, A selects a random integer k = 1529, computes r = α^k mod p = 2^1529 mod 2357 = 1490, and k^{-1} mod (p−1) = 245. Finally, A computes s = 245{1463 − 1751(1490)} mod 2356 = 1777. A's signature for m = 1463 is the pair (r = 1490, s = 1777).

Signature verification. B computes v_1 = 1185^1490 · 1490^1777 mod 2357 = 1072, h(m) = 1463, and v_2 = 2^1463 mod 2357 = 1072. B accepts the signature since v_1 = v_2. □

11.66 Note (security of ElGamal signatures)

(i) An adversary might attempt to forge A's signature (per Algorithm 11.64) on m by selecting a random integer k and computing r = α^k mod p. The adversary must then determine s = k^{-1}{h(m) − ar} mod (p−1). If the discrete logarithm problem is computationally infeasible, the adversary can do no better than to choose an s at random; the success probability is only 1/p, which is negligible for large p.

(ii) A different k must be selected for each message signed; otherwise, the private key can be determined with high probability as follows. Suppose s_1 = k^{-1}{h(m_1) − ar} mod (p−1) and s_2 = k^{-1}{h(m_2) − ar} mod (p−1). Then (s_1 − s_2)k ≡ (h(m_1) − h(m_2)) (mod p−1). If s_1 − s_2 ≢ 0 (mod p−1), then k = (s_1 − s_2)^{-1}(h(m_1) − h(m_2)) mod (p−1). Once k is known, a is easily found.

(iii) If no hash function h is used, the signing equation is s = k^{-1}{m − ar} mod (p−1). It is then easy for an adversary to mount an existential forgery attack as follows. Select any pair of integers (u, v) with gcd(v, p−1) = 1. Compute r = α^u y^v mod p = α^{u+av} mod p and s = −rv^{-1} mod (p−1). The pair (r, s) is a valid signature for the message m = su mod (p−1), since (α^m α^{−ar})^{s^{-1}} = α^u y^v = r.

(iv) Step 2b in Algorithm 11.64 requires the verifier to check that 0 < r < p. If this check is not done, then an adversary can sign messages of its choice provided it has one valid signature created by entity A, as follows. Suppose that (r, s) is a signature for message m produced by A. The adversary selects a message m' of its choice and computes h(m') and u = h(m')·[h(m)]^{-1} mod (p−1) (assuming [h(m)]^{-1} mod (p−1) exists). It then computes s' = su mod (p−1) and r' such that r' ≡ ru (mod p−1) and r' ≡ r (mod p). The latter is always possible by the Chinese Remainder Theorem (Fact 2.120). The pair (r', s') is a signature for message m' which would be accepted by the verification algorithm (Algorithm 11.64) if step 2b were ignored.
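Algorithms 11.63 and 11.64 on the parameters of Example 11.65, with the step 2b range check that Note 11.66(iv) depends on, as an added Python example (not code from the Handbook). It assumes a SHA-256-based h: {0,1}* → Z_p for byte-string messages, and accepts a caller-supplied k only so that the example's values can be reproduced.

```python
"""ElGamal signatures (Algorithms 11.63/11.64) on the parameters of Example 11.65.

Added example, not code from the Handbook.  Assumptions: real messages are
bytes hashed with SHA-256 and reduced into Z_p (the Handbook only requires
some h: {0,1}* -> Z_p); the hash is a parameter so the example's identity
hash can be reproduced.  p = 2357 is a toy modulus, never a secure one.
"""
import hashlib
import secrets
from math import gcd


def hash_to_zp(p):
    """h: {0,1}* -> Z_p built from SHA-256 (an assumption, not the Handbook's h)."""
    return lambda m: int.from_bytes(hashlib.sha256(m).digest(), "big") % p


def elgamal_keygen(p, alpha, a):
    """Algorithm 11.63 with the private exponent a supplied by the caller."""
    if not 1 <= a <= p - 2:
        raise ValueError("private key must satisfy 1 <= a <= p-2")
    return (p, alpha, pow(alpha, a, p)), a


def elgamal_sign(pub, a, m, h, k=None):
    """Algorithm 11.64, step 1.  A fresh k with gcd(k, p-1) = 1 is drawn if none is given."""
    p, alpha, _ = pub
    if k is None:
        k = secrets.randbelow(p - 2) + 1               # 1 <= k <= p-2
        while gcd(k, p - 1) != 1:
            k = secrets.randbelow(p - 2) + 1
    elif not (1 <= k <= p - 2 and gcd(k, p - 1) == 1):
        raise ValueError("k must satisfy 1 <= k <= p-2 and gcd(k, p-1) = 1")
    r = pow(alpha, k, p)                               # step 1b
    k_inv = pow(k, -1, p - 1)                          # step 1c (Python 3.8+)
    s = (k_inv * (h(m) - a * r)) % (p - 1)             # step 1d
    return r, s


def elgamal_verify(pub, m, sig, h):
    """Algorithm 11.64, step 2, including the range check of step 2b."""
    p, alpha, y = pub
    r, s = sig
    if not 1 <= r <= p - 1:      # step 2b; skipping it enables the forgery of Note 11.66(iv)
        return False
    v1 = (pow(y, r, p) * pow(r, s, p)) % p             # step 2c
    v2 = pow(alpha, h(m), p)                           # step 2d
    return v1 == v2                                    # step 2e


def example_11_65():
    """Reproduce Example 11.65 (identity hash, k = 1529); returns (y, r, s, accepted)."""
    identity = lambda m: m
    pub, a = elgamal_keygen(2357, 2, 1751)
    r, s = elgamal_sign(pub, a, 1463, identity, k=1529)
    return pub[2], r, s, elgamal_verify(pub, 1463, (r, s), identity)


if __name__ == "__main__":
    print(example_11_65())                             # (1185, 1490, 1777, True)
    p, alpha = 2357, 2
    h = hash_to_zp(p)
    pub, a = elgamal_keygen(p, alpha, secrets.randbelow(p - 2) + 1)
    sig = elgamal_sign(pub, a, b"toy message", h)       # fresh random k
    print(elgamal_verify(pub, b"toy message", sig, h))  # True
```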
11.67 Note (security based on parameter selection)

(i) (index-calculus attack) The prime p should be sufficiently large to prevent efficient use of the index-calculus methods (§3.6.5).

(ii) (Pohlig-Hellman attack) p−1 should be divisible by a prime number q sufficiently large to prevent a Pohlig-Hellman discrete logarithm attack (§3.6.4).

(iii) (weak generators) Suppose that p ≡ 1 (mod 4) and the generator α satisfies the following conditions:

(a) α divides (p−1); and

(b) computing logarithms in the subgroup S of order α in Z_p^* can be efficiently done (for example, if a Pohlig-Hellman attack (§3.6.4) can be mounted in S).

It is then possible for an adversary to construct signatures (without knowledge of A's private key) which will be accepted by the verification algorithm (step 2 of Algorithm 11.64). To see this, suppose that p−1 = αq. To sign a message m the adversary does the following:

(a) Compute t = (p−3)/2 and set r = q.

(b) Determine z such that α^{qz} ≡ y^q (mod p) where y is A's public key. (This is possible since α^q and y^q are elements of S and α^q is a generator of S.)

(c) Compute s = t·{h(m) − qz} mod (p−1).

(d) (r, s) is a signature on m which will be accepted by step 2 of Algorithm 11.64.

This attack works because the verification equation r^s y^r ≡ α^{h(m)} (mod p) is satisfied. To see this, first observe that αq ≡ −1 (mod p), α ≡ −q^{-1} (mod p), and that q^{(p−1)/2} ≡ −1 (mod p). (The latter congruence follows from the fact that α is a generator of Z_p^* and q ≡ −α^{-1} (mod p).) From these, one deduces that q^t = q^{(p−1)/2} q^{-1} ≡ −q^{-1} ≡ α (mod p). Now r^s y^r = (q^t)^{h(m)−qz} y^q ≡ α^{h(m)} α^{−qz} y^q ≡ α^{h(m)} y^{−q} y^q ≡ α^{h(m)} (mod p). Notice in the case where α = 2 is a generator that the conditions specified in (iii) above are trivially satisfied.

The attack can be avoided if α is selected as a generator for a subgroup of Z_p^* of prime order rather than a generator for Z_p^* itself.

11.68 Note (performance characteristics of ElGamal signatures)

(i) Signature generation by Algorithm 11.64 is relatively fast, requiring one modular exponentiation (α^k mod p), the extended Euclidean algorithm (for computing k^{-1} mod (p−1)), and two modular multiplications. (Modular subtraction is negligible when compared with modular multiplication.) The exponentiation and application of the extended Euclidean algorithm can be done off-line, in which case signature generation (in instances where precomputation is possible) requires only two (on-line) modular multiplications.

(ii) Signature verification is more costly, requiring three exponentiations. Each exponentiation (using naive techniques) requires (3/2)⌈lg p⌉ modular multiplications, on average, for a total cost of (9/2)⌈lg p⌉ multiplications. The computing costs can be reduced by modifying the verification slightly. Compute v_1 = α^{−h(m)} y^r r^s mod p, and accept the signature as valid if and only if v_1 = 1. Now, v_1 can be computed more efficiently by doing the three exponentiations simultaneously (see Note 14.91); the total cost is now about (15/8)⌈lg p⌉ modular multiplications, almost 2.5 times as cost efficient as before.

(iii) Signature verification calculations are all performed modulo p, while signature generation calculations are done modulo p and modulo (p−1).


©1997  by  CRC  Press,  Inc.  — See  accompanying  notice  at  front  of  chapter. 




11.69 Note (recommended parameter sizes) Given the latest progress on the discrete logarithm problem in Z_p^* (§3.6), a 512-bit modulus p provides only marginal security from concerted attack. As of 1996, a modulus p of at least 768 bits is recommended. For long-term security, 1024-bit or larger moduli should be used.

11.70 Note (system-wide parameters) All entities may elect to use the same prime number p and generator α, in which case p and α are not required to be part of the public key (cf. Note 11.61).

(i) Variations of the ElGamal scheme

Many variations of the basic ElGamal signature scheme (Algorithm 11.64) have been proposed. Most of these alter what is commonly referred to as the signing equation (given in step 1d of Algorithm 11.64). After suitable rearrangement, this signing equation can be written as u = av + kw mod (p−1) where u = h(m), v = r, and w = s (i.e., h(m) = ar + ks mod (p−1)). Other signing equations can be obtained by permitting u, v, and w to take on the values s, r, and h(m) in different orders. Table 11.5 lists the 6 possibilities.


       u       v       w       Signing equation        Verification
  1    h(m)    r       s       h(m) = ar + ks          α^{h(m)} = (α^a)^r r^s
  2    h(m)    s       r       h(m) = as + kr          α^{h(m)} = (α^a)^s r^r
  3    s       r       h(m)    s = ar + kh(m)          α^s = (α^a)^r r^{h(m)}
  4    s       h(m)    r       s = ah(m) + kr          α^s = (α^a)^{h(m)} r^r
  5    r       s       h(m)    r = as + kh(m)          α^r = (α^a)^s r^{h(m)}
  6    r       h(m)    s       r = ah(m) + ks          α^r = (α^a)^{h(m)} r^s

Table 11.5: Variations of the ElGamal signing equation. Signing equations are computed modulo (p−1); verification is done modulo p.


11.71 Note (comparing variants of the ElGamal signature scheme)

(i) Some of the signing equations listed in Table 11.5 are more efficient to compute than the original ElGamal equation in Algorithm 11.64. For example, equations (3) and (4) of Table 11.5 do not require the computation of an inverse to determine the signature s. Equations (2) and (5) require the signer to compute a^{-1} mod (p−1), but this fixed quantity need only be computed once.

(ii) Verification equations (2) and (4) involve the expression r^r. Part of the security of signature schemes based on these signing equations is the intractability of finding solutions to an expression of the form x^x ≡ c (mod p) for fixed c. This problem appears to be intractable for large values of p, but has not received the same attention as the discrete logarithm problem.

(ii) The generalized ElGamal signature scheme

The ElGamal digital signature scheme, originally described in the setting of the multiplicative group Z_p^*, can be generalized in a straightforward manner to work in any finite abelian group G. The introductory remarks for §8.4.2 are pertinent to the algorithm presented in this section. Algorithm 11.73 requires a cryptographic hash function h: {0,1}* → Z_n where n is the number of elements in G. It is assumed that each element r ∈ G can be represented in binary so that h(r) is defined.⁹


11.72 Algorithm Key generation for the generalized ElGamal signature scheme

SUMMARY: each entity selects a finite group G; generator of G; public and private keys.
Each entity A should do the following:

1. Select an appropriate cyclic group G of order n, with generator α. (Assume that G is written multiplicatively.)

2. Select a random secret integer a, 1 ≤ a ≤ n−1. Compute the group element y = α^a.

3. A's public key is (α, y), together with a description of how to multiply elements in G; A's private key is a.


11.73 Algorithm Generalized ElGamal signature generation and verification

SUMMARY: entity A signs a binary message m of arbitrary length. Any entity B can verify this signature by using A's public key.

1. Signature generation. Entity A should do the following:

(a) Select a random secret integer k, 1 ≤ k ≤ n−1, with gcd(k, n) = 1.

(b) Compute the group element r = α^k.

(c) Compute k^{-1} mod n.

(d) Compute h(m) and h(r).

(e) Compute s = k^{-1}{h(m) − ah(r)} mod n.

(f) A's signature for m is the pair (r, s).

2. Verification. To verify A's signature (r, s) on m, B should do the following:

(a) Obtain A's authentic public key (α, y).

(b) Compute h(m) and h(r).

(c) Compute v_1 = y^{h(r)} · r^s.

(d) Compute v_2 = α^{h(m)}.

(e) Accept the signature if and only if v_1 = v_2.


11.74 Example (generalized ElGamal signatures with artificially small parameters)

Key generation. Consider the finite field F_{2^5} constructed from the irreducible polynomial f(x) = x^5 + x^2 + 1 over F_2. (See Example 2.231 for examples of arithmetic in the field F_{2^4}.) The elements of this field are the 31 binary 5-tuples displayed in Table 11.6, along with 00000. The element α = (00010) is a generator for G = F_{2^5}^*, the multiplicative cyclic group of the field. The order of this group G is n = 31. Let h: {0,1}* → Z_31 be a hash function. Entity A selects the private key a = 19 and computes y = α^a = (00010)^19 = (00110). A's public key is (α = (00010), y = (00110)).

Signature generation. To sign the message m = 10110101, A selects a random integer k = 24, and computes r = α^24 = (11110) and k^{-1} mod 31 = 22. A then computes h(m) = 16 and h(r) = 7 (the hash values have been contrived for this example) and s = 22 · {16 − (19)(7)} mod 31 = 30. A's signature for message m is (r = (11110), s = 30).

Signature verification. B computes h(m) = 16, h(r) = 7, v_1 = y^{h(r)} r^s = (00110)^7 · (11110)^30 = (11011), and v_2 = α^{h(m)} = α^16 = (11011). B accepts the signature since v_1 = v_2. □

⁹ More precisely, one would define a function f: G → {0,1}* and write h(f(r)) instead of h(r).
  i    α^i       i    α^i       i    α^i       i    α^i
  0    00001     8    01101     16   11011     24   11110
  1    00010     9    11010     17   10011     25   11001
  2    00100     10   10001     18   00011     26   10111
  3    01000     11   00111     19   00110     27   01011
  4    10000     12   01110     20   01100     28   10110
  5    00101     13   11100     21   11000     29   01001
  6    01010     14   11101     22   10101     30   10010
  7    10100     15   11111     23   01111

Table 11.6: The elements of F_{2^5} as powers of a generator α.
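Algorithms 11.72 and 11.73 in the group G = F_{2^5}^* of Example 11.74, together with the field arithmetic that produces Table 11.6, as an added Python example (not the Handbook's code). It assumes the 5-bit integer representation of field elements, footnote 9's f as the 5-character bit string of an element, and SHA-256 reduced modulo 31 as h for any input other than the example's two contrived values.

```python
"""Generalized ElGamal (Algorithms 11.72/11.73) in G = F_{2^5}^* as in Example 11.74.

Added example, not code from the Handbook.  Field elements are 5-bit
integers (bit 4 = x^4, ..., bit 0 = 1) reduced modulo f(x) = x^5 + x^2 + 1;
the function f of footnote 9 is taken to be the 5-character bit string of an
element.  The hash values h(m) = 16 and h(r) = 7 are the example's contrived
ones; every other input is hashed with SHA-256 modulo 31 (an assumption).
"""
import hashlib
from math import gcd

F_POLY = 0b100101       # f(x) = x^5 + x^2 + 1, the reduction polynomial
N = 31                  # order n of the cyclic group G = F_{2^5}^*


def gf32_mul(x, y):
    """Multiply two elements of F_{2^5} (shift-and-add, reducing by f(x))."""
    z = 0
    while y:
        if y & 1:
            z ^= x
        y >>= 1
        x <<= 1
        if x & 0b100000:                 # a degree-5 term appeared: subtract f(x)
            x ^= F_POLY
    return z


def gf32_pow(x, e):
    """x^e in F_{2^5}^* by square-and-multiply; exponents live in Z_31."""
    result, base, e = 1, x, e % N
    while e:
        if e & 1:
            result = gf32_mul(result, base)
        base = gf32_mul(base, base)
        e >>= 1
    return result


def elem_bits(r):
    """Footnote 9's f: G -> {0,1}^*, here the 5-bit string of r, e.g. b'11110'."""
    return format(r, "05b").encode()


def powers_table(alpha=0b00010):
    """Table 11.6 as a dict {i: alpha^i} for 0 <= i <= 30."""
    return {i: gf32_pow(alpha, i) for i in range(N)}


def example_hash(data):
    """h: {0,1}* -> Z_31; the example's contrived values, SHA-256 mod 31 otherwise."""
    contrived = {b"10110101": 16, b"11110": 7}
    if data in contrived:
        return contrived[data]
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def gen_elgamal_keygen(alpha, a):
    """Algorithm 11.72: public key (alpha, y = alpha^a), private key a."""
    if not 1 <= a <= N - 1:
        raise ValueError("private key must satisfy 1 <= a <= n-1")
    return (alpha, gf32_pow(alpha, a)), a


def gen_elgamal_sign(pub, a, m, h, k):
    """Algorithm 11.73, step 1.  k must be fresh, 1 <= k <= n-1, gcd(k, n) = 1."""
    alpha, _ = pub
    if not (1 <= k <= N - 1 and gcd(k, N) == 1):
        raise ValueError("k must satisfy 1 <= k <= n-1 and gcd(k, n) = 1")
    r = gf32_pow(alpha, k)                               # step 1b
    k_inv = pow(k, -1, N)                                # step 1c (Python 3.8+)
    s = (k_inv * (h(m) - a * h(elem_bits(r)))) % N      # steps 1d-1e
    return r, s


def gen_elgamal_verify(pub, m, sig, h):
    """Algorithm 11.73, step 2: v1 = y^{h(r)} * r^s, v2 = alpha^{h(m)}."""
    alpha, y = pub
    r, s = sig
    if not (1 <= r <= N and 0 <= s < N):                 # r must be a nonzero element
        return False
    v1 = gf32_mul(gf32_pow(y, h(elem_bits(r))), gf32_pow(r, s))
    v2 = gf32_pow(alpha, h(m))
    return v1 == v2


if __name__ == "__main__":
    pub, a = gen_elgamal_keygen(0b00010, 19)
    sig = gen_elgamal_sign(pub, a, b"10110101", example_hash, 24)
    print(format(sig[0], "05b"), sig[1])                            # 11110 30
    print(gen_elgamal_verify(pub, b"10110101", sig, example_hash))  # True
```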


11.75 Note (security of generalized ElGamal) Much of the security of Algorithm 11.73 relies on the intractability of the discrete logarithm problem in the group G (see §3.6). Most of the security comments in Note 11.66 apply to the generalized ElGamal scheme.

11.76 Note (signing and verification operations) Signature generation requires computations in the group G (i.e., r = α^k) and computations in Z_n. Signature verification only requires computations in the group G.

11.77 Note (generalized ElGamal using elliptic curves) One of the most promising implementations of Algorithm 11.73 is the case where the finite abelian group G is constructed from the set of points on an elliptic curve over a finite field F_q. The discrete logarithm problem in groups of this type appears to be more difficult than the discrete logarithm problem in the multiplicative group of a finite field F_q. This implies that q can be chosen smaller than for corresponding implementations in groups such as G = F_q^*.


11.5.3  The  Schnorr  signature  scheme 

Another well-known variant of the ElGamal scheme (Algorithm 11.64) is the Schnorr signature scheme. As with the DSA (Algorithm 11.56), this technique employs a subgroup of order q in Z_p^*, where p is some large prime number. The method also requires a hash function h: {0,1}* → Z_q. Key generation for the Schnorr signature scheme is the same as DSA key generation (Algorithm 11.54), except that there are no constraints on the sizes of p and q.


11.78 Algorithm Schnorr signature generation and verification

SUMMARY: entity A signs a binary message m of arbitrary length. Any entity B can verify this signature by using A's public key.

1. Signature generation. Entity A should do the following:

(a) Select a random secret integer k, 1 ≤ k ≤ q−1.

(b) Compute r = α^k mod p, e = h(m||r), and s = ae + k mod q.

(c) A's signature for m is the pair (s, e).

2. Verification. To verify A's signature (s, e) on m, B should do the following:

(a) Obtain A's authentic public key (p, q, α, y).

(b) Compute v = α^s y^{−e} mod p and e' = h(m||v).

(c) Accept the signature if and only if e' = e.


Proof that signature verification works. If the signature was created by A, then v = α^s y^{−e} ≡ α^s α^{−ae} = α^k = r (mod p). Hence, h(m||v) = h(m||r) and e' = e.

11.79 Example (Schnorr's signature scheme with artificially small parameters)

Key generation. A selects primes p = 129841 and q = 541; here, (p−1)/q = 240. A then selects a random integer g = 26346 ∈ Z_p^* and computes α = 26346^240 mod p = 26. Since α ≠ 1, α generates the unique cyclic subgroup of order 541 in Z_p^*. A then selects the private key a = 423 and computes y = 26^423 mod p = 115917. A's public key is (p = 129841, q = 541, α = 26, y = 115917).

Signature generation. To sign the message m = 11101101, A selects a random number k = 327 such that 1 ≤ k ≤ 540, and computes r = 26^327 mod p = 49375 and e = h(m||r) = 155 (the hash value has been contrived for this example). Finally, A computes s = 423 · 155 + 327 mod 541 = 431. The signature for m is (s = 431, e = 155).

Signature verification. B computes v = 26^431 · 115917^{−155} mod p = 49375 and e' = h(m||v) = 155. B accepts the signature since e = e'. □
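Algorithm 11.78 on the parameters of Example 11.79, including the subgroup-generator derivation of the key generation step, as an added Python example (not the Handbook's code). It assumes h(m||r) is SHA-256 over the message bytes followed by r in big-endian form, reduced modulo q; the hash is a parameter so the example's contrived e = 155 can be reproduced.

```python
"""Schnorr signatures (Algorithm 11.78) on the parameters of Example 11.79.

Added example, not code from the Handbook.  Assumptions: h(m||r) is SHA-256
of the message bytes followed by r in big-endian form, reduced modulo q;
the hash is a parameter so the example's contrived e = 155 can be reproduced.
p = 129841 and q = 541 are toy sizes, never secure ones.
"""
import hashlib
import secrets


def subgroup_generator(p, q, g):
    """alpha = g^((p-1)/q) mod p generates the order-q subgroup whenever alpha != 1."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p-1")
    alpha = pow(g, (p - 1) // q, p)
    if alpha == 1:
        raise ValueError("g^((p-1)/q) = 1, choose another g")
    return alpha


def schnorr_hash(q):
    """h: {0,1}* -> Z_q applied to m||r (SHA-256 based, an assumption)."""
    def h(m, r):
        data = m + r.to_bytes((r.bit_length() + 7) // 8 or 1, "big")
        return int.from_bytes(hashlib.sha256(data).digest(), "big") % q
    return h


def schnorr_keygen(p, q, alpha, a):
    """DSA-style key generation (Algorithm 11.54): y = alpha^a mod p."""
    if not 1 <= a <= q - 1:
        raise ValueError("private key must satisfy 1 <= a <= q-1")
    return (p, q, alpha, pow(alpha, a, p)), a


def schnorr_sign(pub, a, m, h, k=None):
    """Algorithm 11.78, step 1: r = alpha^k mod p, e = h(m||r), s = ae + k mod q."""
    p, q, alpha, _ = pub
    if k is None:
        k = secrets.randbelow(q - 1) + 1          # fresh 1 <= k <= q-1
    elif not 1 <= k <= q - 1:
        raise ValueError("k must satisfy 1 <= k <= q-1")
    r = pow(alpha, k, p)
    e = h(m, r)
    s = (a * e + k) % q
    return s, e


def schnorr_verify(pub, m, sig, h):
    """Algorithm 11.78, step 2: v = alpha^s y^{-e} mod p, accept iff h(m||v) = e."""
    p, q, alpha, y = pub
    s, e = sig
    if not (0 <= s < q and 0 <= e < q):          # both components live in Z_q
        return False
    v = (pow(alpha, s, p) * pow(y, -e, p)) % p   # negative exponent needs Python 3.8+
    return h(m, v) == e


def example_11_79():
    """Reproduce Example 11.79 with the contrived e = 155; returns (alpha, y, s, e, accepted)."""
    p, q = 129841, 541
    alpha = subgroup_generator(p, q, 26346)
    pub, a = schnorr_keygen(p, q, alpha, 423)
    contrived = lambda m, r: 155
    s, e = schnorr_sign(pub, a, b"11101101", contrived, k=327)
    return alpha, pub[3], s, e, schnorr_verify(pub, b"11101101", (s, e), contrived)


if __name__ == "__main__":
    print(example_11_79())                       # (26, 115917, 431, 155, True)
    pub, a = schnorr_keygen(129841, 541, 26, 423)
    h = schnorr_hash(541)
    sig = schnorr_sign(pub, a, b"hello", h)       # fresh random k
    print(schnorr_verify(pub, b"hello", sig, h))  # True
```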

11.80 Note (performance characteristics of the Schnorr scheme) Signature generation in Algorithm 11.78 requires one exponentiation modulo p and one multiplication modulo q. The exponentiation modulo p could be done off-line. Depending on the hash algorithm used, the time to compute h(m||r) should be relatively small. Verification requires two exponentiations modulo p. These two exponentiations can be computed by Algorithm 14.88 at a cost of about 1.17 exponentiations. Using the subgroup of order q does not significantly enhance computational efficiency over the ElGamal scheme of Algorithm 11.64, but does provide smaller signatures (for the same level of security) than those generated by the ElGamal method.


11.5.4  The  ElGamal  signature  scheme  with  message  recovery 

The ElGamal scheme and its variants (§11.5.2) discussed so far are all randomized digital signature schemes with appendix (i.e., the message is required as input to the verification algorithm). In contrast, the signature mechanism of Algorithm 11.81 has the feature that the message can be recovered from the signature itself. Hence, this ElGamal variant provides a randomized digital signature with message recovery.

For this scheme, the signing space is M_S = Z_p^*, p a prime, and the signature space is S = Z_p × Z_q, q a prime, where q divides (p−1). Let R be a redundancy function from the set of messages M to M_S (see Table 11.1). Key generation for Algorithm 11.81 is the same as DSA key generation (Algorithm 11.54), except that there are no constraints on the sizes of p and q.




11.81 Algorithm Nyberg-Rueppel signature generation and verification

SUMMARY: entity A signs a message m ∈ M. Any entity B can verify A's signature and recover the message m from the signature.

1. Signature generation. Entity A should do the following:

(a) Compute m̃ = R(m).

(b) Select a random secret integer k, 1 ≤ k ≤ q−1, and compute r = α^{−k} mod p.

(c) Compute e = m̃r mod p.

(d) Compute s = ae + k mod q.

(e) A's signature for m is the pair (e, s).

2. Verification. To verify A's signature (e, s) on m, B should do the following:

(a) Obtain A's authentic public key (p, q, α, y).

(b) Verify that 0 < e < p; if not, reject the signature.

(c) Verify that 0 ≤ s < q; if not, reject the signature.

(d) Compute v = α^s y^{−e} mod p and m̃ = ve mod p.

(e) Verify that m̃ ∈ M_R; if m̃ ∉ M_R then reject the signature.

(f) Recover m = R^{-1}(m̃).


Proof that signature verification works. If A created the signature, then v = α^s y^{−e} ≡ α^{s−ae} = α^k (mod p). Thus ve ≡ α^k m̃ α^{−k} = m̃ (mod p), as required.

11.82 Example (Nyberg-Rueppel signature generation with artificially small parameters)

Key generation. Entity A selects primes p = 1256993 and q = 3571, where q divides (p−1); here, (p−1)/q = 352. A then selects a random number g = 42077 ∈ Z_p^* and computes α = 42077^352 mod p = 441238. Since α ≠ 1, α generates the unique cyclic subgroup of order 3571 in Z_p^*. Finally, A selects a random integer a = 2774 and computes y = α^a mod p = 1013657. A's public key is (p = 1256993, q = 3571, α = 441238, y = 1013657), while A's private key is a = 2774.

Signature generation. To sign a message m, A computes m̃ = R(m) = 1147892 (the value R(m) has been contrived for this example). A then randomly selects k = 1001, computes r = α^{−k} mod p = 441238^{−1001} mod p = 1188935, e = m̃r mod p = 138207, and s = (2774)(138207) + 1001 mod q = 1088. The signature for m is (e = 138207, s = 1088).

Signature verification. B computes v = 441238^1088 · 1013657^{−138207} mod 1256993 = 504308, and m̃ = v · 138207 mod 1256993 = 1147892. B verifies that m̃ ∈ M_R and recovers m = R^{-1}(m̃). □

11.83 Note (security of the Nyberg-Rueppel signature scheme)

(i) Since Algorithm 11.81 is a variant of the basic ElGamal scheme (Algorithm 11.64), the security considerations of Note 11.66 apply. Like DSA (Algorithm 11.56), this ElGamal mechanism with message recovery relies on the difficulty of two related but distinct discrete logarithm problems (see Note 11.58).

(ii) Since Algorithm 11.81 provides message recovery, a suitable redundancy function R is required (see Note 11.10) to guard against existential forgery. As is the case with RSA, the multiplicative nature of this signature scheme must be carefully considered when choosing a redundancy function R. The following possible attack should be kept in mind. Suppose m ∈ M, m̃ = R(m), and (e, s) is a signature for m. Then e = m̃α^{−k} mod p for some integer k and s = ae + k mod q. Let m̃* = m̃α^l mod p for some integer l. If s* = s + l mod q and m̃* ∈ M_R, then (e, s*) is a valid signature for m* = R^{-1}(m̃*). To see this, consider the verification algorithm (step 2 of Algorithm 11.81). v = α^{s*} y^{−e} ≡ α^{s+l} α^{−ae} = α^{k+l} (mod p), and ve ≡ α^{k+l} m̃ α^{−k} = m̃α^l = m̃* (mod p). Since m̃* ∈ M_R, the forged signature (e, s*) will be accepted as a valid signature for m*.

(iii) The verification that 0 < e < p given in step 2b of Algorithm 11.81 is crucial. Suppose (e, s) is A's signature for the message m. Then e = m̃r mod p and s = ae + k mod q. An adversary can use this signature to compute a signature on a message m* of its choice. It determines an e* such that e* ≡ m̃*r (mod p) and e* ≡ e (mod q). (This is possible by the Chinese Remainder Theorem (Fact 2.120).) The pair (e*, s) will pass the verification algorithm provided that 0 < e* < p is not checked.
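Algorithm 11.81 on the parameters of Example 11.82, including the range checks of steps 2b and 2c that Note 11.83(iii) calls crucial and the M_R membership check of step 2e, as an added Python example (not the Handbook's code). The redundancy function R, its image M_R and the one-byte message space are assumptions chosen for illustration; the example's m̃ = 1147892 is contrived, so the functions that take m̃ directly reproduce it.

```python
"""Nyberg-Rueppel signatures with message recovery (Algorithm 11.81), on the
parameters of Example 11.82.

Added example, not code from the Handbook.  Assumptions: messages are one
byte and the redundancy function R repeats that byte, so that a recovered
m~ is recognisable (M_R = 16-bit values whose two bytes are equal); the
Handbook leaves R unspecified and its m~ = 1147892 is contrived, so the
*_redundant functions work on m~ directly.  Toy parameters, never secure ones.
"""
import secrets

P, Q, ALPHA = 1256993, 3571, 441238        # p, q, alpha of Example 11.82


def R(m):
    """Redundancy function (assumed): 8-bit m -> 16-bit value with the byte repeated."""
    if not 0 <= m <= 0xFF:
        raise ValueError("message must be a single byte")
    return (m << 8) | m


def in_M_R(mt):
    """Membership test for M_R, the image of R (the check of step 2e)."""
    return 0 < mt < 0x10000 and (mt >> 8) == (mt & 0xFF)


def R_inv(mt):
    """R^{-1} on an element of M_R."""
    return mt & 0xFF


def nr_keygen(p, q, alpha, a):
    """DSA-style key generation (Algorithm 11.54): y = alpha^a mod p."""
    if not 1 <= a <= q - 1:
        raise ValueError("private key must satisfy 1 <= a <= q-1")
    return (p, q, alpha, pow(alpha, a, p)), a


def nr_sign_redundant(pub, a, mt, k=None):
    """Steps 1b-1e of Algorithm 11.81 on an already-redundant m~ in Z_p^*."""
    p, q, alpha, _ = pub
    if not 1 <= mt <= p - 1:
        raise ValueError("m~ must lie in Z_p^*")
    if k is None:
        k = secrets.randbelow(q - 1) + 1        # fresh 1 <= k <= q-1
    elif not 1 <= k <= q - 1:
        raise ValueError("k must satisfy 1 <= k <= q-1")
    r = pow(alpha, -k, p)                       # r = alpha^{-k} mod p (Python 3.8+)
    e = (mt * r) % p                            # step 1c
    s = (a * e + k) % q                         # step 1d
    return e, s


def nr_verify_redundant(pub, sig):
    """Steps 2b-2d: the recovered m~, or None when a range check fails."""
    p, q, alpha, y = pub
    e, s = sig
    if not 0 < e < p:                           # step 2b, see Note 11.83(iii)
        return None
    if not 0 <= s < q:                          # step 2c
        return None
    v = (pow(alpha, s, p) * pow(y, -e, p)) % p  # v = alpha^s y^{-e} mod p
    return (v * e) % p                          # m~ = v e mod p


def nr_sign(pub, a, m, k=None):
    """Full signing: step 1a (m~ = R(m)) followed by steps 1b-1e."""
    return nr_sign_redundant(pub, a, R(m), k)


def nr_verify(pub, sig):
    """Full verification: m~ must lie in M_R (step 2e); returns m = R^{-1}(m~) or None."""
    mt = nr_verify_redundant(pub, sig)
    if mt is None or not in_M_R(mt):
        return None
    return R_inv(mt)


if __name__ == "__main__":
    pub, a = nr_keygen(P, Q, ALPHA, 2774)
    print(pub[3])                                        # 1013657
    print(nr_sign_redundant(pub, a, 1147892, k=1001))    # (138207, 1088)
    print(nr_verify_redundant(pub, (138207, 1088)))      # 1147892
    print(nr_verify(pub, nr_sign(pub, a, 0x5A)))         # 90
```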

11.84 Note (a generalization of ElGamal signatures with message recovery) The expression e = m̃r mod p in step 1c of Algorithm 11.81 provides a relatively simple way to encrypt m̃ with key r and could be generalized to any symmetric-key algorithm. Let E = {E_r : r ∈ Z_p^*} be a set of encryption transformations where each E_r is indexed by an element r ∈ Z_p^* and is a bijection from M_S = Z_p^* to Z_p^*. For any m ∈ M, select a random integer k, 1 ≤ k ≤ q−1, compute r = α^k mod p, e = E_r(m̃), and s = ae + k mod q. The pair (e, s) is a signature for m. The fundamental signature equation s = ae + k mod q is a means to bind entity A's private key and the message m to a symmetric key which can then be used to recover the message by any other entity at some later time.


11.6  One-time  digital  signatures 

One-time  digital  signature  schemes  are  digital  signature  mechanisms  which  can  be  used 
to  sign,  at  most,  one  message;  otherwise,  signatures  can  be  forged.  A new  public  key  is 
required  for  each  message  that  is  signed.  The  public  information  necessary  to  verify  one- 
time signatures  is  often  referred  to  as  validation  parameters.  When  one-time  signatures  are 
combined  with  techniques  for  authenticating  validation  parameters,  multiple  signatures  are 
possible  (see  §11.6.3  for  a description  of  authentication  trees). 

Most,  but  not  all,  one-time  digital  signature  schemes  have  the  advantage  that  signature 
generation  and  verification  are  very  efficient.  One-time  digital  signature  schemes  are  useful 
in  applications  such  as  chipcards,  where  low  computational  complexity  is  required. 


1 1 .6.1  The  Rabin  one-time  signature  scheme 

Rabin’s  one-time  signature  scheme  was  one  of  the  first  proposals  for  a digital  signature  of 
any  kind.  It  permits  the  signing  of  a single  message.  The  verification  of  a signature  requires 
interaction  between  the  signer  and  verifier.  Unlike  other  digital  signature  schemes,  verifi- 
cation can  be  done  only  once.  While  not  practical,  it  is  presented  here  for  historical  reasons. 
Notation  used  in  this  section  is  given  in  Table  11.7. 
Symbol    Meaning
M_0       0^l = the all 0's string of bitlength l.
M_0(i)    0^{l−e}||b_{e−1}···b_1b_0 where b_{e−1}···b_1b_0 is the binary representation of i.
K         a set of l-bit strings.
E         a set of encryption transformations indexed by a key space K.
E_t       an encryption transformation belonging to E with t ∈ K. Each E_t maps l-bit strings to l-bit strings.
h         a publicly-known one-way hash function from {0,1}* to {0,1}^l.
n         a fixed positive integer which serves as a security parameter.

Table 11.7: Notation for the Rabin one-time signature scheme.


11.85 Algorithm Key generation for the Rabin one-time signature scheme

SUMMARY: each entity A selects a symmetric-key encryption scheme E, generates 2n random bitstrings, and creates a set of validation parameters.

Each entity A should do the following:

1. Select a symmetric-key encryption scheme E (e.g., DES).

2. Generate 2n random secret strings k_1, k_2, ..., k_{2n} ∈ K, each of bitlength l.

3. Compute y_i = E_{k_i}(M_0(i)), 1 ≤ i ≤ 2n.

4. A's public key is (y_1, y_2, ..., y_{2n}); A's private key is (k_1, k_2, ..., k_{2n}).


11.86 Algorithm Rabin one-time signature generation and verification

SUMMARY: entity A signs a binary message m of arbitrary length. Signature verification is interactive with A.

1. Signature generation. Entity A should do the following:

(a) Compute h(m).

(b) Compute s_i = E_{k_i}(h(m)), 1 ≤ i ≤ 2n.

(c) A's signature for m is (s_1, s_2, ..., s_{2n}).

2. Verification. To verify A's signature (s_1, s_2, ..., s_{2n}) on m, B should:

(a) Obtain A's authentic public key (y_1, y_2, ..., y_{2n}).

(b) Compute h(m).

(c) Select n distinct random numbers r_j, 1 ≤ r_j ≤ 2n, for 1 ≤ j ≤ n.

(d) Request from A the keys k_{r_j}, 1 ≤ j ≤ n.

(e) Verify the authenticity of the received keys by computing z_j = E_{k_{r_j}}(M_0(r_j)) and checking that z_j = y_{r_j}, for each 1 ≤ j ≤ n.

(f) Verify that s_{r_j} = E_{k_{r_j}}(h(m)), 1 ≤ j ≤ n.


11.87 Note (key sizes for Rabin's one-time signatures) Since E_t outputs l bits (see Table 11.7), the public and private keys in Algorithm 11.86 each consist of 2nl bits. For n = 80 and l = 64, the keys are each 1280 bytes long.

11.88 Note (resolution of disputes) To resolve potential disputes between the signer A and the verifier B using Algorithm 11.86, the following procedure is followed:

1. B provides a trusted third party (TTP) with m and the signature (s_1, s_2, ..., s_{2n}).

2. The TTP obtains k_1, k_2, ..., k_{2n} from A.

3. The TTP verifies the authenticity of the private key by computing z_i = E_{k_i}(M_0(i)) and checking that y_i = z_i, 1 ≤ i ≤ 2n. If this fails, the TTP rules in favor of B (i.e., the signature is deemed to be valid).

4. The TTP computes u_i = E_{k_i}(h(m)), 1 ≤ i ≤ 2n. If u_i = s_i for at most n values of i, 1 ≤ i ≤ 2n, the signature is declared a forgery and the TTP rules in favor of A (who denies having created the signature). If n+1 or more values of i give u_i = s_i, the signature is deemed valid and the TTP rules in favor of B.
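Algorithms 11.85 and 11.86, with the interactive challenge of verification step 2 and the TTP ruling of Note 11.88, as an added Python example (not the Handbook's code). It assumes E_t(x) modelled as the first l bits of SHA-256(t||x) (the scheme only evaluates E in the forward direction, so a keyed one-way function serves for illustration), with toy sizes n = 4 and l = 64.

```python
"""Rabin one-time signatures (Algorithms 11.85/11.86) with the interactive
verification of step 2 and the dispute ruling of Note 11.88.

Added example, not code from the Handbook.  Assumptions: E_t(x) is modelled
as the first l bits of SHA-256(t || x) (the scheme only evaluates E in the
forward direction, so any keyed one-way function serves for illustration);
n = 4 and l = 64 are toy sizes, not the n = 80 of Note 11.87.
"""
import hashlib
import secrets

N_PARAM = 4            # security parameter n; the scheme uses 2n keys
L_BYTES = 8            # l = 64 bits for keys, E_t outputs and h outputs


def E(t, x):
    """E_t(x): keyed transformation on l-bit strings (block-cipher stand-in)."""
    return hashlib.sha256(t + x).digest()[:L_BYTES]


def h(m):
    """Public one-way hash {0,1}* -> {0,1}^l."""
    return hashlib.sha256(m).digest()[:L_BYTES]


def M0(i):
    """M_0(i) of Table 11.7: the index i as an l-bit string, zero-padded on the left."""
    return i.to_bytes(L_BYTES, "big")


def rabin_keygen(n=N_PARAM):
    """Algorithm 11.85: 2n secret keys and the validation parameters y_i = E_{k_i}(M_0(i))."""
    keys = [secrets.token_bytes(L_BYTES) for _ in range(2 * n)]
    pub = [E(keys[i - 1], M0(i)) for i in range(1, 2 * n + 1)]
    return pub, keys


def rabin_sign(keys, m):
    """Algorithm 11.86 step 1: s_i = E_{k_i}(h(m)) for 1 <= i <= 2n."""
    return [E(k, h(m)) for k in keys]


def rabin_verify(pub, sig, m, reveal_key, n=N_PARAM):
    """Algorithm 11.86 step 2; reveal_key(j) is the request to A for k_j (step 2d)."""
    hm = h(m)
    rng = secrets.SystemRandom()
    for j in rng.sample(range(1, 2 * n + 1), n):       # step 2c: n distinct r_j
        k_j = reveal_key(j)
        if E(k_j, M0(j)) != pub[j - 1]:                # step 2e: is the key authentic?
            return False
        if sig[j - 1] != E(k_j, hm):                   # step 2f: does s_{r_j} match?
            return False
    return True


def rabin_adjudicate(pub, sig, m, keys, n=N_PARAM):
    """Note 11.88: the TTP's ruling, 'B' (signature valid) or 'A' (forgery)."""
    for i in range(1, 2 * n + 1):                      # step 3: every key authentic?
        if E(keys[i - 1], M0(i)) != pub[i - 1]:
            return "B"                                 # A's keys do not match: rule for B
    hm = h(m)
    matches = sum(1 for i, k in enumerate(keys) if E(k, hm) == sig[i])
    return "B" if matches >= n + 1 else "A"            # step 4


if __name__ == "__main__":
    pub, keys = rabin_keygen()
    sig = rabin_sign(keys, b"the one message")
    print(rabin_verify(pub, sig, b"the one message", lambda j: keys[j - 1]))  # True
    print(rabin_adjudicate(pub, sig, b"the one message", keys))               # B
```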

11.89 Note (rationale for dispute resolution protocol) The rationale for adjudicating disputes in Rabin's one-time signature scheme, as outlined in Note 11.88, is as follows. If B has attempted to forge A's signature on a new message m', B either needs to determine at least one more key k' so that at least n+1 values of i give u_i = s_i, or determine m' such that h(m) = h(m'). This should be infeasible if the symmetric-key algorithm and hash function are chosen appropriately. If A attempts to create a signature which it can later disavow, A must ensure that u_i = s_i for precisely n values of i and hope that B chooses these n values in step 2c of the verification procedure, the probability of which is only 1/C(2n, n) (the reciprocal of the binomial coefficient).

11.90 Note (one-timeness of Algorithm 11.86) A can sign at most one message with a given private key in Rabin's one-time scheme; otherwise, A will (with high probability) reveal n+1 or more of the private key values and enable B (and perhaps collaborators) to forge signatures on new messages (see Note 11.89). A signature can only be verified once without revealing (with high probability) more than n of the 2n private values.


11.6.2 The Merkle one-time signature scheme

Merkle's one-time digital signature scheme (Algorithm 11.92) differs substantially from
that of Rabin (Algorithm 11.86) in that signature verification is not interactive with the
signer. A TTP or some other trusted means is required to authenticate the validation
parameters constructed in Algorithm 11.91.


11.91 Algorithm Key generation for the Merkle one-time signature scheme

SUMMARY: to sign n-bit messages, A generates t = n + ⌊lg n⌋ + 1 validation parameters.
Each entity A should do the following:

1. Select t = n + ⌊lg n⌋ + 1 random secret strings k_1, k_2, ..., k_t each of bitlength l.

2. Compute v_i = h(k_i), 1 ≤ i ≤ t. Here, h is a preimage-resistant hash function
h: {0,1}* → {0,1}^l (see §9.2.2).

3. A's public key is (v_1, v_2, ..., v_t); A's private key is (k_1, k_2, ..., k_t).


To sign an n-bit message m, a bitstring w = m||c is formed where c is the binary
representation for the number of 0's in m. c is assumed to be a bitstring of bitlength ⌊lg n⌋ +
1 with high-order bits padded with 0's, if necessary. Hence, w is a bitstring of bitlength
t = n + ⌊lg n⌋ + 1.
11.92 Algorithm Merkle one-time signature generation and verification

SUMMARY: entity A signs a binary message m of bitlength n. Any entity B can verify
this signature by using A's public key.

1. Signature generation. Entity A should do the following:

(a) Compute c, the binary representation for the number of 0's in m.

(b) Form w = m||c = (a_1 a_2 ··· a_t).

(c) Determine the coordinate positions i_1 < i_2 < ··· < i_u in w such that a_{i_j} = 1,
1 ≤ j ≤ u.

(d) Let s_j = k_{i_j}, 1 ≤ j ≤ u.

(e) A's signature for m is (s_1, s_2, ..., s_u).

2. Verification. To verify A's signature (s_1, s_2, ..., s_u) on m, B should:

(a) Obtain A's authentic public key (v_1, v_2, ..., v_t).

(b) Compute c, the binary representation for the number of 0's in m.

(c) Form w = m||c = (a_1 a_2 ··· a_t).

(d) Determine the coordinate positions i_1 < i_2 < ··· < i_u in w such that a_{i_j} = 1,
1 ≤ j ≤ u.

(e) Accept the signature if and only if v_{i_j} = h(s_j) for all 1 ≤ j ≤ u.


11.93 Note (security of Merkle's one-time signature scheme) Let m be a message, w = m||c
the bitstring formed in step 1b of Algorithm 11.92, and (s_1, s_2, ..., s_u) a signature for m.
If h is a preimage-resistant hash function, the following argument shows that no signature
for a message m' ≠ m can be forged. Let w' = m'||c' where c' is the (⌊lg n⌋ + 1)-bit
string which is the binary representation for the number of 0's in m'. Since an adversary
has access to only that portion of the signer's private key which consists of (s_1, s_2, ..., s_u),
the set of coordinate positions in m' having a 1 must be a subset of the coordinate positions
in m having a 1 (otherwise, m' will have a 1 in some position where m has a 0 and the
adversary will require an element of the private key not revealed by the signer). But this
means that m' has more 0's than m and that c' > c (when considered as integers). In this
case, c' will have a 1 in some position where c has a 0. The adversary would require a private
key element, corresponding to this position, which was not revealed by the signer.

11.94 Note (storage and computational requirements of Algorithm 11.92)

(i) To sign an n-bit message m which has k ones requires l · (n + ⌊lg n⌋ + 1) bits of
storage for the validation parameters (public key), and l · (n + ⌊lg n⌋ + 1) bits for the
private key. The signature requires l · (k + k') bits of storage, where k' is the number
of 1's in the binary representation of n − k. For example, if n = 128, l = 64, and
k = 72, then the public and private keys each require 8704 bits (1088 bytes). The
signature requires 4800 bits (600 bytes).

(ii) The private key can be made smaller by forming the k_i's from a single seed value.
For example, if k* is a bitstring of bitlength at least l, then form k_i = h(k*||i), 1 ≤
i ≤ t. Since only the seed k* need be stored, the size of the private key is drastically
reduced.

(iii) Signature generation is very fast, requiring no computation. Signature verification
requires the evaluation of the hash function for fewer than n + ⌊lg n⌋ + 1 values.


Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.




11.95 Note (improving efficiency of Merkle's one-time scheme) Algorithm 11.92 requires l · (n +
⌊lg n⌋ + 1) bits for each of the public and private keys. The public key must necessarily
be this large because the signing algorithm considers individual bits of the message. The
scheme can be made more efficient if the signing algorithm considers more than one bit at
a time. Suppose entity A wishes to sign a kt-bit message m. Write m = m_1||m_2||···||m_t
where each m_i has bitlength k and each represents an integer between 0 and 2^k − 1 inclusive.
Define U = ∑_{i=1}^{t} (2^k − m_i). U can be represented by lg U ≤ ⌊lg t⌋ + 1 + k bits.
If r = ⌈(⌊lg t⌋ + 1 + k)/k⌉, then U can be written in binary as U = u_1||u_2||···||u_r,
where each u_i has bitlength k. Form the bitstring w = m_1||m_2||···||m_t||u_1||u_2||···||u_r.
Generate t + r random bitstrings k_1, k_2, ..., k_{t+r} and compute v_i = h^{2^k − 1}(k_i), 1 ≤ i ≤
t + r. The private key for the modified scheme is (k_1, k_2, ..., k_{t+r}) and the public key is
(v_1, v_2, ..., v_{t+r}). The signature for m is (s_1, s_2, ..., s_{t+r}) where s_i = h^{m_i}(k_i), 1 ≤ i ≤
t, and s_{t+i} = h^{u_i}(k_{t+i}), 1 ≤ i ≤ r. Here, h^c denotes the c-fold composition of h with itself.
As with the original scheme (Algorithm 11.92), the bits appended to the message act as a
check-sum (see Note 11.93) as follows. Given an element s_i = h^a(k_i), an adversary can
easily compute h^{a+δ}(k_i) for 0 ≤ δ ≤ 2^k − a, but is unable to compute h^{a−δ} for any δ > 0
if h is a one-way hash function. To forge a signature on a new message, an adversary can
only reduce the value of the check-sum, which will make it impossible for him to compute
the required hash values on the appended kr bits.

11.96 Example (signing more than one bit at a time) This example illustrates the modification
of the Merkle scheme described in Note 11.95. Let m = m_1||m_2||m_3||m_4 where m_1 =
1011, m_2 = 0111, m_3 = 1010, and m_4 = 1101. m_1, m_2, m_3, and m_4 are the binary
representations of 11, 7, 10, and 13, respectively. U = (16 − m_1) + (16 − m_2) + (16 −
m_3) + (16 − m_4) = 5 + 9 + 6 + 3 = 23. In binary, U = 10111. Form w = m||0001 0111.
The signature is (s_1, s_2, s_3, s_4, s_5, s_6) where s_1 = h^{11}(k_1), s_2 = h^7(k_2), s_3 = h^{10}(k_3),
s_4 = h^{13}(k_4), s_5 = h^1(k_5), and s_6 = h^7(k_6). If an adversary tries to alter the message, he
can only apply the function h to some s_i. This causes the sum of the exponents used (i.e.,
∑ m_i) to increase and, hence, ∑ (2^k − m_i) to decrease. An adversary would be unable
to modify the last two blocks since h^{-1} is required to decrease the sum. But, since h is
preimage-resistant, h^{-1} cannot be computed by the adversary. □
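The modified scheme of Note 11.95, run on the data of Example 11.96, as an added Python example (not the Handbook's code). It assumes SHA-256 as h, random 32-byte k_i, and k = 4 as in the example; the function names are this example's own. The demo() function also reproduces the tampering argument of the example's last paragraph: applying h to s_1 raises m_1, so the check-sum U drops, and the adversary would have to run the check-sum chains backwards.

```python
"""Merkle's one-time scheme signing k bits at a time (Note 11.95), run on the
data of Example 11.96.  Added example; not the Handbook's code.  SHA-256 stands
in for h, the k_i are random 32-byte strings, and k = 4 as in the example."""
import hashlib
import os
from math import ceil, floor, log2


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def h_pow(c: int, x: bytes) -> bytes:
    """h^c(x): the c-fold composition of h with itself (h^0 is the identity)."""
    for _ in range(c):
        x = h(x)
    return x


def blocks_of(m: str, k: int) -> list:
    """m = m_1 || ... || m_t, each m_i a k-bit block read as an integer."""
    assert len(m) % k == 0
    return [int(m[i:i + k], 2) for i in range(0, len(m), k)]


def checksum_blocks(blocks: list, k: int) -> list:
    """U = sum(2^k - m_i), written as r k-bit blocks u_1..u_r,
    r = ceil((floor(lg t) + 1 + k) / k), high-order bits padded with 0's."""
    t = len(blocks)
    U = sum(2 ** k - mi for mi in blocks)
    r = ceil((floor(log2(t)) + 1 + k) / k)
    return blocks_of(format(U, f"0{r * k}b"), k)


def exponents(m: str, k: int) -> list:
    """The exponents m_1..m_t, u_1..u_r applied to k_1..k_{t+r}."""
    blocks = blocks_of(m, k)
    return blocks + checksum_blocks(blocks, k)


def keygen(t: int, r: int, k: int):
    priv = [os.urandom(32) for _ in range(t + r)]
    pub = [h_pow(2 ** k - 1, ki) for ki in priv]      # v_i = h^{2^k - 1}(k_i)
    return priv, pub


def sign(m: str, priv: list, k: int) -> list:
    return [h_pow(e, ki) for e, ki in zip(exponents(m, k), priv)]  # s_i = h^{e_i}(k_i)


def verify(m: str, sig: list, pub: list, k: int) -> bool:
    """Walk each chain the remaining 2^k - 1 - e_i steps and compare with v_i."""
    exps = exponents(m, k)
    return len(sig) == len(exps) == len(pub) and all(
        h_pow(2 ** k - 1 - e, si) == vi for e, si, vi in zip(exps, sig, pub))


def demo(k: int = 4):
    """Example 11.96 (m_1..m_4 = 11, 7, 10, 13), then an adversary's only move:
    hashing s_1 once turns m_1 into 12, which lowers U from 23 to 22, so the
    check-sum chain s_6 would have to be shortened, i.e. h^{-1} computed."""
    m = "1011" + "0111" + "1010" + "1101"
    t = len(m) // k
    r = len(checksum_blocks(blocks_of(m, k), k))
    priv, pub = keygen(t, r, k)
    sig = sign(m, priv, k)
    ok = verify(m, sig, pub, k)
    tampered_m = "1100" + m[4:]
    tampered_sig = [h(sig[0])] + sig[1:]
    return ok, verify(tampered_m, tampered_sig, pub, k)
```

The verifier recomputes the check-sum blocks itself from m, so an adversary cannot supply a check-sum of his choosing; the only degree of freedom is how far each chain has been walked, and every chain is pinned by v_i at exactly 2^k − 1 steps from k_i.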


11.6.3  Authentication  trees  and  one-time  signatures 

§13.4.1 describes the basic structure of an authentication tree and relates how such a tree
could be used, among other things, to authenticate a large number of public validation
parameters for a one-time signature scheme. This section describes how an authentication tree
can be used in conjunction with a one-time signature scheme to provide a scheme which
allows multiple signatures. A small example will serve to illustrate how this is done.

11.97 Example (an authentication tree for Merkle's one-time scheme) Consider the one-time
signature scheme of Algorithm 11.92 for signing n-bit messages. Let h: {0,1}* → {0,1}^l
be a preimage-resistant hash function and t = n + ⌊lg n⌋ + 1. Figure 11.7 illustrates
a 5-vertex binary tree created by an entity A in the course of signing five messages
m_0, m_1, m_2, m_3, m_4. Each vertex in the tree is associated with one of the five messages.
For the vertex associated with message m_i, A has selected X_i = (x_{1i}, x_{2i}, ..., x_{ti}),
U_i = (u_{1i}, u_{2i}, ..., u_{ti}) and W_i = (w_{1i}, w_{2i}, ..., w_{ti}), 0 ≤ i ≤ 4, the elements of
which are random bitstrings. From these lists, A has computed Y_i = (h(x_{ji}): 1 ≤ j ≤
t), V_i = (h(u_{ji}): 1 ≤ j ≤ t), and Z_i = (h(w_{ji}): 1 ≤ j ≤ t). Define h(Y_i) =
h(h(x_{1i})||h(x_{2i})||···||h(x_{ti})) for 0 ≤ i ≤ 4, and define h(V_i) and h(Z_i) analogously.
Denote the Merkle one-time signature of m_i using private key X_i by S_A(m_i, X_i), 0 ≤
i ≤ 4. Y_i is the set of validation parameters for the signature S_A(m_i, X_i). Finally, let
R_i = h(h(Y_i)||h(V_i)||h(Z_i)), 0 ≤ i ≤ 4. Table 11.8 summarizes the parameters associated
with the vertex R_i. The sets U_i and W_i are used to sign the labels of the children
of vertex R_i. The signature on vertex R_0 is that of a trusted third party (TTP). Table 11.9
summarizes the parameters and signatures associated with each vertex label of the binary
tree. To describe how the tree is used to verify signatures, consider message m_4 and signature
S_A(m_4, X_4). The signer A first provides the verifier B with the validation parameters
Y_4. The verifier checks the Merkle one-time signature using step 2 of Algorithm 11.92. B
must then be convinced that Y_4 is an authentic set of validation parameters created by A.
To accomplish this, A provides B with a sequence of values enumerated in the steps below:

1. h(V_4), h(Z_4); B computes h(Y_4) and then R_4 = h(h(Y_4)||h(V_4)||h(Z_4)).

2. S_A(R_4, W_1) and Z_1; B verifies the signature on R_4 using Algorithm 11.92.

3. h(Y_1), h(V_1); B computes h(Z_1) and then R_1 = h(h(Y_1)||h(V_1)||h(Z_1)).

4. S_A(R_1, U_0) and V_0; B verifies the signature using Algorithm 11.92.

5. h(Y_0), h(Z_0); B computes h(V_0) and then R_0 = h(h(Y_0)||h(V_0)||h(Z_0)).

6. the signature of the TTP for R_0; B verifies the TTP's signature using an algorithm
appropriate to the signature mechanism for the TTP.

The binary tree on 5 vertices (Figure 11.7) could be extended indefinitely from any leaf as
more signatures are created by A. The length of a longest authentication path (or equivalently,
the depth of the tree) determines the maximum amount of information which A must
provide B in order for B to verify the signature of a message associated with a vertex. □


Figure 11.7: An authentication tree for the Merkle one-time signature scheme (cf. Example 11.97).


message                  m_i
private parameters       X_i, U_i, W_i
public parameters        Y_i, V_i, Z_i
hash values              h(Y_i), h(V_i), h(Z_i)
R_i                      h(h(Y_i) || h(V_i) || h(Z_i))
signature                S_A(m_i, X_i)
validation parameters    Y_i

Table 11.8: Parameters and signature associated with vertex R_i, 0 ≤ i ≤ 4 (cf. Figure 11.7).


Message   Vertex Label   Signature on Vertex Label   Authentication Parameters
m_0       R_0            Signature of TTP            —
m_1       R_1            S_A(R_1, U_0)               V_0, h(Y_0), h(Z_0)
m_2       R_2            S_A(R_2, W_0)               Z_0, h(Y_0), h(V_0)
m_3       R_3            S_A(R_3, U_1)               V_1, h(Y_1), h(Z_1)
m_4       R_4            S_A(R_4, W_1)               Z_1, h(Y_1), h(V_1)

Table 11.9: Parameters and signatures associated with vertices of the binary tree (cf. Figure 11.7).
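Algorithm 11.92 together with the five-vertex tree of Example 11.97, as an added Python example (not the Handbook's code). It assumes SHA-256 as h, random 32-byte k_i, and n = 256, so that a vertex label R_i (an l-bit hash) can itself be signed as an n-bit message; the TTP's signature on R_0 is modelled by the verifier holding an authentic copy of R_0, and all function and class names are this example's own. The verifier receives only the public values listed in steps 1 to 5 and never sees X_i, U_i or W_i.

```python
"""Merkle one-time signatures (Algorithms 11.91/11.92) and the five-vertex
authentication tree of Example 11.97 (Tables 11.8 and 11.9).  Added example,
not the Handbook's code.  Assumptions: SHA-256 stands in for h, each k_i is a
random 32-byte string, and n = 256 so that a vertex label R_i can itself be
signed as an n-bit message; the TTP's signature on R_0 is modelled by the
verifier holding an authentic copy of R_0."""
import hashlib
import os

N = 256                   # message bitlength n
T = N + N.bit_length()    # t = n + floor(lg n) + 1  (bit_length() == floor(lg n) + 1)


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def form_w(m: bytes) -> list:
    """w = m || c, where c is the (floor(lg n) + 1)-bit count of 0's in m."""
    bits = [int(b) for byte in m for b in format(byte, "08b")]
    assert len(bits) == N
    return bits + [int(b) for b in format(bits.count(0), f"0{N.bit_length()}b")]


def keygen():
    """Algorithm 11.91: private (k_1..k_t), public (v_1..v_t) with v_i = h(k_i)."""
    priv = [os.urandom(32) for _ in range(T)]
    return priv, [h(k) for k in priv]


def sign(m: bytes, priv: list) -> list:
    """Algorithm 11.92 step 1: reveal k_i at every position i where w has a 1."""
    return [priv[i] for i, a in enumerate(form_w(m)) if a == 1]


def verify(m: bytes, sig: list, pub: list) -> bool:
    """Algorithm 11.92 step 2: h(s_j) must equal v_{i_j} at every 1-position."""
    ones = [i for i, a in enumerate(form_w(m)) if a == 1]
    return len(sig) == len(ones) and all(h(s) == pub[i] for i, s in zip(ones, sig))


def hlist(params: list) -> bytes:
    """h(Y_i) = h(h(x_1i) || ... || h(x_ti)); h(V_i) and h(Z_i) likewise."""
    return h(b"".join(params))


class Vertex:
    """Table 11.8: X_i signs m_i; U_i and W_i sign the left and right child labels."""
    def __init__(self):
        self.X, self.Y = keygen()
        self.U, self.V = keygen()
        self.W, self.Z = keygen()
        self.R = h(hlist(self.Y) + hlist(self.V) + hlist(self.Z))


def build_tree():
    """Figure 11.7 / Table 11.9: R_1, R_2 are children of R_0; R_3, R_4 of R_1."""
    vs = [Vertex() for _ in range(5)]
    label_sigs = {1: sign(vs[1].R, vs[0].U), 2: sign(vs[2].R, vs[0].W),
                  3: sign(vs[3].R, vs[1].U), 4: sign(vs[4].R, vs[1].W)}
    return vs, label_sigs


def auth_path_m4(vs, label_sigs) -> dict:
    """Public values A hands B in steps 1-5 to authenticate Y_4."""
    v0, v1, v4 = vs[0], vs[1], vs[4]
    return {1: (hlist(v4.V), hlist(v4.Z)), 2: (label_sigs[4], v1.Z),
            3: (hlist(v1.Y), hlist(v1.V)), 4: (label_sigs[1], v0.V),
            5: (hlist(v0.Y), hlist(v0.Z))}


def verify_m4(m4: bytes, sig_m4: list, Y4: list, path: dict, trusted_R0: bytes) -> bool:
    """B's side: Merkle check under Y_4, then steps 1-6 up to the certified root."""
    if not verify(m4, sig_m4, Y4):
        return False
    hV4, hZ4 = path[1]
    R4 = h(hlist(Y4) + hV4 + hZ4)             # step 1: B computes h(Y_4) and R_4
    sig_R4, Z1 = path[2]
    if not verify(R4, sig_R4, Z1):            # step 2: S_A(R_4, W_1) checked under Z_1
        return False
    hY1, hV1 = path[3]
    R1 = h(hY1 + hV1 + hlist(Z1))             # step 3: B computes h(Z_1) and R_1
    sig_R1, V0 = path[4]
    if not verify(R1, sig_R1, V0):            # step 4: S_A(R_1, U_0) checked under V_0
        return False
    hY0, hZ0 = path[5]
    R0 = h(hY0 + hlist(V0) + hZ0)             # step 5: B computes h(V_0) and R_0
    return R0 == trusted_R0                   # step 6: compare with the TTP-certified root


def demo():
    vs, label_sigs = build_tree()
    m4 = h(b"constructed message m_4")        # a constructed 256-bit message
    sig = sign(m4, vs[4].X)
    path = auth_path_m4(vs, label_sigs)
    genuine = verify_m4(m4, sig, vs[4].Y, path, vs[0].R)
    other = verify_m4(h(b"a different message"), sig, vs[4].Y, path, vs[0].R)
    return genuine, other
```

Each of the three key lists at a vertex is used exactly once (X_i for the message, U_i and W_i for the two child labels), which is what keeps Note 11.90's one-timeness intact even though the tree lets A sign many messages.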


11.6.4 The GMR one-time signature scheme

The Goldwasser, Micali, and Rivest (GMR) scheme (Algorithm 11.102) is a one-time
signature scheme which requires a pair of claw-free permutations (see Definition 11.98). When
combined with a tree authentication procedure, it provides a mechanism for signing more
than one message. The GMR scheme is noteworthy as it was the first digital signature
mechanism proven to be secure against an adaptive chosen-message attack. Although the GMR
scheme is not practical, variations of it have been proposed which suggest that the concept
is not purely of theoretical importance.

11.98 Definition Let g_i: X → X, i = 0, 1, be two permutations defined on a finite set X.
g_0 and g_1 are said to be a claw-free pair of permutations if it is computationally infeasible
to find x, y ∈ X such that g_0(x) = g_1(y). A triple (x, y, z) of elements from X with
g_0(x) = g_1(y) = z is called a claw. If both g_i, i = 0, 1, have the property that given
additional information it is computationally feasible to determine g_0^{-1}, g_1^{-1}, respectively,
the permutations are called a trapdoor claw-free pair of permutations.

In order for g_0, g_1 to be a claw-free pair, computing g_i^{-1}(x), for both i = 0 and 1,
must be computationally infeasible for essentially all x ∈ X. For, if g_1^{-1} (and similarly for
g_0^{-1}) could be efficiently computed, one could select an x ∈ X, compute g_0(x) = z and
g_1^{-1}(z) = y, to obtain a claw (x, y, z).

11.99 Example (trapdoor claw-free permutation pair) Let n = pq where p ≡ 3 (mod 4) and
q ≡ 7 (mod 8). For this choice of p and q, (−1/n) = 1 but −1 ∉ Q_n, and (2/n) = −1. Here,
(·/n) denotes the Jacobi symbol (Definition 2.147). Define D_n = {x : (x/n) = 1 and 0 < x <
n/2}. Define g_0: D_n → D_n and g_1: D_n → D_n by

$$g_0(x) = \begin{cases} x^2 \bmod n, & \text{if } x^2 \bmod n < n/2, \\ -x^2 \bmod n, & \text{if } x^2 \bmod n > n/2; \end{cases}$$

$$g_1(x) = \begin{cases} 4x^2 \bmod n, & \text{if } 4x^2 \bmod n < n/2, \\ -4x^2 \bmod n, & \text{if } 4x^2 \bmod n > n/2. \end{cases}$$

If factoring n is intractable, then g_0, g_1 form a trapdoor claw-free pair of permutations; this
can be seen as follows.

(i) (g_0 and g_1 are permutations on D_n) If g_0(x) = g_0(y), then x^2 ≡ y^2 (mod n) (x^2 ≡
−y^2 (mod n) is not possible since −1 ∉ Q_n), whence x ≡ ±y (mod n). Since
0 < x, y < n/2, then x = y, and hence g_0 is a permutation on D_n. A similar
argument shows that g_1 is a permutation on D_n.

(ii) (g_0 and g_1 are claw-free) Suppose that there is an efficient method for finding x, y ∈
D_n such that g_0(x) = g_1(y). Then x^2 ≡ 4y^2 (mod n) (x^2 ≡ −4y^2 (mod n) is
impossible since −1 ∉ Q_n), whence (x − 2y)(x + 2y) ≡ 0 (mod n). Since (x/n) = 1
and (2y/n) = −1, x ≢ ±2y (mod n) and, hence, gcd(x − 2y, n) yields a non-trivial
factor of n. This contradicts the assumption that factoring n is intractable.

(iii) (g_0, g_1 is a trapdoor claw-free pair) Knowing the factorization of n permits one to
compute g_0^{-1} and g_1^{-1}. Hence, g_0, g_1 is a trapdoor claw-free permutation pair. □

The following example illustrates the general construction given in Example 11.99.

11.100 Example (pair of claw-free permutations for artificially small parameters) Let p = 11,
q = 7, and n = pq = 77. D_77 = {x : (x/77) = 1 and 0 < x < 38} = {1, 4, 6, 9, 10, 13, 15,
16, 17, 19, 23, 24, 25, 36, 37}. The following table describes g_0 and g_1.

   x    |  1   4   6   9  10  13  15  16  17  19  23  24  25  36  37
--------+-------------------------------------------------------------
 g_0(x) |  1  16  36   4  23  15   6  25  19  24  10  37   9  13  17
 g_1(x) |  4  13  10  16  15  17  24  23   1  19  37   6  36  25   9

Notice that g_0 and g_1 are permutations on D_77. □


11.101 Algorithm Key generation for the GMR one-time signature scheme

SUMMARY: each entity selects a pair of trapdoor claw-free permutations and a validation
parameter.

Each entity A should do the following:

1. Select a pair g_0, g_1 of trapdoor claw-free permutations on some set X. (It is "trapdoor"
in that A itself can compute g_0^{-1} and g_1^{-1}.)

2. Select a random element r ∈ X. (r is called a validation parameter.)

3. A's public key is (g_0, g_1, r); A's private key is (g_0^{-1}, g_1^{-1}).


In the following, the notation for the composition of functions g_0, g_1 usually denoted g_0 ∘ g_1
(see Definition 1.33) is simplified to g_0g_1. Also, (g_0g_1)(r) will be written as g_0g_1(r). The
signing space M_S consists of binary strings which are prefix-free (see Note 11.103).


11.102 Algorithm GMR one-time signature generation and verification

SUMMARY: A signs a binary string m = m_1m_2···m_t. B verifies using A's public key.

1. Signature generation. Entity A should do the following:

(a) Compute S_r(m) = ∏_{i=0}^{t−1} g^{-1}_{m_{t−i}}(r).

(b) A's signature for m is S_r(m).

2. Verification. To verify A's signature S_r(m) on m, B should do the following:

(a) Obtain A's authentic public key (g_0, g_1, r).

(b) Compute r' = ∏_{i=1}^{t} g_{m_i}(S_r(m)).

(c) Accept the signature if and only if r' = r.


Proof that signature verification works.

$$r' = \prod_{i=1}^{t} g_{m_i}(S_r(m)) = \prod_{i=1}^{t} g_{m_i} \circ \prod_{i=0}^{t-1} g^{-1}_{m_{t-i}}(r) = g_{m_1} \circ g_{m_2} \circ \cdots \circ g_{m_t} \circ g^{-1}_{m_t} \circ g^{-1}_{m_{t-1}} \circ \cdots \circ g^{-1}_{m_1}(r) = r.$$

Thus r' = r, as required.
11.103 Note (message encoding and security) The set of messages which can be signed using Algorithm
11.102 must come from a set of binary strings which are prefix-free. (For example,
101 and 10111 cannot be in the same space since 101 is a prefix of 10111.) One method to
accomplish this is to encode a binary string b_1b_2···b_l as b_1b_1b_2b_2···b_lb_l01. To see why
the prefix-free requirement is necessary, suppose m = m_1m_2···m_t is a message whose
signature is S_r(m) = ∏_{i=0}^{t−1} g^{-1}_{m_{t−i}}(r). If m' = m_1m_2···m_u, u < t, then an adversary
can easily find a valid signature for m' from S_r(m) by computing

$$S_r(m') = \prod_{j=u+1}^{t} g_{m_j}(S_r(m)) = \prod_{i=0}^{u-1} g^{-1}_{m_{u-i}}(r).$$

11.104 Note (one-timeness of Algorithm 11.102) To see that the GMR signature scheme is a one-time
scheme, suppose that two prefix-free messages m = m_1m_2···m_t and m' = n_1n_2···n_u
are both signed with the same validation parameter r. Then S_r(m) = ∏_{i=0}^{t−1} g^{-1}_{m_{t−i}}(r)
and S_r(m') = ∏_{i=0}^{u−1} g^{-1}_{n_{u−i}}(r). Therefore, ∏_{i=1}^{t} g_{m_i}(S_r(m)) = r = ∏_{i=1}^{u} g_{n_i}(S_r(m')).
Since the message space is prefix-free, there is a smallest index h ≥ 1 for which m_h ≠ n_h.
Since each g_i is a bijection, it follows that

$$\prod_{i=h}^{t} g_{m_i}(S_r(m)) = \prod_{i=h}^{u} g_{n_i}(S_r(m'))$$

or

$$g_{m_h} \prod_{i=h+1}^{t} g_{m_i}(S_r(m)) = g_{n_h} \prod_{i=h+1}^{u} g_{n_i}(S_r(m')).$$

Taking x = ∏_{i=h+1}^{t} g_{m_i}(S_r(m)), and y = ∏_{i=h+1}^{u} g_{n_i}(S_r(m')), the adversary has a
claw (x, y, g_{m_h}(x)). This violates the basic premise that it is computationally infeasible
to find a claw. It should be noted that this does not necessarily mean that a signature for a
new message can be forged. In the particular case given in Example 11.99, finding a claw
factors the modulus n and permits anyone to sign an unlimited number of new messages
(i.e., a total break of the system is possible).


11.105 Example (GMR with artificially small parameters)

Key generation. Let n, p, q, g_0, g_1 be those given in Example 11.100. A selects the validation
parameter r = 15 ∈ D_77.

Signature generation. Let m = 1011000011 be the message to be signed. Then

$$S_r(m) = g_1^{-1} \circ g_1^{-1} \circ g_0^{-1} \circ g_0^{-1} \circ g_0^{-1} \circ g_0^{-1} \circ g_1^{-1} \circ g_1^{-1} \circ g_0^{-1} \circ g_1^{-1}(15) = 23.$$

A's signature for message m is 23.

Signature verification. To verify the signature, B computes

$$r' = g_1 \circ g_0 \circ g_1 \circ g_1 \circ g_0 \circ g_0 \circ g_0 \circ g_0 \circ g_1 \circ g_1(23) = 15.$$

Since r = r', B accepts the signature. □
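The claw-free pair of Example 11.99 on the toy modulus of Example 11.100, with GMR signing and verification (Algorithm 11.102) run on the message of Example 11.105, as an added Python example (not the Handbook's code). It assumes the factorization (p, q) as the trapdoor, takes square roots modulo p and q with the exponent (p+1)/4 (valid because p ≡ 3 (mod 4) and q ≡ 7 (mod 8) are both 3 modulo 4), and includes the prefix-free encoding of Note 11.103 as a helper; all function names are this example's own.

```python
"""GMR one-time signatures over the claw-free pair of Example 11.99, run on the
toy parameters of Examples 11.100 and 11.105.  Added example; not the
Handbook's code.  The trapdoor inverses use the factorization (p, q)."""


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0 (Definition 2.147)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def domain(n: int) -> list:
    """D_n = {x : (x/n) = 1 and 0 < x < n/2}."""
    return [x for x in range(1, (n + 1) // 2) if jacobi(x, n) == 1]


def g(i: int, x: int, n: int) -> int:
    """g_0(x) = +-x^2 mod n, g_1(x) = +-4x^2 mod n, sign chosen so the result is < n/2."""
    z = (4 ** i) * x * x % n
    return z if z < n / 2 else n - z


def crt(ap: int, aq: int, p: int, q: int) -> int:
    return (ap * q * pow(q, -1, p) + aq * p * pow(p, -1, q)) % (p * q)


def g_inv(i: int, z: int, p: int, q: int) -> int:
    """Trapdoor inverse g_i^{-1}(z): exactly one of +-z is a square mod n; take its
    roots mod p and mod q (both primes are 3 mod 4) and keep the root in D_n."""
    n = p * q
    for target in (z, n - z):
        if pow(target, (p - 1) // 2, p) != 1 or pow(target, (q - 1) // 2, q) != 1:
            continue                                       # not a quadratic residue
        a = target * pow(4 ** i, -1, n) % n                # x^2 = target / 4^i (mod n)
        rp, rq = pow(a, (p + 1) // 4, p), pow(a, (q + 1) // 4, q)
        for sp in (rp, p - rp):
            for sq in (rq, q - rq):
                x = crt(sp, sq, p, q)
                if jacobi(x, n) == 1 and 0 < x < n / 2:
                    return x
    raise ValueError("z is not in D_n")


def gmr_sign(m: str, r: int, p: int, q: int) -> int:
    """S_r(m) = g^{-1}_{m_t} o ... o g^{-1}_{m_1}(r): the inverse for m_1 is applied first."""
    s = r
    for bit in m:
        s = g_inv(int(bit), s, p, q)
    return s


def gmr_verify(m: str, s: int, r: int, n: int) -> bool:
    """r' = g_{m_1} o ... o g_{m_t}(s): g_{m_t} is applied first; accept iff r' = r."""
    x = s
    for bit in reversed(m):
        x = g(int(bit), x, n)
    return x == r


def prefix_free_encode(bits: str) -> str:
    """Encoding of Note 11.103: b_1 b_1 b_2 b_2 ... b_l b_l 01."""
    return "".join(b + b for b in bits) + "01"
```

With n = 77 the brute-force inverse (invert the table of Example 11.100) would do just as well; g_inv is written the way a real-sized instance has to work, where the only efficient route to g_i^{-1} is through p and q, which is exactly what makes the pair trapdoor claw-free rather than merely claw-free.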


GMR  scheme  with  authentication  trees 

In  order  to  sign  multiple  messages  using  the  GMR  one-time  signature  scheme  (Algorithm 
11.102),  authentication  trees  (see  §13.4.1)  are  required.  Although  conceptually  similar  to 
the  method  described  in  §11.6.3,  only  the  leaves  are  used  to  produce  the  signature.  Before 
giving  details,  an  overview  and  some  additional  notation  are  necessary. 


©1997  by  CRC  Press,  Inc.  — See  accompanying  notice  at  front  of  chapter. 




11.106 Definition A full binary tree with k levels is a binary tree which has 2^{k+1} − 1 vertices and
2^k leaves. The leaves are said to be at level k of the tree.


Let T be a full binary tree with k levels. Select public parameters Y_1, Y_2, ..., Y_n where
n = 2^k. Form an authentication tree T* from T with root label R (see below). R is certified
by a TTP and placed in a publicly available file. T* can now be used to authenticate any of
the Y_i by providing the authentication path values associated with the authentication path
for Y_i. Each Y_i can now be used as the public parameter r for the GMR scheme. The details
for constructing the authentication tree T* now follow.

The tree T* is constructed recursively. For the root vertex, select a value r and two t-bit
binary strings r_L and r_R. Sign the string r_L||r_R with the GMR scheme using the public
value r. The label for the root consists of the values r, r_L, r_R, and S_r(r_L||r_R). To authenticate
the children of the root vertex, select t-bit binary strings b_{0L}, b_{1L}, b_{0R}, and b_{1R}. The
label for the left child of the root is the set of values r_L, b_{0L}, b_{1L}, S_{r_L}(b_{0L}||b_{1L}) and the
label for the right child is r_R, b_{0R}, b_{1R}, S_{r_R}(b_{0R}||b_{1R}). Using the strings b_{0L}, b_{1L}, b_{0R}, and
b_{1R} as public values for the signing mechanism, one can construct labels for the children of
the children of the root. Continuing in this manner, each vertex of T* can be labeled. The
method is illustrated in Figure 11.8.


[Figure 11.8: root labelled r, r_L, r_R, S_r(r_L||r_R); its children labelled
r_L, b_{0L}, b_{1L}, S_{r_L}(b_{0L}||b_{1L}) and r_R, b_{0R}, b_{1R}, S_{r_R}(b_{0R}||b_{1R});
each leaf labelled with its parent's b-value, two fresh t-bit strings, and the GMR
signature on their concatenation under that b-value.]

Figure 11.8: A full binary authentication tree of level 2 for the GMR scheme.


Each leaf of the authentication tree T* can be used to sign a different binary message
m. The signing procedure uses a pair of claw-free permutations g_0, g_1. If m is the binary
message to be signed, and x is the public parameter in the label of a leaf which has not
been used to sign any other message, then the signature for m consists of both S_x(m) and
the authentication path labels.


11.7 Other signature schemes

The signature schemes described in this section do not fall naturally into the general settings
of §11.3 (RSA and related signature schemes), §11.4 (Fiat-Shamir signature schemes),
§11.5 (DSA and related signature schemes), or §11.6 (one-time digital signatures).
11.7.1 Arbitrated digital signatures


11.107 Definition An arbitrated digital signature scheme is a digital signature mechanism requiring
an unconditionally trusted third party (TTP) as part of the signature generation and
verification.

Algorithm 11.109 requires a symmetric-key encryption algorithm E = {E_k : k ∈ K}
where K is the key space. Assume that the inputs and outputs of each E_k are l-bit strings,
and let h: {0,1}* → {0,1}^l be a one-way hash function. The TTP selects a key k_T ∈ K
which it keeps secret. In order to verify a signature, an entity must share a symmetric key
with the TTP.

11.108 Algorithm Key generation for arbitrated signatures

SUMMARY: each entity selects a key and transports it secretly with authenticity to the TTP.
Each entity A should do the following:


1. Select a random secret key k_A ∈ K.

2. Secretly and by some authentic means, make k_A available to the TTP.


11.109 Algorithm Signature generation and verification for arbitrated signatures


SUMMARY: entity A generates signatures using E_{k_A}. Any entity B can verify A's signature
with the cooperation of the TTP.

1. Signature generation. To sign a message m, entity A should do the following:

(a) A computes H = h(m).

(b) A encrypts H with E to get u = E_{k_A}(H).

(c) A sends u along with some identification string I_A to the TTP.

(d) The TTP computes E_{k_A}^{-1}(u) to get H.

(e) The TTP computes s = E_{k_T}(H||I_A) and sends s to A.

(f) A's signature for m is s.

2. Verification. Any entity B can verify A's signature s on m by doing the following:

(a) B computes v = E_{k_B}(s).

(b) B sends v and some identification string I_B to the TTP.

(c) The TTP computes E_{k_B}^{-1}(v) to get s.

(d) The TTP computes E_{k_T}^{-1}(s) to get H||I_A.

(e) The TTP computes w = E_{k_B}(H||I_A) and sends w to B.

(f) B computes E_{k_B}^{-1}(w) to get H||I_A.

(g) B computes H' = h(m) from m.

(h) B accepts the signature if and only if H' = H.
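The message flow of Algorithm 11.109 with the TTP holding k_T and every entity's key, as an added Python example (not the Handbook's code). Because the algorithm needs an invertible E_k and no block cipher is in the standard library, E_k is modelled here by a 4-round Feistel network with an HMAC-SHA256 round function, which is an assumption of this example and not something the page prescribes; h is SHA-256, identification strings are padded to 32 bytes, and all names are this example's own.

```python
"""Arbitrated signatures (Algorithms 11.108/11.109) with the TTP in the loop.
Added example; not the Handbook's code.  E_k is modelled by a 4-round Feistel
network with an HMAC-SHA256 round function (a stand-in chosen only because it
is invertible and needs no extra library); h is SHA-256 and identification
strings are padded to 32 bytes."""
import hashlib
import hmac
import os


def h(m: bytes) -> bytes:
    return hashlib.sha256(m).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:len(half)]


def E(key: bytes, block: bytes) -> bytes:
    """E_k on an even-length block of at most 64 bytes (Feistel, 4 rounds)."""
    assert len(block) % 2 == 0 and len(block) <= 64
    l, r = block[:len(block) // 2], block[len(block) // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l


def E_inv(key: bytes, block: bytes) -> bytes:
    """E_k^{-1}: the same network with the round order reversed."""
    l, r = block[:len(block) // 2], block[len(block) // 2:]
    for rnd in reversed(range(4)):
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l


def pad_id(ident: bytes) -> bytes:
    return ident.ljust(32, b"\0")


class TTP:
    """Holds k_T and each entity's key received under Algorithm 11.108 step 2."""
    def __init__(self):
        self.kT = os.urandom(32)
        self.keys = {}

    def register(self, ident: bytes, key: bytes):
        self.keys[ident] = key

    def sign_request(self, u: bytes, IA: bytes) -> bytes:
        H = E_inv(self.keys[IA], u)                    # step 1(d): recover H
        return E(self.kT, H + IA)                      # step 1(e): s = E_kT(H || I_A)

    def verify_request(self, v: bytes, IB: bytes) -> bytes:
        s = E_inv(self.keys[IB], v)                    # step 2(c): recover s
        H_IA = E_inv(self.kT, s)                       # step 2(d): H || I_A
        return E(self.keys[IB], H_IA)                  # step 2(e): w = E_kB(H || I_A)


def sign(m: bytes, kA: bytes, IA: bytes, ttp: TTP) -> bytes:
    u = E(kA, h(m))                                    # steps 1(a)-(b)
    return ttp.sign_request(u, pad_id(IA))             # steps 1(c)-(f)


def verify(m: bytes, s: bytes, kB: bytes, IB: bytes, ttp: TTP):
    """Returns (accepted, I_A as recovered from the TTP's reply)."""
    v = E(kB, s)                                       # step 2(a)
    w = ttp.verify_request(v, pad_id(IB))              # step 2(b)
    H_IA = E_inv(kB, w)                                # step 2(f)
    H, IA = H_IA[:32], H_IA[32:].rstrip(b"\0")
    return H == h(m), IA                               # steps 2(g)-(h)


def demo():
    ttp = TTP()
    kA, kB = os.urandom(32), os.urandom(32)            # k_A, k_B of Algorithm 11.108
    ttp.register(pad_id(b"alice"), kA)
    ttp.register(pad_id(b"bob"), kB)
    m = b"pay 100 to carol"                            # constructed message
    s = sign(m, kA, b"alice", ttp)
    ok, signer = verify(m, s, kB, b"bob", ttp)
    tampered, _ = verify(b"pay 900 to carol", s, kB, b"bob", ttp)
    return ok, signer, tampered
```

B never learns k_A and A never learns k_B; everything passes through k_T, which is why the TTP must be unconditionally trusted (Definition 11.107). The function returns the recovered I_A alongside the accept decision so the caller can also confirm that the signer named inside s is the entity it expected.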

11.110 Note (security of arbitrated signature scheme) The security of Algorithm 11.109 is based
on the symmetric-key encryption scheme chosen and the ability to distribute keys to participants
in an authentic manner. §13.3 discusses techniques for distributing confidential
keys.

11.111 Note (performance characteristics of arbitrated signatures) Since symmetric-key algorithms
are typically much faster than public-key techniques, signature generation and verification
by Algorithm 11.109 are (relatively) very efficient. A drawback is that interaction
with the TTP is required, which places a much higher burden on the TTP and requires additional
message exchanges between entities and the TTP.


11.7.2 ESIGN

ESIGN (an abbreviation for Efficient digital SIGNature) is another digital signature scheme
whose security relies on the difficulty of factoring integers. It is a signature scheme with
appendix and requires a one-way hash function h: {0,1}* → ℤ_n.


11.112 Algorithm Key generation for ESIGN

SUMMARY: each entity creates a public key and corresponding private key.

Each entity A should do the following:

1. Select random primes p and q such that p > q and p, q are roughly of the same
bitlength.

2. Compute n = p^2 q.

3. Select a positive integer k ≥ 4.

4. A's public key is (n, k); A's private key is (p, q).


11.113 Algorithm ESIGN signature generation and verification

SUMMARY: the signing algorithm computes an integer s such that s^k mod n lies in a certain
interval determined by the message. Verification demonstrates that s^k mod n does indeed
lie in the specified interval.

1. Signature generation. To sign a message m which is a bitstring of arbitrary length,
entity A should do the following:

(a) Compute v = h(m).

(b) Select a random secret integer x, 0 ≤ x < pq.

(c) Compute w = ⌈((v − x^k) mod n)/(pq)⌉ and y = w · (kx^{k−1})^{-1} mod p.

(d) Compute s = x + ypq mod n.

(e) A's signature for m is s.

2. Verification. To verify A's signature s on m, B should do the following:

(a) Obtain A's authentic public key (n, k).

(b) Compute u = s^k mod n and z = h(m).

(c) If z ≤ u < z + 2^{⌈(2/3) lg n⌉}, accept the signature; else reject it.


Proof that signature verification works. Note that

$$s^k = (x + ypq)^k = \sum_{j=0}^{k} \binom{k}{j} x^{k-j} (ypq)^j \equiv x^k + kypqx^{k-1} \pmod{n}.$$

But kx^{k−1}y ≡ w (mod p) and, thus, kx^{k−1}y = w + lp for some l ∈ ℤ. Hence,

$$s^k \equiv x^k + pq(w + lp) \equiv x^k + pqw \equiv x^k + pq \left\lceil \frac{(h(m) - x^k) \bmod n}{pq} \right\rceil \equiv x^k + pq \cdot \frac{((h(m) - x^k) \bmod n) + e}{pq} \pmod{n},$$

where e = (x^k − h(m)) mod pq. Therefore, s^k ≡ x^k + h(m) − x^k + e = h(m) + e (mod n). Since 0 ≤ e < pq, it follows that h(m) ≤
s^k mod n < h(m) + pq ≤ h(m) + 2^{⌈(2/3) lg n⌉}, as required.
11.114 Example (ESIGN for artificially small parameters) In Algorithm 11.113, take messages
to be integers m, 0 ≤ m < n, and the hash function h to be h(m) = m.

Key generation. A selects primes p = 17389 and q = 15401, k = 4, and computes
n = p^2 q = 4656913120721. A's public key is (n = 4656913120721, k = 4); A's private
key is (p = 17389, q = 15401).

Signature generation. To sign the message m = 3111527988477, A computes v = h(m)
= 3111527988477, and selects x = 14222 such that 0 ≤ x < pq. A then computes w =
⌈((v − x^k) mod n)/(pq)⌉ = ⌈2848181921806/267807989⌉ = ⌈10635.16414⌉ = 10636
and y = w(kx^{k−1})^{-1} mod p = 10636(4 × 14222^3)^{-1} mod 17389 = 9567. Finally, A
computes the signature s = x + ypq mod n = 2562119044985.

Signature verification. B obtains A's public key (n = 4656913120721, k = 4), and computes
u = s^k mod n = 3111751837675. Since 3111527988477 ≤ 3111751837675 <
3111527988477 + 2^29, B accepts the signature (here, ⌈(2/3) lg n⌉ = 29). □
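Algorithms 11.112 and 11.113 run on the parameters of Example 11.114, as an added Python example (not the Handbook's code). It assumes, as the example does, that messages are integers 0 ≤ m < n with h(m) = m; a fresh signature draws x from the secrets module, retrying in the rare case gcd(x, p) > 1 where (kx^{k−1})^{-1} mod p does not exist. The intermediate values w and y are returned so that they can be checked against the example.

```python
"""ESIGN key generation, signing and verification (Algorithms 11.112/11.113),
run on the parameters of Example 11.114.  Added example; not the Handbook's
code.  As in the example, messages are integers 0 <= m < n and h(m) = m;
a fresh signature uses a random x from the secrets module."""
import secrets
from math import ceil, log2


def esign_keygen(p: int, q: int, k: int):
    """Algorithm 11.112: public (n, k) with n = p^2 q, private (p, q)."""
    assert p > q and k >= 4
    return (p * p * q, k), (p, q)


def esign_bound(n: int) -> int:
    """Acceptance window 2^ceil((2/3) lg n) used in verification step 2(c)."""
    return 2 ** ceil(2 * log2(n) / 3)


def esign_sign_with_x(v: int, x: int, p: int, q: int, k: int):
    """Steps 1(c)-(d) for a given x; returns (w, y, s) so the example can be checked."""
    n, pq = p * p * q, p * q
    w = -(-((v - pow(x, k, n)) % n) // pq)                # ceil(((v - x^k) mod n) / pq)
    y = w * pow(k * pow(x, k - 1, p), -1, p) % p          # w * (k x^{k-1})^{-1} mod p
    s = (x + y * pq) % n
    return w, y, s


def esign_sign(v: int, priv: tuple, k: int) -> int:
    """Step 1(b) with a random x, then steps 1(c)-(e)."""
    p, q = priv
    while True:
        x = secrets.randbelow(p * q)                       # 0 <= x < pq
        if x % p:                                          # need x invertible mod p
            return esign_sign_with_x(v, x, p, q, k)[2]


def esign_verify(v: int, s: int, pub: tuple) -> bool:
    """Step 2: accept iff h(m) <= s^k mod n < h(m) + 2^ceil((2/3) lg n)."""
    n, k = pub
    u = pow(s, k, n)
    return v <= u < v + esign_bound(n)


def example_11_114():
    """Reproduces the numbers of Example 11.114 with x = 14222."""
    pub, priv = esign_keygen(17389, 15401, 4)
    m = 3111527988477
    w, y, s = esign_sign_with_x(m, 14222, *priv, 4)
    return pub[0], w, y, s, pow(s, 4, pub[0]), esign_verify(m, s, pub)
```

The proof after Algorithm 11.113 says s^k mod n = h(m) + e with 0 ≤ e < pq; on the example's numbers e = 3111751837675 − 3111527988477 = 223849198, comfortably below pq = 267807989 and below the 2^29 window.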

11.115 Note (security of ESIGN)

(i) The modulus $n = p^2 q$ in Algorithm 11.113 differs from an RSA modulus by having a repeated factor of $p$. It is unknown whether or not moduli of this form are easier to factor than integers which are simply the product of two distinct primes.

(ii) Given a valid signature $s$ for a message $m$, an adversary could forge a signature for a message $m'$ if $h(m')$ is such that $h(m') \le u < h(m') + 2^{\lceil \frac{2}{3} \lg n \rceil}$ (where $u = s^k \bmod n$). If an $m'$ with this property is found, then $s$ will be a signature for it. This will occur if $h(m)$ and $h(m')$ agree in the high-order $(\lg n)/3$ bits. Assuming that $h$ behaves like a random function, one would expect to try $2^{(\lg n)/3}$ different values of $m'$ before observing this.

(iii) Another possible approach to forging is to find a pair of messages $m$ and $m'$ such that $h(m)$ and $h(m')$ agree in the high-order $(\lg n)/3$ bits. By the birthday paradox (Fact 2.27(ii)), one can expect to find such a pair in $O(2^{(\lg n)/6})$ trials. If an adversary is able to get the legitimate signer to sign $m$, the same signature will be a signature for $m'$.

(iv) For the size of the integer $n$ necessary to make the factorization of $n$ infeasible, (ii) and (iii) above are extremely unlikely possibilities.
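The signing and verification steps of the worked example, together with the acceptance window that Note 11.115(ii) relies on, as runnable Python. This is an added example, not the Handbook's code: it reproduces the numbers above when called with the fixed $x = 14222$, draws $x$ at random otherwise, and takes the hash value $v = h(m)$ as its input because the page does not fix a particular $h$.

```python
"""ESIGN (Algorithm 11.113): signature generation and verification, reproducing the
worked example above and the acceptance window that Note 11.115(ii) relies on."""
import math
import secrets


def esign_keygen(p, q, k):
    """Public key (n, k) with n = p^2 q, private key (p, q); the caller supplies primes."""
    return (p * p * q, k), (p, q)


def esign_sign(v, pub, priv, x=None):
    """Sign the hash value v = h(m), 0 <= v < n.  x is the per-signature random with
    0 <= x < pq (the example above fixes x = 14222); it is drawn fresh otherwise and
    must be invertible mod p so that k x^{k-1} has an inverse in step 1(c)."""
    n, k = pub
    p, q = priv
    pq = p * q
    if x is None:
        x = secrets.randbelow(pq)
        while x % p == 0:
            x = secrets.randbelow(pq)
    if x % p == 0:
        raise ValueError("x must not be divisible by p")
    r = (v - pow(x, k, n)) % n                    # (v - x^k) mod n
    w = -(-r // pq)                               # ceil(r / pq), exact integer arithmetic
    y = w * pow(k * pow(x, k - 1, p), -1, p) % p  # w (k x^{k-1})^{-1} mod p
    return (x + y * pq) % n


def esign_verify(v, s, pub):
    """Accept iff v <= s^k mod n < v + 2^t with t = ceil((2/3) lg n), lg = log base 2."""
    n, k = pub
    u = pow(s, k, n)
    t = math.ceil(2 * math.log2(n) / 3)
    return v <= u < v + (1 << t)


def worked_example():
    """Runs the example above; returns (s, u, accepted)."""
    pub, priv = esign_keygen(17389, 15401, 4)
    v = 3111527988477
    s = esign_sign(v, pub, priv, x=14222)
    return s, pow(s, pub[1], pub[0]), esign_verify(v, s, pub)
```

Calling `esign_verify` with a hash value slightly above $v$ (but still within $2^{29}$ of $u$) also returns true for the same $s$: that is exactly the window an attacker searches for in Note 11.115(ii), and why the window must be far smaller than the space of hash values.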

11.116 Note (performance characteristics of ESIGN signatures) Signature generation in Algorithm 11.113 is very efficient. For small values of $k$ (e.g., $k = 4$), the most computationally intensive part is the modular inverse required in step 1c. Depending on the implementation, this corresponds to a small number of modular multiplications with modulus $p$. For $k = 4$ and a 768-bit modulus $n$, ESIGN signature generation may be between one and two orders of magnitude (10 to 100 times) faster than RSA signature generation with an equivalent modulus size. (A 768-bit modulus is no longer an adequate size; the comparison, not the parameter, is the point.) Signature verification is also very efficient and is comparable to RSA with a small public exponent.


11.8  Signatures  with  additional  functionality 

The  mechanisms  described  in  this  section  provide  functionality  beyond  authentication  and 
non-repudiation.  In  most  instances,  they  combine  a basic  digital  signature  scheme  (e.g., 
RSA)  with  a specific  protocol  to  achieve  additional  features  which  the  basic  method  does 
not  provide. 
11.8.1 Blind signature schemes

Rather than signature schemes as described in §11.2, blind signature schemes are two-party protocols between a sender A and a signer B. The basic idea is the following. A sends a piece of information to B which B signs and returns to A. From this signature, A can compute B's signature on an a priori message $m$ of A's choice. At the completion of the protocol, B knows neither the message $m$ nor the signature associated with it.

The  purpose  of  a blind  signature  is  to  prevent  the  signer  B from  observing  the  message 
it  signs  and  the  signature;  hence,  it  is  later  unable  to  associate  the  signed  message  with  the 
sender  A. 

11.117 Example (applications of blind signatures) Blind signature schemes have applications where the sender A (the customer) does not want the signer B (the bank) to be capable of associating a posteriori a message $m$ and a signature $S_B(m)$ to a specific instance of the protocol. This may be important in electronic cash applications where a message $m$ might represent a monetary value which A can spend. When $m$ and $S_B(m)$ are presented to B for payment, B is unable to deduce which party was originally given the signed value. This allows A to remain anonymous so that spending patterns cannot be monitored. □

A blind signature protocol requires the following components:

1. A digital signature mechanism for signer B. $S_B(x)$ denotes the signature of B on $x$.

2. Functions $f$ and $g$ (known only to the sender) such that $g(S_B(f(m))) = S_B(m)$. $f$ is called a blinding function, $g$ an unblinding function, and $f(m)$ a blinded message.

Property 2 places many restrictions on the choice of $S_B$ and $g$.

11.118 Example (blinding function based on RSA) Let $n = pq$ be the product of two large random primes. The signing algorithm $S_B$ for entity B is the RSA signature scheme (Algorithm 11.19) with public key $(n, e)$ and private key $d$. Let $k$ be some fixed integer with $\gcd(n, k) = 1$. The blinding function $f : \mathbb{Z}_n \to \mathbb{Z}_n$ is defined by $f(m) = m \cdot k^e \bmod n$ and the unblinding function $g : \mathbb{Z}_n \to \mathbb{Z}_n$ by $g(m) = k^{-1} m \bmod n$. For this choice of $f$, $g$, and $S_B$, $g(S_B(f(m))) = g(S_B(m k^e \bmod n)) = g(m^d k \bmod n) = m^d \bmod n = S_B(m)$, as required by property 2. □

Protocol  11.119  presents  a blind  signature  scheme  which  uses  the  digital  signature 
mechanism  and  functions  / and  g described  in  Example  11.118. 


11.119 Protocol Chaum's blind signature protocol

SUMMARY: sender A receives a signature of B on a blinded message. From this, A computes B's signature on a message $m$ chosen a priori by A, $0 \le m \le n - 1$. B has no knowledge of $m$ nor the signature associated with $m$.

1. Notation. B's RSA public and private keys are $(n, e)$ and $d$, respectively. $k$ is a random secret integer chosen by A satisfying $0 \le k \le n - 1$ and $\gcd(n, k) = 1$.

2. Protocol actions.

(a) (blinding) A computes $m^* = m k^e \bmod n$ and sends this to B.

(b) (signing) B computes $s^* = (m^*)^d \bmod n$ which it sends to A.

(c) (unblinding) A computes $s = k^{-1} s^* \bmod n$, which is B's signature on $m$.
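Protocol 11.119 with the blinding and unblinding functions of Example 11.118, both parties' steps written out in Python. This is an added example, not the Handbook's or Chaum's code; the RSA primes are constructed toy values. Because B signs whatever it is handed, a key used for blind signing must not double as a decryption key (a blinded ciphertext would come back decrypted), and a deployment signs a hash or padded message rather than the raw value $m$.

```python
"""Chaum's blind signature protocol (Protocol 11.119) with the RSA blinding and
unblinding functions of Example 11.118, both parties' steps written out."""
import math
import secrets


def rsa_keygen(p, q, e=65537):
    """Textbook RSA on caller-supplied primes; toy sizes here, real keys use >= 2048-bit n."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(n)")
    return (n, e), pow(e, -1, phi)


def blind(m, pub, k=None):
    """Sender A, step 2(a): choose k with gcd(n, k) = 1, return (k, m* = m k^e mod n)."""
    n, e = pub
    while k is None or math.gcd(k, n) != 1:
        k = secrets.randbelow(n - 1) + 1
    return k, m * pow(k, e, n) % n


def sign_blinded(m_star, pub, d):
    """Signer B, step 2(b): s* = (m*)^d mod n.  B signs whatever it is handed."""
    n, _ = pub
    return pow(m_star, d, n)


def unblind(s_star, k, pub):
    """Sender A, step 2(c): s = k^{-1} s* mod n, B's ordinary RSA signature on m."""
    n, _ = pub
    return pow(k, -1, n) * s_star % n


def rsa_verify(m, s, pub):
    n, e = pub
    return pow(s, e, n) == m


def run_protocol(m, pub, d, k=None):
    """The full exchange; returns s and the pair (m*, s*) that is all B ever sees."""
    k, m_star = blind(m, pub, k)
    s_star = sign_blinded(m_star, pub, d)
    return unblind(s_star, k, pub), (m_star, s_star)
```

The pair `(m*, s*)` returned alongside the signature is the signer's entire view of the run: neither value equals $m$ or $s$, and two runs with different $k$ produce the same final $s$, which is what makes the later presentation of $(m, s)$ unlinkable to the run.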
11.8.2 Undeniable signature schemes

Undeniable  signature  schemes  are  distinct  from  digital  signatures  in  the  sense  of  §11.2  in 
that  the  signature  verification  protocol  requires  the  cooperation  of  the  signer.  The  following 
example  describes  two  scenarios  where  an  undeniable  signature  could  be  applied. 

11.120 Example (scenarios for undeniable signatures)

(i)  Entity  A (the  customer)  wishes  to  gain  access  to  a secured  area  controlled  by  entity 
B ( the  bank).  The  secured  area  might,  for  example,  be  a safety-deposit  box  room.  B 
requires  A to  sign  a time  and  date  document  before  access  is  granted.  If  A uses  an 
undeniable signature, then B is unable to prove (at some later date) to anyone that A
used the facility without A's direct involvement in the signature verification process.

(ii)  Suppose  some  large  corporation  A creates  a software  package.  A signs  the  package 
and  sells  it  to  entity  B , who  decides  to  make  copies  of  this  package  and  resell  it  to  a 
third  party  C.  C is  unable  to  verify  the  authenticity  of  the  software  without  the  coop- 
eration of  A.  Of  course,  this  scenario  does  not  prevent  B from  re-signing  the  package 
with  its  own  signature  but  the  marketing  advantage  associated  with  corporation  A’s 
name  is  lost  to  B.  It  will  also  be  easier  to  trace  the  fraudulent  activity  of  B.  □ 


11.121 Algorithm Key generation for Algorithm 11.122

SUMMARY: each entity selects a private key and corresponding public key.

Each entity A should do the following:

1. Select a random prime $p = 2q + 1$ where $q$ is also a prime.

2. (Select a generator $\alpha$ for the subgroup of order $q$ in $\mathbb{Z}_p^*$.)

2.1 Select a random element $\beta \in \mathbb{Z}_p^*$ and compute $\alpha = \beta^{(p-1)/q} \bmod p$.

2.2 If $\alpha = 1$ then go to step 2.1.

3. Select a random integer $a \in \{1, 2, \ldots, q - 1\}$ and compute $y = \alpha^a \bmod p$.

4. A's public key is $(p, \alpha, y)$; A's private key is $a$.


11.122 Algorithm Chaum-van Antwerpen undeniable signature scheme

SUMMARY: A signs a message $m$ belonging to the subgroup of order $q$ in $\mathbb{Z}_p^*$. Any entity B can verify this signature with the cooperation of A.

1. Signature generation. Entity A should do the following:

(a) Compute $s = m^a \bmod p$.

(b) A's signature on message $m$ is $s$.

2. Verification. The protocol for B to verify A's signature $s$ on $m$ is the following:

(a) B obtains A's authentic public key $(p, \alpha, y)$.

(b) B selects random secret integers $x_1, x_2 \in \{1, 2, \ldots, q - 1\}$.

(c) B computes $z = s^{x_1} y^{x_2} \bmod p$ and sends $z$ to A.

(d) A computes $w = (z)^{a^{-1}} \bmod p$ (where $a a^{-1} \equiv 1 \pmod q$) and sends $w$ to B.

(e) B computes $w' = m^{x_1} \alpha^{x_2} \bmod p$ and accepts the signature if and only if $w = w'$.

Proof that signature verification works.

$w \equiv (z)^{a^{-1}} \equiv (s^{x_1} y^{x_2})^{a^{-1}} \equiv (m^{a x_1} \alpha^{a x_2})^{a^{-1}} \equiv m^{x_1} \alpha^{x_2} \equiv w' \pmod p$,

as required.

Fact  11.123  states  that,  with  high  probability,  an  adversary  is  unable  to  cause  B to  ac- 
cept a fraudulent  signature. 

11.123 Fact (detecting forgeries of undeniable signatures) Suppose that $s$ is a forgery of A's signature for a message $m$, i.e., $s \ne m^a \bmod p$, and that the adversary (who does not know $a$) answers B's challenge in step 2(d). Then the probability of B accepting the signature in Algorithm 11.122 is only $1/q$; this probability is independent of the adversary's computational resources.

11.124 Note (disavowing signatures) The signer A could attempt to disavow a (valid) signature constructed by Algorithm 11.122 in one of three ways:

(i) refuse to participate in the verification protocol of Algorithm 11.122;

(ii) perform the verification protocol incorrectly; or

(iii) claim a signature a forgery even though the verification protocol is successful.

Disavowing a signature by following (i) would be considered as an obvious attempt at (wrongful) repudiation. (ii) and (iii) are more difficult to guard against, and require a disavowal protocol (Protocol 11.125).

Protocol 11.125 essentially applies the verification protocol of Algorithm 11.122 twice and then performs a check to verify that A has performed the protocol correctly.


11.125 Protocol Disavowal protocol for Chaum-van Antwerpen undeniable signature scheme

SUMMARY: this protocol determines whether the signer A is attempting to disavow a valid signature $s$ using Algorithm 11.122, or whether the signature is a forgery.

1. B obtains A's authentic public key $(p, \alpha, y)$.

2. B selects random secret integers $x_1, x_2 \in \{1, 2, \ldots, q - 1\}$, computes $z = s^{x_1} y^{x_2} \bmod p$, and sends $z$ to A.

3. A computes $w = (z)^{a^{-1}} \bmod p$ (where $a a^{-1} \equiv 1 \pmod q$) and sends $w$ to B.

4. If $w = m^{x_1} \alpha^{x_2} \bmod p$, B accepts the signature $s$ and the protocol halts.

5. B selects random secret integers $x_1', x_2' \in \{1, 2, \ldots, q - 1\}$, computes $z' = s^{x_1'} y^{x_2'} \bmod p$, and sends $z'$ to A.

6. A computes $w' = (z')^{a^{-1}} \bmod p$ and sends $w'$ to B.

7. If $w' = m^{x_1'} \alpha^{x_2'} \bmod p$, B accepts the signature $s$ and the protocol halts.

8. B computes $c = (w \alpha^{-x_2})^{x_1'} \bmod p$ and $d = (w' \alpha^{-x_2'})^{x_1} \bmod p$. If $c = d$, then B concludes that $s$ is a forgery; otherwise, B concludes that the signature is valid and A is attempting to disavow the signature $s$.


Fact  11.126  states  that  Protocol  11.125  achieves  its  desired  objectives. 

11.126 Fact Let $m$ be a message and suppose that $s$ is A's (purported) signature on $m$.

(i) If $s$ is a forgery, i.e., $s \ne m^a \bmod p$, and if A and B follow Protocol 11.125 correctly, then $c = d$ (and hence, B's conclusion that $s$ is a forgery is correct).

(ii) Suppose that $s$ is indeed A's signature for $m$, i.e., $s = m^a \bmod p$. Suppose that B follows Protocol 11.125 correctly, but that A does not. Then the probability that $c = d$ (and hence A succeeds in disavowing the signature) is only $1/q$.
11.127 Note (security of undeniable signatures)

(i) The security of Algorithm 11.122 is dependent on the intractability of the discrete logarithm problem in the cyclic subgroup of order $q$ in $\mathbb{Z}_p^*$ (see §3.6.6).

(ii) Suppose verifier B records the messages exchanged in step 2 of Algorithm 11.122, and also the random values $x_1, x_2$ used in the protocol. A third party C should never accept this transcript from B as a verification of signature $s$. To see why this is the case, it suffices to show how B could contrive a successful transcript of step 2 of Algorithm 11.122 without the signer A's participation. B chooses a message $m$, integers $x_1, x_2$ and $l$ in the interval $[1, q - 1]$, and computes $s = ((m^{x_1} \alpha^{x_2})^{l} \, y^{-x_2})^{x_1^{-1}} \bmod p$, where $x_1^{-1}$ is the inverse of $x_1$ modulo $q$. The protocol message from B to A would be $z = s^{x_1} y^{x_2} \bmod p$, and from A to B would be $w = z^{l^{-1}} \bmod p$ (with $l^{-1}$ taken modulo $q$). Then $z = (m^{x_1} \alpha^{x_2})^{l}$ and $w = m^{x_1} \alpha^{x_2}$, so Algorithm 11.122 will accept $s$ as a valid signature of A for message $m$. This argument demonstrates that signatures can only be verified by interacting directly with the signer.
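The verification protocol of Algorithm 11.122, the disavowal protocol of Protocol 11.125 and the fabricated transcript of Note 11.127(ii), as one runnable Python module. This is an added example, not the Handbook's code. The group ($p = 2039$, $q = 1019$, $\alpha = 4$) is a constructed toy choice, the `fixed` parameter that lets a caller supply the challenge values is an addition for reproducibility, and the "cheating signer" strategy (answering with the correct $w$ times $\alpha$) is an arbitrary wrong answer chosen for the demonstration.

```python
"""Chaum-van Antwerpen undeniable signatures: signing and interactive verification
(Algorithm 11.122), the disavowal protocol (Protocol 11.125), and the fabricated
transcript of Note 11.127(ii) that shows transcripts are not transferable."""
import secrets

# Constructed toy group (assumption, not from the Handbook): p = 2q + 1 = 2039 with
# q = 1019, both prime; alpha = 2^2 generates the order-q subgroup of squares.
# A deployment would use a safe prime of at least 2048 bits.
P, Q = 2039, 1019
ALPHA = pow(2, 2, P)


def keygen(a=None):
    """Private a in [1, q-1], public y = alpha^a mod p."""
    a = a if a is not None else secrets.randbelow(Q - 1) + 1
    return a, pow(ALPHA, a, P)


def sign(m, a):
    """s = m^a mod p; m must lie in the order-q subgroup (a square mod p)."""
    return pow(m, a, P)


def honest_signer(a):
    """A's side of step 2(d): w = z^{a^{-1}} with a a^{-1} = 1 (mod q)."""
    a_inv = pow(a, -1, Q)
    return lambda z: pow(z, a_inv, P)


def cheating_signer(a):
    """A signer trying to disavow its own signature; the strategy (correct answer
    times alpha) is an arbitrary choice for the demo, any wrong answer will do."""
    a_inv = pow(a, -1, Q)
    return lambda z: pow(z, a_inv, P) * ALPHA % P


def _challenge(s, y, fixed):
    """B's step 2(b)-(c). `fixed` is an optional iterator of (x1, x2) pairs so that a
    run can be reproduced; by default the challenge is random."""
    if fixed is None:
        x1, x2 = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    else:
        x1, x2 = next(fixed)
    return x1, x2, pow(s, x1, P) * pow(y, x2, P) % P


def verify(m, s, y, respond, fixed=None):
    """Algorithm 11.122 step 2 from B's side; `respond` is A's z -> w."""
    x1, x2, z = _challenge(s, y, fixed)
    return respond(z) == pow(m, x1, P) * pow(ALPHA, x2, P) % P


def disavow(m, s, y, respond, fixed=None):
    """Protocol 11.125. Returns 'valid', 'forgery' (c == d) or 'disavowal'
    (signature valid but A answered incorrectly)."""
    x1, x2, z = _challenge(s, y, fixed)
    w = respond(z)
    if w == pow(m, x1, P) * pow(ALPHA, x2, P) % P:
        return "valid"
    x1p, x2p, zp = _challenge(s, y, fixed)
    wp = respond(zp)
    if wp == pow(m, x1p, P) * pow(ALPHA, x2p, P) % P:
        return "valid"
    c = pow(w * pow(ALPHA, -x2, P) % P, x1p, P)    # (w alpha^{-x2})^{x1'}
    d = pow(wp * pow(ALPHA, -x2p, P) % P, x1, P)   # (w' alpha^{-x2'})^{x1}
    return "forgery" if c == d else "disavowal"


def fabricate_transcript(m, y, fixed=None):
    """Note 11.127(ii): B alone builds (s, x1, x2, z, w) that passes the step-2 check
    for m, without A.  `fixed` may supply one (x1, x2, l) triple."""
    if fixed is None:
        x1, x2, l = (secrets.randbelow(Q - 1) + 1 for _ in range(3))
    else:
        x1, x2, l = next(fixed)
    t = pow(pow(m, x1, P) * pow(ALPHA, x2, P) % P, l, P)   # (m^{x1} alpha^{x2})^l
    s = pow(t * pow(y, -x2, P) % P, pow(x1, -1, Q), P)      # ((...)^l y^{-x2})^{x1^{-1}}
    z = pow(s, x1, P) * pow(y, x2, P) % P
    w = pow(z, pow(l, -1, Q), P)
    return s, x1, x2, z, w


def transcript_checks(m, y, s, x1, x2, z, w):
    """All a third party C could check offline; it passes for the fabricated one."""
    return (z == pow(s, x1, P) * pow(y, x2, P) % P
            and w == pow(m, x1, P) * pow(ALPHA, x2, P) % P)
```

Two things the code makes concrete. With an honest signer a forged $s$ never passes `verify`, because $w$ would have to satisfy $(s^{a^{-1}}/m)^{x_1} = 1$ with $x_1 \in [1, q-1]$; the $1/q$ of Fact 11.123 is the chance an adversary who must answer in A's place guesses the right $w$. And `transcript_checks` accepts the output of `fabricate_transcript`, so a recorded $(z, w, x_1, x_2)$ is worthless as evidence.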


11.8.3 Fail-stop signature schemes

Fail-stop digital signatures are digital signatures which permit an entity A to prove that a signature purportedly (but not actually) signed by A is a forgery. This is done by showing that the underlying assumption on which the signature mechanism is based has been compromised. The ability to prove a forgery does not rely on any cryptographic assumption, but may fail with some small probability; this failure probability is independent of the computing power of the forger. Fail-stop signature schemes have the advantage that even if a very powerful adversary can forge a single signature, the forgery can be detected and the signing mechanism no longer used. Hence, the term fail-then-stop is also appropriate. A fail-stop signature scheme should have the following properties:

1. If a signer signs a message according to the mechanism, then a verifier upon checking the signature should accept it.

2. A forger cannot construct signatures that pass the verification algorithm without doing an exponential amount of work.

3. If a forger succeeds in constructing a signature which passes the verification test then, with high probability, the true signer can produce a proof of forgery.

4. A signer cannot construct signatures which are at some later time claimed to be forgeries.

Algorithm 11.130 is an example of a fail-stop mechanism. As described, it is a one-time signature scheme, but there are ways to generalize it to allow multiple signings; using authentication trees is one possibility (see §11.6.3). The proof-of-forgery algorithm is presented in Algorithm 11.134.


11.128 Algorithm Key generation for Algorithm 11.130

SUMMARY: key generation is divided between entity A and a trusted third party (TTP).

1. The TTP should do the following:

(a) Select primes $p$ and $q$ such that $q$ divides $(p - 1)$ and the discrete logarithm problem in $\mathbb{Z}_p^*$ is intractable.

(b) (Select a generator $\alpha$ for the cyclic subgroup $G$ of $\mathbb{Z}_p^*$ having order $q$.)

(i) Select a random element $g \in \mathbb{Z}_p^*$ and compute $\alpha = g^{(p-1)/q} \bmod p$.

(ii) If $\alpha = 1$ then go to step (i).

(c) Select a random integer $a$, $1 \le a \le q - 1$, and compute $\beta = \alpha^a \bmod p$. The integer $a$ is kept secret by the TTP.

(d) Send $(p, q, \alpha, \beta)$ in the clear to entity A.

2. Entity A should do the following:

(a) Select random secret integers $x_1, x_2, y_1, y_2$ in the interval $[0, q - 1]$.

(b) Compute $\beta_1 = \alpha^{x_1} \beta^{x_2} \bmod p$ and $\beta_2 = \alpha^{y_1} \beta^{y_2} \bmod p$.

(c) A's public key is $(\beta_1, \beta_2, p, q, \alpha, \beta)$; A's private key is the quadruple $x = (x_1, x_2, y_1, y_2)$.


11.129 Note (TTP's secret information) Assuming that the discrete logarithm problem in the subgroup of order $q$ in $\mathbb{Z}_p^*$ is intractable in Algorithm 11.128, the only entity which knows $a$, the discrete logarithm of $\beta$ to the base $\alpha$, is the TTP.


11.130 Algorithm Fail-stop signature scheme (van Heijst-Pedersen)

SUMMARY: this is a one-time digital signature scheme whose security is based on the discrete logarithm problem in the subgroup of order $q$ in $\mathbb{Z}_p^*$.

1. Signature generation. To sign a message $m \in [0, q - 1]$, A should do the following:

(a) Compute $s_{1,m} = x_1 + m y_1 \bmod q$ and $s_{2,m} = x_2 + m y_2 \bmod q$.

(b) A's signature for $m$ is $(s_{1,m}, s_{2,m})$.

2. Verification. To verify A's signature $(s_{1,m}, s_{2,m})$ on $m$, B should do the following:

(a) Obtain A's authentic public key $(\beta_1, \beta_2, p, q, \alpha, \beta)$.

(b) Compute $v_1 = \beta_1 \beta_2^m \bmod p$ and $v_2 = \alpha^{s_{1,m}} \beta^{s_{2,m}} \bmod p$.

(c) Accept the signature if and only if $v_1 = v_2$.

Proof that signature verification works.

$v_1 = \beta_1 \beta_2^m = (\alpha^{x_1} \beta^{x_2})(\alpha^{y_1} \beta^{y_2})^m = \alpha^{x_1 + m y_1} \beta^{x_2 + m y_2} = \alpha^{s_{1,m}} \beta^{s_{2,m}} = v_2 \pmod p$.

Algorithm 11.130 is a one-time signature scheme since A's private key $x$ can be computed if two messages are signed using $x$. Before describing the algorithm for proof of forgery (Algorithm 11.134), a number of facts are needed. These are given in Fact 11.131 and illustrated in Example 11.132.

11.131 Fact (number of distinct quadruples representing a public key and a signature) Suppose that A's public key in Algorithm 11.130 is $(\beta_1, \beta_2, p, q, \alpha, \beta)$ and private key is the quadruple $x = (x_1, x_2, y_1, y_2)$.

(i) There are exactly $q^2$ quadruples $x' = (x_1', x_2', y_1', y_2')$ with $x_1', x_2', y_1', y_2' \in \mathbb{Z}_q$ which yield the same portion $(\beta_1, \beta_2)$ of the public key.

(ii) Let $T$ be the set of $q^2$ quadruples which yield the same portion of the public key $(\beta_1, \beta_2)$. For each $m \in \mathbb{Z}_q$, there are exactly $q$ quadruples in $T$ which give the same signature $(s_{1,m}, s_{2,m})$ for $m$ (where a signature is as described in Algorithm 11.130). Hence, the $q^2$ quadruples in $T$ give exactly $q$ different signatures for $m$.

(iii) Let $m' \in \mathbb{Z}_q$ be a message different from $m$. Then the $q$ quadruples in $T$ which yield A's signature $(s_{1,m}, s_{2,m})$ for $m$, yield $q$ different signatures for $m'$.
11.132 Example (illustration of Fact 11.131) Let $p = 29$ and $q = 7$. $\alpha = 16$ is a generator of the subgroup of order $q$ in $\mathbb{Z}_{29}^*$. Take $\beta = \alpha^5 \bmod 29 = 23$. Suppose A's private key is $x = (2, 3, 5, 2)$; A's public key is $\beta_1 = \alpha^2 \beta^3 \bmod 29 = 7$, $\beta_2 = \alpha^5 \beta^2 \bmod 29 = 16$. The following table lists the $q^2 = 49$ quadruples which give the same public key (each entry is the quadruple $(x_1, x_2, y_1, y_2)$ written as four digits; e.g., 1603 denotes $(1, 6, 0, 3)$).


1603  2303  3003  4403  5103  6503  0203
1610  2310  3010  4410  5110  6510  0210
1624  2324  3024  4424  5124  6524  0224
1631  2331  3031  4431  5131  6531  0231
1645  2345  3045  4445  5145  6545  0245
1652  2352  3052  4452  5152  6552  0252
1666  2366  3066  4466  5166  6566  0266

If the 49 quadruples of this table are used to sign the message $m = 1$, exactly $q = 7$ signature pairs $(s_{1,m}, s_{2,m})$ arise. The next table lists the possibilities and those quadruples which generate each signature.

signature pair   quadruples
(2,6)            1610  2303  3066  4452  5145  6531  0224
(3,3)            1624  2310  3003  4466  5152  6545  0231
(4,0)            1631  2324  3010  4403  5166  6552  0245
(5,4)            1645  2331  3024  4410  5103  6566  0252
(6,1)            1652  2345  3031  4424  5110  6503  0266
(0,5)            1666  2352  3045  4431  5124  6510  0203
(1,2)            1603  2366  3052  4445  5131  6524  0210

The next table lists, for each message $m' \in \mathbb{Z}_7$, all signature pairs for the 7 quadruples which yield A's signature $(0, 5)$ for $m = 1$ (each entry gives the pair $(s_{1,m'}, s_{2,m'})$ as two digits).

quadruple   m' = 0    1     2     3     4     5     6
1666        16        05    64    53    42    31    20
2352        23        05    50    32    14    66    41
3045        30        05    43    11    56    24    62
4431        44        05    36    60    21    52    13
5124        51        05    22    46    63    10    34
6510        65        05    15    25    35    45    55
0203        02        05    01    04    00    03    06

□

11.133 Note (probability of successful forgery in Algorithm 11.130) Suppose that an adversary (the forger) wishes to derive A's signature on some message $m'$. There are two possibilities to consider.

(i) The forger has access only to the signer's public key (i.e., the forger is not in possession of a message and valid signature). By Fact 11.131(ii), the probability that the signature created by the adversary is the same as A's signature for $m'$ is only $q/q^2 = 1/q$; this probability is independent of the adversary's computational resources.

(ii) The forger has access to a message $m$ and a signature $(s_{1,m}, s_{2,m})$ created by the signer. By Fact 11.131(iii), the probability that the signature created by the adversary is the same as A's signature for $m'$ is only $1/q$; again, this probability is independent of the adversary's computational resources.
Suppose now that an adversary has forged A's signature on a message, and the signature passed the verification stage in Algorithm 11.130. The objective is that A should be able to prove that this signature is a forgery. The following algorithm shows how A can, with high probability, use the forged signature to derive the secret $a$. Since $a$ was supposed to have been known only to the TTP (Note 11.129), it serves as proof of forgery.


11.134 Algorithm Proof-of-forgery algorithm for Algorithm 11.130

SUMMARY: to prove that a signature $s' = (s'_{1,m}, s'_{2,m})$ on a message $m$ is a forgery, the signer derives the integer $a = \log_\alpha \beta$ which serves as proof of forgery.

The signer (entity A) should do the following:

1. Compute a signature pair $s = (s_{1,m}, s_{2,m})$ for message $m$ using its private key $x$ (see Algorithm 11.128).

2. If $s = s'$ return to step 1. (Signing is deterministic, so this is the $1/q$ case in which the forgery coincides with A's own signature and no proof of forgery is obtained.)

3. Compute $a = (s_{1,m} - s'_{1,m}) \cdot (s'_{2,m} - s_{2,m})^{-1} \bmod q$.


Proof that Algorithm 11.134 works. By Fact 11.131(iii), the probability that $s = s'$ in step 1 of Algorithm 11.134 is $1/q$. From the verification algorithm (Algorithm 11.130),

$\alpha^{s_{1,m}} \beta^{s_{2,m}} \equiv \alpha^{s'_{1,m}} \beta^{s'_{2,m}} \pmod p$, or $\alpha^{s_{1,m} - s'_{1,m}} \equiv \alpha^{a (s'_{2,m} - s_{2,m})} \pmod p$, or $s_{1,m} - s'_{1,m} \equiv a (s'_{2,m} - s_{2,m}) \pmod q$.

Hence, $a = (s_{1,m} - s'_{1,m}) \cdot (s'_{2,m} - s_{2,m})^{-1} \bmod q$.


11.135 Remark (disavowing signatures) In order for a signer to disavow a signature that it created with Algorithm 11.130, an efficient method for computing logarithms is required.
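Algorithm 11.130, the counting of Fact 11.131 (done here by brute force over $\mathbb{Z}_q^4$ instead of the algebraic argument), Algorithm 11.134 and the one-time property noted after Algorithm 11.130, run on the parameters of Example 11.132. This is an added example, not the Handbook's code; the TTP's secret $a = 5$ appears in the block only so that the proof-of-forgery output can be checked against it.

```python
"""van Heijst-Pedersen fail-stop signatures on the parameters of Example 11.132:
signing/verification (Algorithm 11.130), the key-equivalence counting of Fact 11.131
by brute force, proof of forgery (Algorithm 11.134) and the one-time property."""
from itertools import product

# Parameters of Example 11.132: p = 29, q = 7, alpha = 16 of order 7, beta = alpha^5 = 23.
# The TTP's secret a = 5 is written down here only to show what a proof of forgery recovers.
P, Q, ALPHA = 29, 7, 16
TTP_SECRET_A = 5
BETA = pow(ALPHA, TTP_SECRET_A, P)


def public_key(x):
    """(beta1, beta2) = (alpha^{x1} beta^{x2}, alpha^{y1} beta^{y2}) mod p."""
    x1, x2, y1, y2 = x
    return (pow(ALPHA, x1, P) * pow(BETA, x2, P) % P,
            pow(ALPHA, y1, P) * pow(BETA, y2, P) % P)


def sign(m, x):
    """(s1, s2) = (x1 + m y1, x2 + m y2) mod q."""
    x1, x2, y1, y2 = x
    return (x1 + m * y1) % Q, (x2 + m * y2) % Q


def verify(m, sig, pub):
    beta1, beta2 = pub
    s1, s2 = sig
    v1 = beta1 * pow(beta2, m, P) % P
    v2 = pow(ALPHA, s1, P) * pow(BETA, s2, P) % P
    return v1 == v2


def equivalent_keys(pub):
    """Fact 11.131(i): all quadruples over Z_q with the same (beta1, beta2).
    Brute force over q^4 = 2401 candidates is fine at this size; the point is that
    q^2 of them exist, so the public key does not pin down the signer's x."""
    return [x for x in product(range(Q), repeat=4) if public_key(x) == pub]


def signatures_for(m, keys):
    """Fact 11.131(ii): the distinct signatures the equivalent keys produce for m."""
    return {sign(m, x) for x in keys}


def proof_of_forgery(sig, forged):
    """Algorithm 11.134: from the signer's own (s1, s2) and a verifying forgery
    (s1', s2') on the same m, recover a = log_alpha(beta).  Returns None in the 1/q
    case where the forgery equals the genuine signature and nothing can be proved."""
    (s1, s2), (t1, t2) = sig, forged
    if (s1, s2) == (t1, t2):
        return None
    return (s1 - t1) * pow(t2 - s2, -1, Q) % Q


def recover_private_key(m, sig, m2, sig2):
    """Why the scheme is one-time: signatures on two different messages reveal x."""
    (s1, s2), (t1, t2) = sig, sig2
    inv = pow(m2 - m, -1, Q)
    y1 = (t1 - s1) * inv % Q
    y2 = (t2 - s2) * inv % Q
    return (s1 - m * y1) % Q, (s2 - m * y2) % Q, y1, y2
```

Every one of the seven signature pairs for $m = 1$ verifies under the public key $(7, 16)$, so a forger who produces, say, $(2, 6)$ has a signature the verifier accepts; `proof_of_forgery((0, 5), (2, 6))` then returns $5$, the TTP's discrete logarithm, which is the evidence a court can check against the TTP.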


11.9  Notes  and  further  references 

§11.1

The concept of a digital signature was introduced in 1976 by Diffie and Hellman [344, 345]. Although the idea of a digital signature was clearly articulated, no practical realization emerged until the 1978 paper by Rivest, Shamir, and Adleman [1060]. Digital signatures appear to have been independently discovered by Merkle [849, 850] but not published until 1978. One of Merkle's contributions is discussed in §11.6.2. Other early research was due to Lamport [738], Rabin [1022, 1023], and Matyas [801].

A detailed survey on digital signatures is given by Mitchell, Piper, and Wild [882]. A thorough discussion of a selected subset of topics in the area is provided by Stinson [1178]. Other sources which provide a good overview are Meyer and Matyas [859], Goldwasser, Micali, and Rivest [484], Rivest [1054], and Schneier [1094].

§11.2

The original proposal for a digital signature scheme by Diffie and Hellman [344] considered only digital signatures with message recovery. The first discussion of digital signature schemes with appendix (although the term was not used per se) appears to be in the patent by Merkle and Hellman [553]. Davies and Price [308] and Denning [326] give brief introductions to digital signatures but restrict the discussion to digital signature schemes with message recovery and one-time digital signature schemes. Mitchell, Piper, and Wild [882] and Stinson [1178] give abstract definitions of digital signature schemes somewhat less general than those given in §11.2.
Excellent discussions on attacks against signature schemes are provided by Goldwasser, Micali, and Rivest [484] and Rivest [1054]. The former refers to the discovery of a functionally equivalent signing algorithm as universal forgery, and separates chosen-message attacks into generic chosen-message attacks and directed chosen-message attacks.

Many  proposed  digital  signature  schemes  have  been  shown  to  be  insecure.  Among  the  most 
prominent  of  these  are  the  Merkle-Hellman  knapsack  scheme  proposed  by  Merkle  and  Hell- 
man  [857],  shown  to  be  totally  breakable  by  Shamir  [1114];  the  Shamir  fast  signature  sch- 
eme [1109],  shown  to  be  totally  breakable  by  Odlyzko  [939];  and  the  Ong-Schnorr-Shamir 
(OSS)  scheme  [958],  shown  to  be  totally  breakable  by  Pollard  (see  Pollard  and  Schnorr 
[988]).  Naccache  [914]  proposed  a modification  of  the  Ong-Schnorr-Shamir  scheme  to 
avoid  the  earlier  attacks. 

The  RSA  signature  scheme  (Algorithm  11.19),  discovered  by  Rivest,  Shamir,  and  Adleman 
[1060],  was  the  first  practical  signature  scheme  based  on  public-key  techniques. 

The multiplicative property of RSA (§11.3.2(ii)) was first exploited by Davida [302]. Denning [327] reports and expands on Davida's attack and credits Moore with a simplification. Gordon [515] uses the multiplicative property of RSA to show how to create public-key parameters and associated (forged) certificates if the signing authority does not take adequate precautions. The existential attack on RSA signatures having certain types of redundancy (Example 11.21) is due to de Jonge and Chaum [313]. Evertse and van Heijst [381] consider other types of attacks on RSA signatures which also rely on the multiplicative property.

The reblocking problem (§11.3.3(i)) is discussed by Davies and Price [308], who attribute the method of prescribing the form of the modulus to Guillou. An alternate way of constructing a modulus $n = pq$ whose binary representation is a 1 in the high-order position followed by $k$ 0's ($t$ even; the resulting $n$ has $t + 1$ bits, as the example shows) is the following. Construct an integer $u = 2^t + w 2^{t/2}$ for some randomly selected $(t/2 - k)$-bit integer $w$. Select a $(t/2)$-bit prime $p$, and divide $p$ into $u$ to get a quotient $q$ and a remainder $r$ (i.e., $u = pq + r$). If $q$ is a prime number, then $n = pq$ is an RSA modulus of the required type. For example, if $t = 14$ and $k = 3$, let $u = 2^{14} + w 2^{7}$ where $w = 11$. If $p = 89$, then $q = 199$ and $n = pq = 17711$. The binary representation of $n$ is 100010100101111.
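The recipe above as runnable Python, reproducing the $t = 14$, $k = 3$ example and then generating a larger modulus of the same shape. This is an added example, not from the Handbook or Davies and Price; the Miller-Rabin test and the retry loop (fresh $w$ and $p$ until the quotient is prime) are this example's own additions, since the note only describes a single trial. Keeping $w \ge 1$ is what guarantees $n > 2^t$, so the leading bit pattern comes out as required.

```python
"""Constructing an RSA modulus whose binary expansion starts with a 1 followed by k
zeros, by the u = 2^t + w 2^{t/2} recipe in the note above.  Added example; the
primality test and the retry loop are this example's own, the note gives one trial."""
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with trial division; adequate for a demo, use a vetted library
    for real key generation."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def modulus_from(t, w, p):
    """One trial of the recipe: u = 2^t + w 2^{t/2}, q = floor(u / p).
    Returns (q, n = pq) when q is prime, else None."""
    u = (1 << t) + (w << (t // 2))
    q = u // p
    return (q, p * q) if is_probable_prime(q) else None


def find_modulus(t, k):
    """Retry with fresh w in [1, 2^{t/2-k}) and fresh (t/2)-bit primes p until q is
    prime.  w >= 1 keeps n above 2^t, so n has t + 1 bits with bits t-1..t-k clear."""
    half = t // 2
    while True:
        w = secrets.randbelow((1 << (half - k)) - 1) + 1
        p = secrets.randbits(half) | (1 << (half - 1)) | 1   # top bit set, odd
        if not is_probable_prime(p):
            continue
        trial = modulus_from(t, w, p)
        if trial is not None:
            q, n = trial
            return p, q, n


def leading_pattern_ok(n, t, k):
    """The property the construction is for: bit t set, the next k bits clear."""
    return n.bit_length() == t + 1 and bin(n)[2:].startswith("1" + "0" * k)
```

`find_modulus(64, 8)` returns in well under a second; the quotient $q$ is prime on roughly one trial in $\ln(2^{32})$, and each trial is one division plus one primality test.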

The  Rabin  public-key  signature  scheme  (Algorithm  11.25)  is  due  to  Rabin  [1023].  Verifica- 
tion of  signatures  using  the  Rabin  scheme  is  efficient  since  only  one  modular  multiplication 
is  required  (cf.  Note  11.33).  Beller  and  Yacobi  [101]  take  advantage  of  this  aspect  in  their 
authenticated  key  transport  protocol  (see  §12.5.3). 

The modified-Rabin signature scheme (Algorithm 11.30) is derived from the RSA variant proposed by Williams [1246] (see also page 315). The purpose of the modification is to provide a deterministic procedure for signing. A similar methodology is incorporated in ISO/IEC 9796 (§11.3.5). The modified scheme can be generalized to other even public exponents besides $e = 2$. If $\gcd(e, (p - 1)(q - 1)/4) = 1$, then exponentiation by $e$ is a permutation of $Q_n$.

ISO/IEC 9796 [596] became an international standard in October of 1991. This standard provides examples based on both the RSA and Rabin digital signature mechanisms. Although the standard permits the use of any digital signature scheme with message recovery which provides a $t$-bit signature for a $\lfloor t/2 \rfloor$-bit message, the design was specifically tailored for the RSA and Rabin mechanisms. For design motivation, see Guillou et al. [525]. At the time of publication of ISO/IEC 9796, no other digital signature schemes providing message recovery were known, but since then several have been found; see Koyama et al. [708].
ISO/IEC 9796 is effective for signing messages which do not exceed a length determined by the signature process. Quisquater [1015] proposed a method for extending the utility of ISO/IEC 9796 to longer messages. Briefly, the modified scheme is as follows. Select a one-way hash function $h$ which maps bitstrings of arbitrary length to $k$-bitstrings. If the signing capability of ISO/IEC 9796 is $t$ bits and $m$ is an $n$-bit message where $n > t$, then $m$ is partitioned into two bitstrings $m_c$ and $m_s$, where $m_c$ is $(n - t + k)$ bits long. Compute $d = h(m)$ and form $m' = m_s \| d$; $m'$ is a string of bitlength $t$. Sign $m'$ using ISO/IEC 9796 to get $J$. The signature on message $m$ is $m_c \| J$. This provides a randomized digital signature mechanism with message recovery, where the hash function provides the randomization.

§11.3.6 is from PKCS #1 [1072]. This document describes formatting for both encryption and digital signatures but only those details pertinent to digital signatures are mentioned here. The specification does not include message recovery as ISO/IEC 9796 does. It also does not specify the size of the primes, how they should be generated, nor the size of public and private keys. It is suggested that $e = 3$ or $e = 2^{16} + 1$ are widely used. The only attacks mentioned in PKCS #1 (which the formatting attempts to prevent) are those by den Boer and Bosselaers [324], and Desmedt and Odlyzko [341].

§11.4 

The  Feige-Fiat-Shamir  digital  signature  scheme  (Algorithm  11.40),  proposed  by  Feige, 
Fiat,  and  Shamir  [383],  is  a minor  improvement  of  the  Fiat-Shamir  signature  scheme  [395], 
requiring  less  computation  and  providing  a smaller  signature.  Fiat  and  Shamir  [395]  prove 
that  their  scheme  is  secure  against  existential  forgery  provided  that  factoring  is  intractable 
and  that  h is  a truly  random  function.  Feige,  Fiat,  and  Shamir  [383]  prove  that  their  modi- 
fication has  the  same  property. 

Note 11.44 was suggested by Fiat and Shamir [395]. Note 11.45 is due to Micali and Shamir [868], who suggest that only the modulus $n_A$ of entity A needs to be public if $v_1, v_2, \ldots, v_k$ are system-wide parameters. Since all entities have distinct moduli, it is unlikely that $v_j \in Q_n$, $1 \le j \le k$, for many different values of $n$. To overcome this problem, Micali and Shamir claim that some perturbation of $k$ public values is possible to ensure that the resulting values are quadratic residues with respect to a particular modulus, but do not specify any method which provides the necessary perturbation.

The  GQ  signature  scheme  (Algorithm  11.48)  is  due  to  Guillou  and  Quisquater  [524]. 

§11.5 

The DSA (Algorithm 11.56) is due to Kravitz [711] and was proposed as a Federal Information
Processing Standard in August of 1991 by the U.S. National Institute for Science and
Technology. It became the Digital Signature Standard (DSS) in May 1994, as specified in
FIPS 186 [406]. Smid and Branstad [1157] comment that the DSA was selected based on
a number of important factors: the level of security provided, the applicability of patents,
the ease of export from the U.S., the impact on national security and law enforcement, and
the efficiency in a number of government and commercial applications. They provide a
comparison of the computational efficiencies of DSA and RSA and address a number of
negative responses received during the FIPS public comment period.

Naccache et al. [916] describe a number of techniques for improving the efficiency of the
DSA. For example, the computation of k^{-1} mod q in step 1c of Algorithm 11.56 can be
replaced by the random generation of an integer b, the computation of u = bk mod q and s =
b · {h(m) + ar} mod q. The signature is (r, s, u). The verifier computes u^{-1} mod q and
u^{-1} · s mod q = s (the s of Algorithm 11.56). Verification of the signature (r, s) now
proceeds as in Algorithm 11.56. This variant might be useful for signature generation in
chipcard applications where computing power is limited. Naccache et al. also propose the
idea of use and throw coupons which eliminate the need to compute r = (α^k mod p) mod q.
Since this exponentiation is the most computationally intensive portion of DSA signature
generation, use and throw coupons greatly improve efficiency. Coupons require storage, and
only one signature can be created for each coupon. If storage is limited (as is often the
case), only a fixed number of DSA signatures can be created with this method.
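To make the Naccache et al. variant concrete, here is an added toy implementation (not from the Handbook) of DSA signing both ways, with the verifier recovering the ordinary pair (r, s) from (r, s, u) before running the usual check. The domain parameters p = 47, q = 23, α = 4 and the SHA-256-mod-q hash are constructed assumptions, far too small for real use.

```python
"""Added toy example: DSA signing with and without the signer-side inverse.

P, Q, G and h() are constructed assumptions for this example only.
"""
import hashlib
import secrets

# Toy DSA domain parameters: P prime, Q prime with Q | P - 1, G of order Q.
# P = 2Q + 1 = 47 and G = 2^2 mod 47 = 4 (a quadratic residue, so order 23).
P, Q, G = 47, 23, 4


def h(m: bytes) -> int:
    """Message digest reduced mod Q (stand-in for the SHA-1 value DSA uses)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q


def keygen() -> tuple[int, int]:
    """Private key a in [1, Q-1] and public key y = G^a mod P."""
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(G, a, P)


def _pick(k):
    """Use the caller's k (for tests) or draw a fresh per-signature k."""
    return k if k is not None else secrets.randbelow(Q - 1) + 1


def sign_standard(a: int, m: bytes, k=None) -> tuple[int, int]:
    """Algorithm 11.56: the signer itself computes k^{-1} mod Q."""
    while True:
        kk = _pick(k)
        r = pow(G, kk, P) % Q
        s = pow(kk, -1, Q) * (h(m) + a * r) % Q
        if r and s:                   # r = 0 or s = 0 must be re-signed
            return r, s
        if k is not None:             # caller fixed a degenerate k: report it
            raise ValueError("degenerate k for this message")


def sign_variant(a: int, m: bytes, k=None) -> tuple[int, int, int]:
    """Naccache et al.: no modular inversion at the signer.

    A random b hides k: u = b*k mod Q and s' = b*(h(m) + a*r) mod Q.
    The triple (r, s', u) is sent; the verifier performs the inversion.
    """
    while True:
        kk = _pick(k)
        b = secrets.randbelow(Q - 1) + 1
        r = pow(G, kk, P) % Q
        u = b * kk % Q                # never 0: b, kk in [1, Q-1], Q prime
        s_blind = b * (h(m) + a * r) % Q
        if r and s_blind:
            return r, s_blind, u
        if k is not None:
            raise ValueError("degenerate k for this message")


def unblind(r: int, s_blind: int, u: int) -> tuple[int, int]:
    """Verifier side: u^{-1}*s' = (bk)^{-1}*b*(h(m)+ar) = k^{-1}(h(m)+ar)."""
    return r, pow(u, -1, Q) * s_blind % Q


def verify(y: int, m: bytes, sig: tuple[int, int]) -> bool:
    """Algorithm 11.56 verification of an ordinary DSA pair (r, s)."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = w * h(m) % Q
    u2 = r * w % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r


if __name__ == "__main__":
    a, y = keygen()
    msg = b"constructed sample message"
    print(verify(y, msg, sign_standard(a, msg)))            # True
    print(verify(y, msg, unblind(*sign_variant(a, msg))))   # True
```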

Beguin and Quisquater [82] show how to use an insecure server to aid in computations
associated with DSA signature generation and verification. The method accelerates the
computation of modular multiplication and exponentiation by using an untrusted auxiliary device
to provide the majority of the computing. As such, it also applies to schemes other than
DSA. Arazi [54] shows how to integrate a Diffie-Hellman key exchange into the DSA.

The ElGamal digital signature scheme (Algorithm 11.64) was proposed in 1984 by ElGamal
[368]. ElGamal [368], Mitchell, Piper, and Wild [882], and Stinson [1178] comment further
on its security.

Note 11.66(iv) is due to Bleichenbacher [153], as is Note 11.67(iii), which is a special case
of the following more general result. Suppose p is a prime, α is a generator of Z_p^*, and y
is the public key of entity A for an instance of the ElGamal signature scheme. Suppose
p − 1 = bq and logarithms in the subgroup of order b in Z_p^* can be efficiently computed.
Finally, suppose that a generator β = cq for some c, 0 < c < b, and an integer t are known
such that β^t ≡ α (mod p). For message m, the pair (r, s) with r = β and s = t · {h(m) −
cqz} mod (p − 1), where z satisfies α^{qz} ≡ y^q (mod p), is a signature for message m which
will be accepted by Algorithm 11.64. Bleichenbacher also describes how a trapdoor could
be constructed for the ElGamal signature scheme when system-wide parameters p and α
are selected by a fraudulent trusted third party.

Variations of the ElGamal signing equation described in §11.5.2 were proposed by ElGamal
[366], Agnew, Mullin, and Vanstone [19], Kravitz [711], Schnorr [1098], and Yen and Laih
[1259]. Nyberg and Rueppel [938] and, independently, Horster and Petersen [564], placed
these variations in a much more general framework and compared their various properties.

ElGamal signatures based on elliptic curves over finite fields were first proposed by Koblitz
[695] and independently by Miller [878] in 1985. A variation of the DSA based on elliptic
curves and referred to as the ECDSA is currently being drafted for an IEEE standard.

The Schnorr signature scheme (Algorithm 11.78), due to Schnorr [1098], is derived from
an identification protocol given in the same paper (see §10.4.4). Schnorr proposed a
preprocessing method to improve the efficiency of the signature generation in Algorithm 11.78.
Instead of generating a random integer k and computing α^k mod p for each signature, a
small number of integers k_i and α^{k_i} mod p, 1 ≤ i ≤ t, are precomputed and stored, and
subsequently combined and refreshed for each signature. De Rooij [315] showed that this
preprocessing is insecure if t is small.

Brickell and McCurley [207] proposed a variant of the Schnorr scheme. Their method uses
a prime p such that p − 1 is hard to factor, a prime divisor q of p − 1, and an element α of order
q in Z_p^*. The signing equation is s = ae + k mod (p − 1) as opposed to the Schnorr equation
s = ae + k mod q. While computationally less efficient than Schnorr's, this variant has the
advantage that its security is based on the difficulty of two hard problems: (i) computing
logarithms in the cyclic subgroup of order q in Z_p^*; and (ii) factoring p − 1. If either of these
problems is hard, then the problem of computing logarithms in Z_p^* is also hard.

Okamoto [949] describes a variant of the Schnorr scheme which he proves to be secure,
provided that the discrete logarithm problem in Z_p^* is intractable and that correlation-free
hash functions exist (no instance of a correlation-free hash function is yet known).
Signature generation and verification are not significantly more computationally intensive than
in the Schnorr scheme; however, the public key is larger.

The Nyberg-Rueppel scheme (Algorithm 11.81) is due to Nyberg and Rueppel [936]. For
an extensive treatment including variants, see Nyberg and Rueppel [938]. They note that
unlike RSA, this signature scheme cannot be used for encryption since the signing
transformation S has a left inverse, namely, the verification transformation V, but S is not the
left inverse of V; in other words, V(S(m)) = m for all m ∈ Z_p, but S(V(m)) ≠ m for
most m ∈ Z_p. The second paper also defines the notion of strong equivalence between
signature schemes (two signature schemes are called strongly equivalent if the signature
on a message m in one scheme can be transformed into the corresponding signature in the
other scheme, without knowledge of the private key), and discusses how to modify DSA to
provide message recovery.

Some digital signature schemes make it easy to conceal information in the signature which
can only be recovered by entities privy to the concealment method. Information
communicated this way is said to be subliminal and the conveying mechanism is called a subliminal
channel. Among the papers on this subject are those of Simmons [1139, 1140, 1147, 1149].
Simmons [1139] shows that if a signature requires l_1 bits to convey and provides l_2 bits of
security, then l_1 − l_2 bits are available for the subliminal channel. This does not imply that
all l_1 − l_2 bits can, in fact, be used by the channel; this depends on the signature mechanism.
If a large proportion of these bits are available, the subliminal channel is said to be
broadband; otherwise, it is narrowband. Simmons [1149] points out that ElGamal-like signature
schemes provide a broadband subliminal channel. For example, if the signing equation is
s = k^{-1} · {h(m) − ar} mod (p − 1) where a is the private key known to both the signer
and the recipient of the signature, then k can be used to carry the subliminal message. This
has the disadvantage that the signer must provide the recipient with the private key, allowing
the recipient to sign messages that will be accepted as having originated with the signer.
Simmons [1147] describes narrowband channels for the DSA.

Rabin [1022] proposed the first one-time signature scheme (Algorithm 11.86) in 1978.
Lamport [738] proposed a similar mechanism, popularized by Diffie and Hellman [347],
which does not require interaction with the signer for verification. Diffie suggested the use
of a one-way hash function to improve the efficiency of the method. For this reason, the
mechanism is often referred to as the Diffie-Lamport scheme. Lamport [738] also describes
a more efficient method for one-time digital signatures, which was rediscovered by Bos
and Chaum [172]. Bos and Chaum provide more substantial modifications which lead to a
scheme that can be proven to be existentially unforgeable under adaptive chosen-message
attack, provided RSA is secure.

Merkle's one-time signature scheme (Algorithm 11.92) is due to Merkle [853]; see also
§15.2.3(vi). The modification described in Note 11.95 is attributed by Merkle [853] to
Winternitz. Bleichenbacher and Maurer [155] generalize the methods of Lamport, Merkle, and
Winternitz through directed acyclic graphs and one-way functions.

Authentication trees were introduced by Merkle [850, 852, 853] at the time when public-
key cryptography was in its infancy. Since public-key cryptography and, in particular,
digital signatures had not yet been carefully scrutinized, it seemed prudent to devise alternate
methods for providing authentication over insecure channels. Merkle [853] suggests that
authentication trees provide as much versatility as public-key techniques and can be quite
practical. An authentication tree, constructed by a single user to authenticate a large
number of public values, requires the user to either regenerate the authentication path values
at the time of use or to store all authentication paths and values in advance. Merkle [853]
describes a method to minimize the storage requirements if public values are used in a
prescribed order.

The GMR scheme (Algorithm 11.102) is due to Goldwasser, Micali, and Rivest [484], who
introduced the notion of a claw-free pair of permutations, and described the construction of
a claw-free pair of permutations (Example 11.99) based on the integer factorization
problem. Combining the one-time signature scheme with tree authentication gives a digital
signature mechanism which Goldwasser, Micali and Rivest prove existentially unforgeable
under an adaptive chosen-message attack. In order to make their scheme more practical, the
tree authentication structure is constructed in such a way that the system must retain some
information about preceding signatures (i.e., memory history is required). Goldreich [465]
suggested modifications to both the general scheme and the example based on integer
factorization (Example 11.99), removing the memory constraint and, in the latter, improving
the efficiency of the signing procedure. Bellare and Micali [92] generalized the GMR
scheme by replacing the claw-free pair of permutations by any trapdoor one-way permutation
(the latter requiring a weaker cryptographic assumption). Naor and Yung [920] further
generalized the scheme by requiring only the existence of a one-way permutation. The most
general result is due to Rompel [1068], who proved that digital signature schemes which
are secure against an adaptive chosen-message attack exist if and only if one-way functions
exist. Although attractive in theory (due to the fact that secure digital signatures can be
reduced to the study of a single structure), none of these methods seem to provide techniques
as efficient as RSA and other methods which, although their security has yet to be proven
rigorously, have withstood all attacks to date.

On-line/off-line digital signatures (see also §15.2.3(ix)) were introduced by Even, Goldreich,
and Micali [377, 378] as a means to speed up the signing process in applications where
computing resources are limited and time to sign is critical (e.g., chipcard applications). The
method uses both one-time digital signatures and digital signatures arising from public-key
techniques (e.g., RSA, Rabin, DSA). The off-line portion of the signature generation is to
create a set of validation parameters for a one-time signature scheme such as the Merkle
scheme (Algorithm 11.92), and to hash this set and sign the resulting hash value using a public-
key signature scheme. Since the public-key signature scheme is computationally more
intensive, it is done off-line. The off-line computations are independent of the message to be
signed. The on-line portion is to sign the message using the one-time signature scheme and
the validation parameters which were constructed off-line; this part of the signature process
is very efficient. Signatures are much longer than would be the case if only the public-key
signature mechanism were used to sign the message directly and, consequently, bandwidth
requirements are a disadvantage of this procedure.

The arbitrated digital signature scheme of Algorithm 11.109 is from Davies and Price [308],
based on work by Needham and Schroeder [923].

ESIGN (Algorithm 11.113; see also §15.2.2(i)), proposed by Okamoto and Shiraishi [953],
was motivated by the signature mechanism OSS devised earlier by Ong, Schnorr, and
Shamir [958]. The OSS scheme was shown to be insecure by Pollard in a private
communication. Ong, Schnorr, and Shamir [958] modified their original scheme but this too was
shown insecure by Estes et al. [374]. ESIGN bases its security on the integer factorization
problem and the problem of solving polynomial inequalities. The original version [953]
proposed k = 2 as the appropriate value for the public key. Brickell and DeLaurentis [202]
demonstrated that this choice was insecure. Their attack also extends to the case k = 3;
see Brickell and Odlyzko [209, p.516]. Okamoto [948] revised the method by requiring
k ≥ 4. No weaknesses for these values of k have been reported in the literature. Fujioka,
Okamoto, and Miyaguchi [428] describe an implementation of ESIGN which suggests that
it is twenty times faster than RSA signatures with comparable key and signature lengths.

Blind signatures (§11.8.1) were introduced by Chaum [242], who described the concept,
desired properties, and a protocol for untraceable payments. The first concrete realization
of the protocol (Protocol 11.119) was by Chaum [243]. Chaum and Pedersen [251] provide
a digital signature scheme which is a variant of the ElGamal signature mechanism (§11.5.2),
using a signing equation similar to the Schnorr scheme (§11.5.3), but computationally more
intensive for both signing and verification. This signature technique is then used to provide
a blind signature scheme.

The concept of a blind signature was extended by Chaum [245] to blinding for unanticipated
signatures. Camenisch, Piveteau, and Stadler [228] describe a blind signature protocol
based on the DSA (Algorithm 11.56) and one based on the Nyberg-Rueppel scheme
(Algorithm 11.81). Horster, Petersen, and Michels [563] consider a number of variants of
these protocols. Stadler, Piveteau, and Camenisch [1166] extend the idea of a blind signature
to a fair blind signature where the signer in cooperation with a trusted third party can
link the message and signature, and trace the sender.

Chaum, Fiat, and Naor [250] propose a scheme for untraceable electronic cash, which
allows a participant A to receive an electronic cash token from a bank. A can subsequently
spend the token at a shop B, which need not be on-line with the bank to accept and verify
the authenticity of the token. When the token is cashed at the bank by B, the bank is unable
to associate it with A. If, however, A attempts to spend the token twice (double-spending),
A's identity is revealed. Okamoto [951] proposes a divisible electronic cash scheme. A
divisible electronic coin is an element which has some monetary value associated with it, and
which can be used to make electronic purchases many times, provided the total value of all
transactions does not exceed the value of the coin.

Undeniable signatures (§11.8.2) were first introduced by Chaum and van Antwerpen [252],
along with a disavowal protocol (Protocol 11.125). Chaum [246] shows how to modify
the verification protocol for undeniable signatures (step 2 of Algorithm 11.122) to obtain a
zero-knowledge verification.

One shortcoming of undeniable signature schemes is the possibility that the signer is
unavailable or refuses to co-operate so that the signature cannot be verified by a recipient.
Chaum [247] proposed the idea of a designated confirmer signature where the signer
designates some entity as a confirmer of its signature. If the signer is unavailable or refuses to
co-operate, the confirmer has the ability to interact with a recipient of a signature in order to
verify it. The confirmer is unable to create signatures for the signer. Chaum [247] describes
an example of designated confirmer signatures based on RSA encryption. Okamoto [950]
provides a more in-depth analysis of this technique and gives other realizations.

A convertible undeniable digital signature, introduced by Boyar et al. [181], is an undeniable
signature (§11.8.2) with the property that the signer A can reveal a secret piece of
information, causing all undeniable signatures signed by A to become ordinary digital
signatures. These ordinary digital signatures can be verified by anyone using only the public
key of A and requiring no interaction with A in the verification process; i.e., the signatures
become self-authenticating. This secret information which is made available should not
permit anyone to create new signatures which will be accepted as originating from A. As
an application of this type of signature, consider the following scenario. Entity A signs all
documents during her lifetime with convertible undeniable signatures. The secret piece of
information needed to convert these signatures to self-authenticating signatures is placed in
trust with her lawyer B. After the death of A, the lawyer can make the secret information
public knowledge and all signatures can be verified. B does not have the ability to alter
or create new signatures on behalf of A. Boyar et al. [181] give a realization of the concept
of convertible undeniable signatures using ElGamal signatures (§11.5.2) and describe
how one can reveal information selectively to convert some, but not all, previously created
signatures to self-authenticating ones.

Chaum, van Heijst, and Pfitzmann [254] provide a method for constructing undeniable
signatures which are unconditionally secure for the signer.

Fail-stop signatures were introduced by Waidner and Pfitzmann [1227] and formally defined
by Pfitzmann and Waidner [971]. The first constructions for fail-stop signatures used
claw-free pairs of permutations (Definition 11.98) and one-time signature methods (see
Pfitzmann and Waidner [972]). More efficient techniques were provided by van Heijst and
Pedersen [1201], whose construction is the basis for Algorithm 11.130; they describe three
methods for extending the one-time nature of the scheme to multiple signings. Van Heijst,
Pedersen, and Pfitzmann [1202] extended the idea of van Heijst and Pedersen to fail-stop
signatures based on the integer factorization problem.

Damgard [298] proposed a signature scheme in which the signer can gradually and verifiably
release the signature to a verifier.

Chaum and van Heijst [253] introduced the concept of a group signature. A group signature
has the following properties: (i) only members of a predefined group can sign messages; (ii)
anyone can verify the validity of a signature but no one is able to identify which member of
the group signed; and (iii) in case of disputes, the signature can be opened (with or without
the help of group members) to reveal the identity of the group member who signed it. Chen
and Pedersen [255] extended this idea to provide group signatures with additional
functionality.

12.1 Introduction

This chapter considers key establishment protocols and related cryptographic techniques
which provide shared secrets between two or more parties, typically for subsequent use
as symmetric keys for a variety of cryptographic purposes including encryption, message
authentication, and entity authentication. The main focus is two-party key establishment,
with the aid of a trusted third party in some cases. While many concepts extend naturally to
multi-party key establishment including conference keying protocols, such protocols rapidly
become more complex, and are considered here only briefly, as is the related area of secret
sharing. Broader aspects of key management, including distribution of public keys,
certificates, and key life cycle issues, are deferred to Chapter 13.

Relationships to other cryptographic techniques. Key establishment techniques known
as key transport mechanisms directly employ symmetric encryption (Chapter 7) or public-
key encryption (Chapter 8). Authenticated key transport may be considered a special case
of message authentication (Chapter 9) with privacy, where the message includes a
cryptographic key. Many key establishment protocols based on public-key techniques employ
digital signatures (Chapter 11) for authentication. Others are closely related to techniques
for identification (Chapter 10).


Chapter outline

The remainder of this chapter is organized as follows. §12.2 provides background material
including a general classification, basic definitions and concepts, and a discussion of
objectives. §12.3 and §12.4 discuss key transport and agreement protocols, respectively,
based on symmetric techniques; the former includes several protocols involving an on-line
trusted third party. §12.5 and §12.6 discuss key transport and agreement protocols,
respectively, based on asymmetric techniques; the former includes protocols based on public-key
encryption, some of which also employ digital signatures, while the latter includes selected
variations of Diffie-Hellman key agreement. §12.7 and §12.8 consider secret sharing and
conference keying, respectively. §12.9 addresses the analysis of key establishment protocols
and standard attacks which must be countered. §12.10 contains chapter notes with
references.

The particular protocols discussed provide a representative subset of the large number
of practical key establishment protocols proposed to date, selected according to a number
of criteria including historical significance, distinguishing merits, and practical utility, with
particular emphasis on the latter.


12.2 Classification and framework


12.2.1 General classification and fundamental concepts

12.1 Definition A protocol is a multi-party algorithm, defined by a sequence of steps precisely
specifying the actions required of two or more parties in order to achieve a specified
objective.

12.2 Definition Key establishment is a process or protocol whereby a shared secret becomes
available to two or more parties, for subsequent cryptographic use.

Key establishment may be broadly subdivided into key transport and key agreement,
as defined below and illustrated in Figure 12.1.

12.3 Definition A key transport protocol or mechanism is a key establishment technique where
one party creates or otherwise obtains a secret value, and securely transfers it to the other(s).

12.4 Definition A key agreement protocol or mechanism is a key establishment technique in
which a shared secret is derived by two (or more) parties as a function of information
contributed by, or associated with, each of these, (ideally) such that no party can predetermine
the resulting value.

Additional variations beyond key transport and key agreement exist, including various
forms of key update, such as key derivation in §12.3.1.

Key establishment protocols involving authentication typically require a set-up phase
whereby authentic and possibly secret initial keying material is distributed. Most protocols
have as an objective the creation of distinct keys on each protocol execution. In some cases,
the initial keying material pre-defines a fixed key which will result every time the protocol is
executed by a given pair or group of users. Systems involving such static keys are insecure
under known-key attacks (Definition 12.17).

12.5 Definition Key pre-distribution schemes are key establishment protocols whereby the
resulting established keys are completely determined a priori by initial keying material. In
contrast, dynamic key establishment schemes are those whereby the key established by a
fixed pair (or group) of users varies on subsequent executions.

Dynamic key establishment is also referred to as session key establishment. In this case
the session keys are dynamic, and it is usually intended that the protocols are immune to
known-key attacks.


[Figure 12.1 (diagram not reproduced). Labels in the figure: key establishment; key transport;
key agreement; symmetric techniques; asymmetric techniques; dynamic key establishment;
key pre-distribution.]

Figure 12.1: Simplified classification of key establishment techniques.


Use of trusted servers

Many key establishment protocols involve a centralized or trusted party, for either or both
initial system setup and on-line actions (i.e., involving real-time participation). This party
is referred to by a variety of names depending on the role played, including: trusted third
party, trusted server, authentication server, key distribution center (KDC), key translation
center (KTC), and certification authority (CA). The various roles and functions of such
trusted parties are discussed in greater detail in Chapter 13. In the present chapter,
discussion is limited to the actions required of such parties in specific key establishment protocols.

Entity authentication, key authentication, and key confirmation

It is generally desired that each party in a key establishment protocol be able to determine
the true identity of the other(s) which could possibly gain access to the resulting key,
implying preclusion of any unauthorized additional parties from deducing the same key. In this
case, the technique is said (informally) to provide secure key establishment. This requires
both secrecy of the key, and identification of those parties with access to it. Furthermore,
the identification requirement differs subtly, but in a very important manner, from that of
entity authentication - here the requirement is knowledge of the identity of parties which
may gain access to the key, rather than corroboration that actual communication has been
established with such parties. Table 12.1 distinguishes various such related concepts, which
are highlighted by the definitions which follow.

While authentication may be informally defined as the process of verifying that an
identity is as claimed, there are many aspects to consider, including who, what, and when.
Entity authentication is defined in Chapter 10 (Definition 10.1), which presents protocols
providing entity authentication alone. Data origin authentication is defined in Chapter 9
(Definition 9.76), and is quite distinct.
Authentication term              Central focus
------------------------------   ------------------------------------------------------
authentication                   depends on context of usage
entity authentication            identity of a party, and aliveness at a given instant
data origin authentication       identity of the source of data
(implicit) key authentication    identity of party which may possibly share a key
key confirmation                 evidence that a key is possessed by some party
explicit key authentication      evidence an identified party possesses a given key

Table 12.1: Authentication summary - various terms and related concepts.


12.6 Definition Key authentication is the property whereby one party is assured that no other
party aside from a specifically identified second party (and possibly additional identified
trusted parties) may gain access to a particular secret key.

Key  authentication  is  independent  of  the  actual  possession  of  such  key  by  the  second 
party,  or  knowledge  of  such  actual  possession  by  the  first  party;  in  fact,  it  need  not  involve 
any  action  whatsoever  by  the  second  party.  For  this  reason,  it  is  sometimes  referred  to  more 
precisely  as  (implicit)  key  authentication. 

12.7  Definition  Key  confirmation  is  the  property  whereby  one  party  is  assured  that  a second 
(possibly  unidentified)  party  actually  has  possession  of  a particular  secret  key. 

12.8  Definition  Explicit  key  authentication  is  the  property  obtained  when  both  (implicit)  key 
authentication  and  key  confirmation  hold. 

In  the  case  of  explicit  key  authentication,  an  identified  party  is  known  to  actually  pos- 
sess a specified  key,  a conclusion  which  cannot  otherwise  be  drawn.  Encryption  applica- 
tions utilizing  key  establishment  protocols  which  offer  only  implicit  key  authentication  of- 
ten begin  encryption  with  an  initial  known  data  unit  serving  as  an  integrity  check- word,  thus 
moving  the  burden  of  key  confirmation  from  the  establishment  mechanism  to  the  applica- 
tion. 

The  focus  in  key  authentication  is  the  identity  of  the  second  party  rather  than  the  value 
of  the  key,  whereas  in  key  confirmation  the  opposite  is  true.  Key  confirmation  typically 
involves  one  party  receiving  a message  from  a second  containing  evidence  demonstrating 
the  latter’s  possession  of  the  key.  In  practice,  possession  of  a key  may  be  demonstrated  by 
various  means,  including  producing  a one-way  hash  of  the  key  itself,  use  of  the  key  in  a 
(keyed)  hash  function,  and  encryption  of  a known  quantity  using  the  key.  These  techniques 
may  reveal  some  information  (albeit  possibly  of  no  practical  consequence)  about  the  value 
of  the  key  itself;  in  contrast,  methods  using  zero-knowledge  techniques  (cf.  §10.4.1)  allow 
demonstration  of  possession  of  a key  while  providing  no  additional  information  (beyond 
that  previously  known)  regarding  its  value. 

Entity  authentication  is  not  a requirement  in  all  protocols.  Some  key  establishment 
protocols  (such  as  unauthenticated  Diffie-Hellman  key  agreement)  provide  none  of  entity 
authentication,  key  authentication,  and  key  confirmation.  Unilateral  key  confirmation  may 
always  be  added  e.g.,  by  including  a one-way  hash  of  the  derived  key  in  a final  message. 

12.9  Definition  An  authenticated  key  establishment  protocol  is  a key  establishment  protocol 
(Definition  12.2)  which  provides  key  authentication  (Definition  12.6). 
12.10 Remark (combining entity authentication and key establishment) In a key establishment
protocol  which  involves  entity  authentication,  it  is  critical  that  the  protocol  be  constructed 
to  guarantee  that  the  party  whose  identity  is  thereby  corroborated  is  the  same  party  with 
which  the  key  is  established.  When  this  is  not  so,  an  adversary  may  enlist  the  aid  of  an 
unsuspecting  authorized  party  to  carry  out  the  authentication  aspect,  and  then  impersonate 
that  party  in  key  establishment  (and  subsequent  communications). 

Identity-based  and  non-interactive  protocols 

Motivation  for  identity-based  systems  is  provided  in  §13.4.3. 

12.11  Definition  A key  establishment  protocol  is  said  to  be  identity-based  if  identity  informa- 
tion (e.g.,  name  and  address,  or  an  identifying  index)  of  the  party  involved  is  used  as  the 
party’s  public  key.  A related  idea  (see  §13.4.4)  involves  use  of  identity  information  as  an 
input  to  the  function  which  determines  the  established  key. 

Identity-based  authentication  protocols  may  be  defined  similarly. 

12.12  Definition  A two-party  key  establishment  protocol  is  said  to  be  message-independent  if 
the  messages  sent  by  each  party  are  independent  of  any  per-session  time-variant  data  (dy- 
namic data)  received  from  other  parties. 

Message-independent  protocols  which  furthermore  involve  no  dynamic  data  in  the  key 
computation  are  simply  key  pre-distribution  schemes  (Definition  12.5).  In  general,  dynamic 
data  (e.g.,  that  received  from  another  party)  is  involved  in  the  key  computation,  even  in 
message-independent  protocols. 

12.13 Remark (message-independent vs. non-interactive) Message-independent protocols include
non-interactive protocols (zero-pass and one-pass protocols, i.e., those involving zero
or one message but no reply), as well as some two-pass protocols. Regarding inter-party
communications, some specification (explicit or otherwise) of the parties involved in key
establishment is necessary even in zero-pass protocols. More subtly, in protocols involving
t users identified by a vector $(i_1, \ldots, i_t)$, the ordering of indices may determine distinct
keys.  In  other  protocols  (e.g.,  basic  Diffie-Hellman  key  agreement  or  Protocol  12.53),  the 
cryptographic  data  in  one  party’s  message  is  independent  of  both  dynamic  data  in  other  par- 
ties’ messages  and  of  all  party-specific  data  including  public  keys  and  identity  information. 


12.2.2  Objectives  and  properties 

Cryptographic  protocols  involving  message  exchanges  require  precise  definition  of  both  the 
messages  to  be  exchanged  and  the  actions  to  be  taken  by  each  party.  The  following  types 
of  protocols  may  be  distinguished,  based  on  objectives  as  indicated: 

1. authentication protocol - to provide to one party some degree of assurance regarding
the  identity  of  another  with  which  it  is  purportedly  communicating; 

2.  key  establishment  protocol  - to  establish  a shared  secret; 

3.  authenticated  key  establishment  protocol  - to  establish  a shared  secret  with  a party 
whose  identity  has  been  (or  can  be)  corroborated. 
Motivation for use of session keys

Key  establishment  protocols  result  in  shared  secrets  which  are  typically  called,  or  used  to 
derive,  session  keys.  Ideally,  a session  key  is  an  ephemeral  secret,  i.e.,  one  whose  use  is 
restricted  to  a short  time  period  such  as  a single  telecommunications  connection  (or  ses- 
sion), after  which  all  trace  of  it  is  eliminated.  Motivation  for  ephemeral  keys  includes  the 
following: 

1. to limit available ciphertext (under a fixed key) for cryptanalytic attack;

2.  to  limit  exposure,  with  respect  to  both  time  period  and  quantity  of  data,  in  the  event 
of  (session)  key  compromise; 

3.  to  avoid  long-term  storage  of  a large  number  of  distinct  secret  keys  (in  the  case  where 
one  terminal  communicates  with  a large  number  of  others),  by  creating  keys  only 
when  actually  required; 

4.  to  create  independence  across  communications  sessions  or  applications. 

It  is  also  desirable  in  practice  to  avoid  the  requirement  of  maintaining  state  information 
across  sessions. 

Types  of  assurances  and  distinguishing  protocol  characteristics 

When  designing  or  selecting  a key  establishment  technique  for  use,  it  is  important  to  con- 
sider what  assurances  and  properties  an  intended  application  requires.  Distinction  should 
be  made  between  functionality  provided  to  a user,  and  technical  characteristics  which  dis- 
tinguish mechanisms  at  the  implementation  level.  (The  latter  are  typically  of  little  interest 
to  the  user,  aside  from  cost  and  performance  implications.)  Characteristics  which  differen- 
tiate key  establishment  techniques  include: 

1.  nature  of  the  authentication.  Any  combination  of  the  following  may  be  provided: 
entity  authentication,  key  authentication,  and  key  confirmation. 

2.  reciprocity  of  authentication.  When  provided,  each  of  entity  authentication,  key  au- 
thentication, and  key  confirmation  may  be  unilateral  or  mutual  (provided  to  one  or 
both  parties,  respectively). 

3.  key  freshness.  A key  is  fresh  (from  the  viewpoint  of  one  party)  if  it  can  be  guaranteed 
to  be  new,  as  opposed  to  possibly  an  old  key  being  reused  through  actions  of  either 
an  adversary  or  authorized  party.  This  is  related  to  key  control  (below). 

4.  key  control.  In  some  protocols  (key  transport),  one  party  chooses  a key  value.  In  oth- 
ers ( key  agreement),  the  key  is  derived  from  joint  information,  and  it  may  be  desirable 
that  neither  party  be  able  to  control  or  predict  the  value  of  the  key. 

5.  efficiency.  Considerations  include: 

(a)  number  of  message  exchanges  (passes)  required  between  parties; 

(b)  bandwidth  required  by  messages  (total  number  of  bits  transmitted); 

(c)  complexity  of  computations  by  each  party  (as  it  affects  execution  time);  and 

(d)  possibility  of  precomputation  to  reduce  on-line  computational  complexity. 

6.  third  party  requirements.  Considerations  include  (see  §13.2.4): 

(a)  requirement  of  an  on-line  (real-time),  off-line,  or  no  third  party; 

(b)  degree  of  trust  required  in  a third  party  (e.g.,  trusted  to  certify  public  keys  vs. 
trusted  not  to  disclose  long-term  secret  keys). 

7.  type  of  certificate  used,  if  any.  More  generally,  one  may  consider  the  manner  by 
which  initial  keying  material  is  distributed,  which  may  be  related  to  third  party  re- 
quirements. (This  is  often  not  of  direct  concern  to  a user,  being  an  implementation 
detail  typically  providing  no  additional  functionality.) 
8. non-repudiation. A protocol may provide some type of receipt that keying material
has  been  exchanged. 

12.14 Remark (efficiency vs. security) The efficiency and security of cryptographic techniques
are  often  related.  For  example,  in  some  protocols  a basic  step  is  executed  repeatedly,  and 
security  increases  with  the  number  of  repetitions;  in  this  case,  the  level  of  security  attainable 
given  a fixed  amount  of  time  depends  on  the  efficiency  of  the  basic  step. 

In  the  description  of  protocol  messages,  it  is  assumed  that  when  the  claimed  source 
identity  or  source  network  address  of  a message  is  not  explicitly  included  as  a message  field, 
these are known by context or otherwise available to the recipient, possibly by (unspecified)
additional  cleartext  fields. 


12.2.3  Assumptions  and  adversaries  in  key  establishment 
protocols 

To  clarify  the  threats  protocols  may  be  subject  to,  and  to  motivate  the  need  for  specific 
protocol  characteristics,  one  requires  (as  a minimum)  an  informal  model  for  key  establish- 
ment protocols,  including  an  understanding  of  underlying  assumptions.  Attention  here  is 
restricted  to  two-party  protocols,  although  the  definitions  and  models  may  be  generalized. 

Adversaries  in  key  establishment  protocols 

Communicating  parties  or  entities  in  key  establishment  protocols  are  formally  called  prin- 
cipals, and  assumed  to  have  unique  names.  In  addition  to  legitimate  parties,  the  presence  of 
an  unauthorized  “third”  party  is  hypothesized,  which  is  given  many  names  under  various 
circumstances,  including:  adversary,  intruder,  opponent,  enemy,  attacker,  eavesdropper, 
and  impersonator. 

When  examining  the  security  of  protocols,  it  is  assumed  that  the  underlying  crypto- 
graphic mechanisms  used,  such  as  encryption  algorithms  and  digital  signatures  schemes, 
are  secure.  If  otherwise,  then  there  is  no  hope  of  a secure  protocol.  An  adversary  is  hypoth- 
esized to  be  not  a cryptanalyst  attacking  the  underlying  mechanisms  directly,  but  rather  one 
attempting  to  subvert  the  protocol  objectives  by  defeating  the  manner  in  which  such  mech- 
anisms are  combined,  i.e.,  attacking  the  protocol  itself. 

12.15  Definition  A passive  attack  involves  an  adversary  who  attempts  to  defeat  a cryptographic 
technique  by  simply  recording  data  and  thereafter  analyzing  it  (e.g.,  in  key  establishment,  to 
determine  the  session  key).  An  active  attack  involves  an  adversary  who  modifies  or  injects 
messages. 

It is typically assumed that protocol messages are transmitted over unprotected (open)
networks,  modeled  by  an  adversary  able  to  completely  control  the  data  therein,  with  the 
ability  to  record,  alter,  delete,  insert,  redirect,  reorder,  and  reuse  past  or  current  messages, 
and  inject  new  messages.  To  emphasize  this,  legitimate  parties  are  modeled  as  receiv- 
ing messages  exclusively  via  intervening  adversaries  (on  every  communication  path,  or  on 
some  subset  of  t of  n paths),  which  have  the  option  of  either  relaying  messages  unaltered  to 
the  intended  recipients,  or  carrying  out  (with  no  noticeable  delay)  any  of  the  above  actions. 
An  adversary  may  also  be  assumed  capable  of  engaging  unsuspecting  authorized  parties  by 
initiating  new  protocol  executions. 

An  adversary  in  a key  establishment  protocol  may  pursue  many  strategies,  including 
attempting  to: 
1. deduce a session key using information gained by eavesdropping;

2.  participate  covertly  in  a protocol  initiated  by  one  party  with  another,  and  influence  it, 
e.g.,  by  altering  messages  so  as  to  be  able  to  deduce  the  key; 

3. initiate one or more protocol executions (possibly simultaneously), and combine (interleave)
messages from one with another, so as to masquerade as some party or carry
out  one  of  the  above  attacks; 

4.  without  being  able  to  deduce  the  session  key  itself,  deceive  a legitimate  party  regard- 
ing the  identity  of  the  party  with  which  it  shares  a key.  A protocol  susceptible  to  such 
an  attack  is  not  resilient  (see  Definition  12.82). 

In  unauthenticated  key  establishment,  impersonation  is  (by  definition)  possible.  In  entity 
authentication,  where  there  is  no  session  key  to  attack,  an  adversary’s  objective  is  to  ar- 
range that  one  party  receives  messages  which  satisfy  that  party  that  the  protocol  has  been 
run  successfully  with  a party  other  than  the  adversary. 

Distinction  is  sometimes  made  between  adversaries  based  on  the  type  of  information 
available  to  them.  An  outsider  is  an  adversary  with  no  special  knowledge  beyond  that  gen- 
erally available,  e.g.,  by  eavesdropping  on  protocol  messages  over  open  channels.  An  in- 
sider is  an  adversary  with  access  to  additional  information  (e.g.,  session  keys  or  secret  par- 
tial information),  obtained  by  some  privileged  means  (e.g.,  physical  access  to  private  com- 
puter resources,  conspiracy,  etc.).  A one-time  insider  obtains  such  information  at  one  point 
in  time  for  use  at  a subsequent  time;  a permanent  insider  has  continual  access  to  privileged 
information. 

Perfect  forward  secrecy  and  known-key  attacks 

In  analyzing  key  establishment  protocols,  the  potential  impact  of  compromise  of  various 
types  of  keying  material  should  be  considered,  even  if  such  compromise  is  not  normally 
expected.  In  particular,  the  effect  of  the  following  is  often  considered: 

1. compromise of long-term secret (symmetric or asymmetric) keys, if any;

2.  compromise  of  past  session  keys. 

12.16  Definition  A protocol  is  said  to  have  perfect  forward  secrecy  if  compromise  of  long-term 
keys  does  not  compromise  past  session  keys. 

The  idea  of  perfect  forward  secrecy  (sometimes  called  break-backward  protection)  is 
that  previous  traffic  is  locked  securely  in  the  past.  It  may  be  provided  by  generating  session 
keys by Diffie-Hellman key agreement (e.g., Protocol 12.57), wherein the Diffie-Hellman
exponentials  are  based  on  short-term  keys.  If  long-term  secret  keys  are  compromised,  fu- 
ture sessions  are  nonetheless  subject  to  impersonation  by  an  active  adversary. 

12.17  Definition  A protocol  is  said  to  be  vulnerable  to  a known-key  attack  if  compromise  of 
past  session  keys  allows  either  a passive  adversary  to  compromise  future  session  keys,  or 
impersonation  by  an  active  adversary  in  the  future. 

Known-key  attacks  on  key  establishment  protocols  are  analogous  to  known-plaintext 
attacks  on  encryption  algorithms.  One  motivation  for  their  consideration  is  that  in  some 
environments  (e.g.,  due  to  implementation  and  engineering  decisions),  the  probability  of 
compromise  of  session  keys  may  be  greater  than  that  of  long-term  keys.  A second  motiva- 
tion is  that  when  using  cryptographic  techniques  of  only  moderate  strength,  the  possibility 
exists  that  over  time  extensive  cryptanalytic  effort  may  uncover  past  session  keys.  Finally, 
in some systems, past session keys may be deliberately uncovered for various reasons (e.g.,
after authentication, to possibly detect use of the authentication channel as a covert or hidden
channel).


12.3  Key  transport  based  on  symmetric  encryption 

This  section  presents  a selection  of  key  establishment  protocols  based  on  key  transport  (i.e., 
transfer  of  a specific  key  chosen  a priori  by  one  party)  using  symmetric  encryption.  Re- 
lated techniques  involving  non-reversible  functions  are  also  presented.  Discussion  is  sub- 
divided into  protocols  with  and  without  the  use  of  a trusted  server,  as  summarized  in  Ta- 
ble 12.2.  Some  of  these  use  time-variant  parameters  (timestamps,  sequence  numbers,  or 
random  numbers)  or  nonces  as  discussed  in  §10.3.1. 


  Protocol (↓) / Properties (→) | server type | use of timestamps | number of messages
  ------------------------------|-------------|-------------------|-------------------
  point-to-point key update     | none        | optional          | 1-3
  Shamir's no-key protocol      | none        | no                | 3
  Kerberos                      | KDC         | yes               | 4
  Needham-Schroeder shared-key  | KDC         | no                | 5
  Otway-Rees                    | KDC         | no                | 4
  Protocol 13.12                | KTC         | no                | 3

Table 12.2: Key transport protocols based on symmetric encryption.


12.3.1  Symmetric  key  transport  and  derivation  without  a server 

Server-less  key  transport  based  on  symmetric  techniques  may  either  require  that  the  two 
parties  in  the  protocol  initially  share  a long-term  pairwise  secret  or  not,  respectively  illus- 
trated below  by  point-to-point  key  update  techniques  and  Shamir’s  no-key  algorithm.  Other 
illustrative  techniques  are  also  given. 

(i)  Point-to-point  key  update  using  symmetric  encryption 

Point-to-point key update techniques based on symmetric encryption make use of a long-term
symmetric key K shared a priori by two parties A and B. This key, initially distributed
over  a secure  channel  or  resulting  from  a key  pre-distribution  scheme  (e.g.,  see  Note  12.48), 
is  used  repeatedly  to  establish  new  session  keys  W . Representative  examples  of  point-to- 
point  key  transport  techniques  follow. 

Notation: $r_A$, $t_A$, and $n_A$, respectively, denote a random number, timestamp, and sequence
number generated by A (see §10.3.1). E denotes a symmetric encryption algorithm
(see Remark 12.19). Optional message fields are denoted by an asterisk (*).

1. key transport with one pass:

   $A \rightarrow B : E_K(r_A)$   (1)

   The session key used is $W = r_A$, and both A and B obtain implicit key authentication.
   Additional optional fields which might be transferred in the encrypted portion
   include: a timestamp or sequence number to provide a freshness guarantee to B (see
   Remark 12.18); a field containing redundancy, to provide explicit key authentication
   to B or facilitate message modification detection (see Remark 12.19); and a target
   identifier to prevent undetectable message replay back on A immediately. Thus:

   $A \rightarrow B : E_K(r_A, t_A^*, B^*)$   (1')

   If it is desired that both parties contribute to the session key, B may send A an
   analogous message, with the session key computed as $f(r_A, r_B)$. Choosing $f$ to be a
   one-way function precludes control of the final key value by either party, or an adversary
   who acquires one of $r_A$, $r_B$.

2. key transport with challenge-response:

   $A \leftarrow B : n_B$   (1)

   $A \rightarrow B : E_K(r_A, n_B, B^*)$   (2)

   If a freshness guarantee is desired but reliance on timestamps is not, a random number
   or sequence number, denoted $n_B$ here, may be used to replace the timestamp in the
   one-pass technique; the cost is an additional message. The session key is again $W = r_A$.

   If it is required that the session key W be a function of inputs from both parties, A
   may insert a nonce $n_A$ preceding $n_B$ in (2), and a third message may be added as
   below. (Here $r_A$, $r_B$ are random numbers serving as keying material, while $n_A$, $n_B$
   are nonces for freshness.)

   $A \leftarrow B : n_B$   (1)

   $A \rightarrow B : E_K(r_A, n_A, n_B, B^*)$   (2)

   $A \leftarrow B : E_K(r_B, n_B, n_A, A^*)$   (3)

12.18 Remark (key update vulnerabilities) The key update techniques above do not offer perfect
forward  secrecy,  and  fail  completely  if  the  long-term  key  K is  compromised.  For  this  rea- 
son they  may  be  inappropriate  for  many  applications.  The  one-pass  protocol  is  also  subject 
to  replay  unless  a timestamp  is  used. 

12.19 Remark (integrity guarantees within encryption) Many authentication protocols which
employ encryption, including the above key update protocols and Protocols 12.24, 12.26,
and 12.29, require for security reasons that the encryption function has a built-in data
integrity mechanism (see Figure 9.8(b) for an example, and Definition 9.75) to detect
message modification.
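The three-message challenge-response key update above (messages (1)-(3), with $W = f(r_A, r_B)$), together with Remarks 12.18 and 12.19, as an added example that is not code from the Handbook: it runs both parties' checks (nonce echo for freshness, target identifier against reflection), shows that a modified message (2) is rejected because $E_K$ carries an integrity tag (Remark 12.19), and shows that whoever holds the long-term key K can recover W from a recorded transcript (Remark 12.18, no perfect forward secrecy). The encryption function $E_K$ is a toy encrypt-then-MAC built from HMAC-SHA256, and the length-prefixed field encoding is this example's own choice; neither is specified by the page, and the toy cipher is not a substitute for a real authenticated-encryption mode.

```python
import hmac
import hashlib
import secrets

# Added example (not from the Handbook): three-message challenge-response key update of
# 12.3.1(i) with W = f(r_A, r_B). E_K below is a toy encrypt-then-MAC built from HMAC-SHA256
# (keystream + tag) so the example runs with the standard library only; it stands in for the
# integrity-providing encryption function that Remark 12.19 requires.

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; constructed for this example, not a standard cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def E(key, fields):
    """E_K(field_1, ..., field_n): length-prefix the fields, encrypt, append an HMAC tag."""
    pt = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def D(key, blob):
    """D_K: verify the tag first (Remark 12.19), then decrypt and split the fields."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: message modified")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
    fields, i = [], 0
    while i < len(pt):
        n = int.from_bytes(pt[i:i + 2], "big")
        fields.append(pt[i + 2:i + 2 + n])
        i += 2 + n
    return fields


def f(r_a, r_b):
    """One-way combination of both contributions: neither party alone controls W."""
    return hashlib.sha256(b"session-key|" + r_a + b"|" + r_b).digest()


def run_key_update(K, tamper=None):
    """Run messages (1)-(3); returns (W at A, W at B, transcript). tamper may alter message (2)."""
    A, B = b"A", b"B"
    n_b = secrets.token_bytes(16)                        # (1) A <- B : n_B
    r_a, n_a = secrets.token_bytes(16), secrets.token_bytes(16)
    msg2 = E(K, [r_a, n_a, n_b, B])                      # (2) A -> B : E_K(r_A, n_A, n_B, B)
    if tamper is not None:
        msg2 = tamper(msg2)
    # B processes (2): freshness via its own nonce, target identifier against reflection.
    r_a_b, n_a_b, n_b_b, target = D(K, msg2)
    if n_b_b != n_b:
        raise ValueError("n_B mismatch: replayed or stale message")
    if target != B:
        raise ValueError("target identifier mismatch: message not meant for B")
    r_b = secrets.token_bytes(16)
    msg3 = E(K, [r_b, n_b, n_a_b, A])                    # (3) A <- B : E_K(r_B, n_B, n_A, A)
    # A processes (3) symmetrically.
    r_b_a, n_b_a, n_a_a, target = D(K, msg3)
    if n_a_a != n_a or n_b_a != n_b or target != A:
        raise ValueError("message (3) rejected by A")
    return f(r_a, r_b_a), f(r_a_b, r_b), (msg2, msg3)


def recover_with_long_term_key(K, transcript):
    """Remark 12.18: a holder of K decrypts a recorded transcript and recomputes W (no PFS)."""
    msg2, msg3 = transcript
    r_a = D(K, msg2)[0]
    r_b = D(K, msg3)[0]
    return f(r_a, r_b)


def demo():
    K = secrets.token_bytes(32)                          # long-term key shared a priori
    w_a, w_b, transcript = run_key_update(K)

    def flip_one_bit(msg):                               # alters a ciphertext byte, not the tag
        m = bytearray(msg)
        m[NONCE_LEN] ^= 0x01
        return bytes(m)

    try:
        run_key_update(K, tamper=flip_one_bit)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "keys_agree": w_a == w_b,
        "key_len": len(w_a),
        "tamper_detected": tamper_detected,
        "past_key_exposed_by_K": recover_with_long_term_key(K, transcript) == w_a,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns all four checks true (with a 32-byte W): the parties agree on W, a flipped ciphertext byte is rejected before any field is used, and the long-term key alone suffices to reconstruct a past W, which is exactly why Remark 12.18 calls these techniques inappropriate where forward secrecy matters.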

(ii)  Point-to-point  key  update  by  key  derivation  and  non-reversible  functions 

Key  update  may  be  achieved  by  key  transport  as  above,  or  by  key  derivation  wherein  the 
derived  session  key  is  based  on  per-session  random  input  provided  by  one  party.  In  this 
case,  there  is  also  a single  message: 

   $A \rightarrow B : r_A$   (1)

The session key is computed as $W = E_K(r_A)$. The technique provides to both A and B
implicit key authentication. It is, however, susceptible to known-key attacks; Remark 12.18
similarly applies. The random number $r_A$ here may be replaced by other time-variant
parameters; for example, a timestamp $t_A$ validated by the recipient by comparison to its local
clock provides an implicit key freshness property, provided the long-term key is not
compromised. Here A could control the value of W, forcing it to be x by choosing $r_A = D_K(x)$.
Since the technique itself does not require decryption, E may be replaced by an appropriate
keyed pseudorandom function $h_K$, in which case the session key may be computed as
$W = h_K(r_A)$, with $r_A$ a time-variant parameter as noted above.

In  the  other  techniques  of  §12.3.1  (i)  employing  an  encryption  function  E,  the  confi- 
dentiality itself  of  the  encrypted  fields  other  than  the  session  key  W is  not  critical.  A key 
derivation  protocol  which  entirely  avoids  the  use  of  an  encryption  function  may  offer  po- 
tential advantages  with  respect  to  export  restrictions.  Protocol  12.20  is  such  a technique, 
which  also  provides  authentication  guarantees  as  stated.  It  uses  two  distinct  functions  h 
and  h'  (generating  outputs  of  different  bitlengths),  respectively,  for  message  authentication 
and  key  derivation. 


12.20 Protocol Authenticated Key Exchange Protocol 2 (AKEP2)

SUMMARY: A and B exchange 3 messages to derive a session key W.

RESULT: mutual entity authentication, and implicit key authentication of W.

1. Setup: A and B share long-term symmetric keys K, K' (these should differ but need
   not be independent). $h_K$ is a MAC (keyed hash function) used for entity authentication.
   $h'_{K'}$ is a pseudorandom permutation or keyed one-way function used for key
   derivation.

2. Protocol messages. Define $T = (B, A, r_A, r_B)$.

   $A \rightarrow B : r_A$   (1)

   $A \leftarrow B : T, h_K(T)$   (2)

   $A \rightarrow B : (A, r_B), h_K(A, r_B)$   (3)

   $W = h'_{K'}(r_B)$

3. Protocol actions. Perform the following steps for each shared key required.

   (a) A selects and sends to B a random number $r_A$.

   (b) B selects a random number $r_B$ and sends to A the values $(B, A, r_A, r_B)$, along
       with a MAC over these quantities generated using h with key K.

   (c) Upon receiving message (2), A checks the identities are proper, that the $r_A$
       received matches that in (1), and verifies the MAC.

   (d) A then sends to B the values $(A, r_B)$, along with a MAC thereon.

   (e) Upon receiving (3), B verifies that the MAC is correct, and that the received
       value $r_B$ matches that sent earlier.

   (f) Both A and B compute the session key as $W = h'_{K'}(r_B)$.


12.21 Note (AKEP1 variant of Protocol 12.20) The following modification of AKEP2 results in
AKEP1 (Authenticated Key Exchange Protocol 1). B explicitly generates a random session
key W and probabilistically encrypts it using h' under K' and random number r. The
quantity $(r, W \oplus h'_{K'}(r))$ is now included as a final extra field within T and $h_K(T)$ in (2),
and from which A may recover W. As an optimization, $r = r_B$.
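Protocol 12.20 and the AKEP1 variant of Note 12.21, as an added example that is not the Handbook's code: both parties perform the checks of steps (c) and (e), and the `variant` switch appends B's masked session key to T as the note describes (with $r = r_B$). $h_K$ is instantiated here as HMAC-SHA256 and $h'_{K'}$ as a domain-separated HMAC-SHA256 truncated to 128 bits, so the two functions differ in output length as the protocol requires; the tuple encoding is this example's own choice, not something the page specifies.

```python
import hmac
import hashlib
import secrets

# Added example (not the Handbook's code): AKEP2 (Protocol 12.20) and its AKEP1 variant
# (Note 12.21). h_K is HMAC-SHA256; h'_{K'} is a domain-separated HMAC-SHA256 truncated to
# 128 bits, so the two functions have different output lengths as the protocol requires.


def h(K, *fields):
    """h_K: MAC over a tuple of byte-string fields (length-prefixed), for entity authentication."""
    data = b"".join(len(x).to_bytes(2, "big") + x for x in fields)
    return hmac.new(K, data, hashlib.sha256).digest()


def h_prime(K2, r):
    """h'_{K'}: keyed one-way function for key derivation (128-bit output)."""
    return hmac.new(K2, b"akep-kd|" + r, hashlib.sha256).digest()[:16]


def xor(x, y):
    return bytes(a ^ b for a, b in zip(x, y))


class Party:
    def __init__(self, name, K, K2):
        self.name, self.K, self.K2 = name, K, K2


def akep(A, B, variant="AKEP2"):
    """Run messages (1)-(3) between A and B; returns (W as computed by A, W as computed by B)."""
    r_a = secrets.token_bytes(16)                         # (1) A -> B : r_A
    # B builds T = (B, A, r_A, r_B) and MACs it under its copy of K.
    r_b = secrets.token_bytes(16)
    T = [B.name, A.name, r_a, r_b]
    w_b = None
    if variant == "AKEP1":                                # B picks W, masks it with h'_{K'}(r_B)
        w_b = secrets.token_bytes(16)
        T.append(xor(w_b, h_prime(B.K2, r_b)))
    msg2 = (T, h(B.K, *T))                                # (2) A <- B : T, h_K(T)
    # (c) A checks the identities, that r_A echoes message (1), and the MAC.
    T_recv, tag2 = msg2
    if T_recv[0] != B.name or T_recv[1] != A.name:
        raise ValueError("identities in T are not (B, A)")
    if T_recv[2] != r_a:
        raise ValueError("r_A in message (2) does not match message (1)")
    if not hmac.compare_digest(tag2, h(A.K, *T_recv)):
        raise ValueError("MAC on message (2) failed")
    r_b_a = T_recv[3]
    msg3 = ((A.name, r_b_a), h(A.K, A.name, r_b_a))       # (3) A -> B : (A, r_B), h_K(A, r_B)
    # (e) B checks the MAC and that r_B matches what it sent.
    (name, r_b_b), tag3 = msg3
    if name != A.name or r_b_b != r_b:
        raise ValueError("message (3) fields do not match")
    if not hmac.compare_digest(tag3, h(B.K, name, r_b_b)):
        raise ValueError("MAC on message (3) failed")
    # (f) session key: derived from r_B (AKEP2) or unmasked from T (AKEP1).
    if variant == "AKEP1":
        return xor(T_recv[4], h_prime(A.K2, r_b_a)), w_b
    return h_prime(A.K2, r_b_a), h_prime(B.K2, r_b)


def authenticates(A, B, variant="AKEP2"):
    """True if the run completes, False if either party rejects a message."""
    try:
        akep(A, B, variant)
        return True
    except ValueError:
        return False


def demo():
    K, K2 = secrets.token_bytes(32), secrets.token_bytes(32)
    A, B = Party(b"A", K, K2), Party(b"B", K, K2)
    w_a, w_b = akep(A, B)
    w1_a, w1_b = akep(A, B, variant="AKEP1")
    impostor = Party(b"B", secrets.token_bytes(32), K2)   # claims to be B but lacks K
    return {
        "akep2_keys_agree": w_a == w_b,
        "akep1_keys_agree": w1_a == w1_b,
        "key_len": len(w_a),
        "impostor_rejected": not authenticates(A, impostor),
    }


if __name__ == "__main__":
    print(demo())
```

The run with `impostor` fails at A's check in step (c), since the MAC over T was not produced under K; this is the entity authentication the RESULT line promises, and it is obtained without any encryption function, which is the export-related point made before Protocol 12.20.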

(iii)  Key  transport  without  a priori  shared  keys 

Shamir’s  no-key  algorithm  (Protocol  12.22)  is  a key  transport  protocol  which,  using  only 
symmetric  techniques  (although  involving  modular  exponentiation),  allows  key  establish- 
ment over  an  open  channel  without  requiring  either  shared  or  public  keys.  Each  party  has 
only  its  own  local  symmetric  key.  The  protocol  provides  protection  from  passive  adver- 
saries only;  it  does  not  provide  authentication.  It  thus  solves  the  same  problem  as  basic 
Diffie-Hellman (Protocol 12.47) - two parties sharing no a priori keying material end up
with  a shared  secret  key,  secure  against  passive  adversaries  - although  differences  include 
that  it  uses  three  messages  rather  than  two,  and  provides  key  transport. 


12.22 Protocol Shamir's no-key protocol

SUMMARY: users A and B exchange 3 messages over a public channel.

RESULT: secret K is transferred with privacy (but no authentication) from A to B.

1. One-time setup (definition and publication of system parameters).

   (a) Select and publish for common use a prime p chosen such that computation of
       discrete logarithms modulo p is infeasible (see Chapter 3).

   (b) A and B choose respective secret random numbers a, b, with $1 \le a, b \le p-2$,
       each coprime to $p-1$. They respectively compute $a^{-1}$ and $b^{-1} \bmod p-1$.

2. Protocol messages.

   $A \rightarrow B : K^a \bmod p$   (1)

   $A \leftarrow B : (K^a)^b \bmod p$   (2)

   $A \rightarrow B : (K^{ab})^{a^{-1}} \bmod p$   (3)

3. Protocol actions. Perform the following steps for each shared key required.

   (a) A chooses a random key K for transport to B, $1 \le K \le p-1$. A computes
       $K^a \bmod p$ and sends B message (1).

   (b) B exponentiates (mod p) the received value by b, and sends A message (2).

   (c) A exponentiates (mod p) the received value by $a^{-1} \bmod p-1$, effectively
       "undoing" its previous exponentiation and yielding $K^b \bmod p$. A sends the result
       to B as message (3).

   (d) B exponentiates (mod p) the received value by $b^{-1} \bmod p-1$, yielding the
       newly shared key $K \bmod p$.


Use  of  ElGamal  encryption  for  key  transport  (as  per  §12.5.1)  with  an  uncertified  public 
key  sent  in  a first  message  (which  would  by  definition  be  safe  from  passive  attack)  achieves 
in  two  passes  the  same  goals  as  the  above  three-pass  algorithm.  In  this  case,  the  key  is 
transported  from  the  recipient  of  the  first  message  to  the  originator. 

12.23 Remark (choice of cipher in Protocol 12.22) While it might appear that any commutative
cipher (i.e., cipher wherein the order of encryption and decryption is interchangeable)
would  suffice  in  place  of  modular  exponentiation  in  Protocol  12.22,  caution  is  advised.  For 
example,  use  of  the  Vernam  cipher  (§1.5.4)  would  be  totally  insecure  here,  as  the  XOR  of 
the  three  exchanged  messages  would  equal  the  key  itself. 
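Protocol 12.22 with modular exponentiation, alongside the Vernam-cipher substitution that Remark 12.23 warns against, as an added example that is not the Handbook's code. The exponentiation version shows why the exponents must be coprime to $p-1$ (their inverses modulo $p-1$ must exist) and checks that B recovers K; the XOR version transports K just as well but, as the remark states, the XOR of the three messages on the wire equals K. `DEMO_P` is an assumed demonstration parameter (a 127-bit Mersenne prime) chosen only so the example runs quickly; a deployment needs a prime for which discrete logarithms are actually infeasible.

```python
import secrets
from math import gcd

# Added example (not the Handbook's code): Shamir's no-key protocol (Protocol 12.22) with
# modular exponentiation, plus the Remark 12.23 counterexample with a Vernam (XOR) cipher.
# DEMO_P is a 127-bit Mersenne prime chosen only to keep the example fast; real use needs a
# p for which discrete logarithms are infeasible (see Chapter 3).

DEMO_P = 2**127 - 1


def pick_exponent(p):
    """Secret exponent in [1, p-2] coprime to p-1, so that its inverse mod p-1 exists."""
    while True:
        e = secrets.randbelow(p - 2) + 1
        if gcd(e, p - 1) == 1:
            return e


def shamir_no_key(p, K, a=None, b=None):
    """Transport K from A to B; returns (K as recovered by B, the three messages on the wire)."""
    assert 1 <= K <= p - 1
    a = a if a is not None else pick_exponent(p)
    b = b if b is not None else pick_exponent(p)
    a_inv, b_inv = pow(a, -1, p - 1), pow(b, -1, p - 1)  # inverses mod p-1 (Python 3.8+)
    m1 = pow(K, a, p)                                    # (1) A -> B : K^a mod p
    m2 = pow(m1, b, p)                                   # (2) A <- B : (K^a)^b mod p
    m3 = pow(m2, a_inv, p)                               # (3) A -> B : (K^ab)^(a^-1) = K^b mod p
    K_at_B = pow(m3, b_inv, p)                           # B: (K^b)^(b^-1) = K mod p
    return K_at_B, (m1, m2, m3)


def vernam_three_pass(K, a, b):
    """The same three passes with XOR as the commutative cipher (Remark 12.23)."""
    m1 = K ^ a              # (1)
    m2 = m1 ^ b             # (2)
    m3 = m2 ^ a             # (3) equals K ^ b
    return m3 ^ b, (m1, m2, m3)


def xor_of_transcript(messages):
    """What a passive observer of the three XOR messages can compute."""
    m1, m2, m3 = messages
    return m1 ^ m2 ^ m3


def demo():
    K = secrets.randbelow(DEMO_P - 1) + 1
    K_at_B, _ = shamir_no_key(DEMO_P, K)
    a, b = secrets.randbits(128), secrets.randbits(128)
    K_v, transcript = vernam_three_pass(K, a, b)
    return {
        "modexp_transports_K": K_at_B == K,
        "vernam_transports_K": K_v == K,
        "vernam_leaks_K_to_observer": xor_of_transcript(transcript) == K,
    }


if __name__ == "__main__":
    print(demo())
```

Correctness of the exponentiation version rests on $a \cdot a^{-1} \equiv 1 \pmod{p-1}$ together with $K^{p-1} \equiv 1 \pmod p$ for $1 \le K \le p-1$, so message (3) is $K^b \bmod p$ regardless of the order in which the two parties exponentiated; the XOR version has the same commutativity but no one-wayness, which is the whole point of the remark.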


12.3.2  Kerberos  and  related  server-based  protocols 

The  key  transport  protocols  discussed  in  this  section  are  based  on  symmetric  encryption, 
and  involve  two  communicating  parties,  A and  B,  and  a trusted  server  with  which  they 
share  long-term  pairwise  secret  keys  a priori.  In  such  protocols,  the  server  either  plays  the 
role  of  a key  distribution  center  (KDC)  and  itself  supplies  the  session  key,  or  serves  as  a 
key translation center (KTC), and makes a key chosen by one party available to the other,
by  re-encrypting  (translating)  it  under  a key  shared  with  the  latter.  KDCs  and  KTCs  are 
discussed  further  in  §13.2.3. 
(i) Kerberos authentication protocol

Kerberos  is  the  name  given  to  all  of  the  following:  the  distributed  authentication  service 
originating  from  MIT’s  Project  Athena,  which  includes  specifications  for  data  integrity  and 
encryption;  the  software  which  implements  it,  and  the  processes  executing  such  software; 
and  the  specific  authentication  protocol  used  therein.  Focus  here,  and  use  of  the  term  “Ker- 
beros”, is  restricted  to  the  protocol  itself,  which  supports  both  entity  authentication  and  key 
establishment  using  symmetric  techniques  and  a third  party. 

The  basic  Kerberos  protocol  involves  A (the  client ),  B (the  server  and  verifier ),  and  a 
trusted  server  T (the  Kerberos  authentication  server).  At  the  outset  A and  B share  no  secret, 
while  T shares  a secret  with  each  (e.g.,  a user  password,  transformed  into  a cryptographic 
key  by  an  appropriate  function).  The  primary  objective  is  for  B to  verify  A’s  identity;  the 
establishment  of  a shared  key  is  a side  effect.  Options  include  a final  message  providing 
mutual  entity  authentication  and  establishment  of  an  additional  secret  shared  by  A and  B 
(a  subsession  key  not  chosen  by  T). 

The  protocol  proceeds  as  follows.  A requests  from  T appropriate  credentials  (data 
items)  to  allow  it  to  authenticate  itself  to  B.  T plays  the  role  of  a KDC,  returning  to  A 
a session key encrypted for A and a ticket encrypted for B. The ticket, which A forwards
on to B, contains the session key and A's identity; this allows authentication of A to B
when  accompanied  by  an  appropriate  message  (the  authenticator)  created  by  A containing 
a timestamp  recently  encrypted  under  that  session  key. 


12.24 Protocol Basic Kerberos authentication protocol (simplified)¹

SUMMARY: A interacts with trusted server T and party B.

RESULT: entity authentication of A to B (optionally mutual), with key establishment.

1. Notation. Optional items are denoted by an asterisk (*).
   E is a symmetric encryption algorithm (see Remark 12.19).
   N_A is a nonce chosen by A; T_A is a timestamp from A's local clock.
   k is the session key chosen by T, to be shared by A and B.
   L indicates a validity period (called the "lifetime").

2. One-time setup. A and T share a key K_AT; similarly, B and T share K_BT. Define
   ticket_B = E_{K_BT}(k, A, L); authenticator = E_k(A, T_A, A_subkey*).

3. Protocol messages.
   A → T : A, B, N_A                          (1)
   A ← T : ticket_B, E_{K_AT}(k, N_A, L, B)   (2)
   A → B : ticket_B, authenticator            (3)
   A ← B : E_k(T_A, B_subkey*)                (4)

4. Protocol actions. Algorithm E includes a built-in integrity mechanism, and protocol
   failure results if any decryption yields an integrity check failure.

   (a) A generates a nonce N_A and sends to T message (1).

   (b) T generates a new session key k, and defines a validity period (lifetime L) for
       the ticket, consisting of an ending time and optional starting time. T encrypts k,
       the received nonce, lifetime, and received identifier (B) using A's key. T also
       creates a ticket secured using B's key containing k, received identifier (A), and
       lifetime. T sends to A message (2).

   (c) A decrypts the non-ticket part of message (2) using K_AT to recover: k, N_A,
       lifetime L, and the identifier of the party for which the ticket was actually
       created. A verifies that this identifier and N_A match those sent in message (1),
       and saves L for reference. A takes its own identifier and fresh timestamp T_A,
       optionally generates a secret A_subkey, and encrypts these using k to form the
       authenticator. A sends to B message (3).

   (d) B receives message (3), decrypts the ticket using K_BT yielding k to allow
       decryption of the authenticator. B checks that:
       i.   the identifier fields (A) in the ticket and authenticator match;
       ii.  the timestamp T_A in the authenticator is valid (see §10.3.1); and
       iii. B's local time is within the lifetime L specified in the ticket.
       If all checks pass, B declares authentication of A successful, and saves A_subkey
       (if present) as required.

   (e) (Optionally for mutual entity authentication:) B constructs and sends to A
       message (4) containing A's timestamp from the authenticator (specifically
       excluding the identifier A, to distinguish it from the authenticator), encrypted
       using k. B optionally includes a subkey to allow negotiation of a subsession key.

   (f) (Optionally for mutual entity authentication:) A decrypts message (4). If the
       timestamp within matches that sent in message (3), A declares authentication
       of B successful and saves B_subkey (if present) as required.

¹ The basic Kerberos (version 5) protocol between client and authentication server is given, with messages
simplified (some non-cryptographic fields omitted) to allow focus on cryptographic aspects.


12.25  Note  (security  and  options  in  Kerberos  protocol) 

(i)  Since  timestamps  are  used,  the  hosts  on  which  this  protocol  runs  must  provide  both 
secure  and  synchronized  clocks  (see  §10.3.1). 

(ii)  If,  as  is  the  case  in  actual  implementations,  the  initial  shared  keys  are  password-deriv- 
ed, then  the  protocol  is  no  more  secure  than  the  secrecy  of  such  passwords  or  their 
resistance  to  password-guessing  attacks. 

(iii) Optional parameters A_subkey and B_subkey allow transfer of a key (other than k) from
A to B or vice-versa, or the computation of a combined key using some function
f(A_subkey, B_subkey).

(iv) The lifetime within the ticket is intended to allow A to re-use the ticket over a limited
time period for multiple authentications to B without additional interaction with T,
thus eliminating messages (1) and (2). For each such re-use, A creates a new authen-
ticator with a fresh timestamp and the same session key k; the optional subkey field
is of greater use in this case.
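The following is a worked run of Protocol 12.24 added here as an example; it is not code from the Handbook. All three parties run in one process, and the example assumes a constructed stand-in for E (HMAC-SHA256 encrypt-then-MAC with built-in integrity), JSON-encoded message fields, a 300-second clock-skew window plus a replay cache for check (ii), and a 3600-second lifetime; run_protocol() performs steps (a) to (f), and reuse_and_replay() exercises the ticket re-use of Note 12.25(iv).

```python
import hashlib, hmac, json, secrets

# Stand-in for the algorithm E of Protocol 12.24, constructed for this example:
# encrypt-then-MAC from HMAC-SHA256 (keystream = HMAC(key, nonce||counter), tag over
# nonce||ciphertext). A deployment would use a standard AEAD cipher instead. Fields
# travel as a JSON list; decrypt() raises on any integrity failure, which is the
# "protocol failure" of step 4. Keys are raw bytes; the session key k is carried as hex.
def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(key: bytes, fields) -> bytes:
    pt, nonce = json.dumps(fields).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

SKEW = 300   # seconds of clock skew B tolerates on T_A (cf. §10.3.1); constructed value

class AuthServer:                 # T, acting as a KDC
    def __init__(self, long_term_keys):          # {"A": K_AT, "B": K_BT}
        self.keys = long_term_keys
    def handle_msg1(self, a, b, n_a, now, lifetime=3600):
        k = secrets.token_hex(32)                     # fresh session key
        L = [now, now + lifetime]                     # lifetime: start and end time
        ticket_b = encrypt(self.keys[b], [k, a, L])   # ticket_B = E_KBT(k, A, L)
        return ticket_b, encrypt(self.keys[a], [k, n_a, L, b])   # message (2)

class Client:                     # A
    def __init__(self, name, k_at):
        self.name, self.k_at = name, k_at
    def msg1(self, b):
        self.b, self.n_a = b, secrets.token_hex(16)
        return self.name, b, self.n_a                 # message (1): A, B, N_A
    def handle_msg2(self, ticket_b, for_a, now, subkey=None):      # step (c)
        k, n_a, L, b = decrypt(self.k_at, for_a)
        if (b, n_a) != (self.b, self.n_a):
            raise ValueError("identifier or nonce does not match message (1)")
        self.k, self.t_a = bytes.fromhex(k), now
        return ticket_b, encrypt(self.k, [self.name, now, subkey])   # message (3)
    def handle_msg4(self, msg4):                                     # step (f)
        t_a, b_subkey = decrypt(self.k, msg4)
        if t_a != self.t_a:
            raise ValueError("timestamp in message (4) does not match message (3)")
        return b_subkey

class AppServer:                  # B, the verifier
    def __init__(self, name, k_bt):
        self.name, self.k_bt, self.seen = name, k_bt, set()
    def handle_msg3(self, ticket_b, authenticator, now, subkey=None):   # step (d)
        k, a_ticket, L = decrypt(self.k_bt, ticket_b)
        k = bytes.fromhex(k)
        a_auth, t_a, a_subkey = decrypt(k, authenticator)
        if a_ticket != a_auth:                                      # check i
            raise ValueError("identifier mismatch between ticket and authenticator")
        if abs(now - t_a) > SKEW or (a_auth, t_a) in self.seen:     # check ii
            raise ValueError("authenticator timestamp stale or already seen")
        if not L[0] <= now <= L[1]:                                 # check iii
            raise ValueError("B's local time is outside the ticket lifetime")
        self.seen.add((a_auth, t_a))
        return a_subkey, encrypt(k, [t_a, subkey])                  # message (4)

def run_protocol(now=1_000_000):
    """Full run with the optional mutual-authentication message (4).
    Returns (A_subkey as accepted by B, B_subkey as accepted by A)."""
    k_at, k_bt = secrets.token_bytes(32), secrets.token_bytes(32)   # one-time setup
    T, A, B = AuthServer({"A": k_at, "B": k_bt}), Client("A", k_at), AppServer("B", k_bt)
    ticket_b, for_a = T.handle_msg1(*A.msg1("B"), now=now)
    ticket_b, auth = A.handle_msg2(ticket_b, for_a, now=now + 1, subkey="from-A")
    a_subkey, msg4 = B.handle_msg3(ticket_b, auth, now=now + 2, subkey="from-B")
    return a_subkey, A.handle_msg4(msg4)

def reuse_and_replay(now=1_000_000):
    """Note 12.25(iv): A re-uses ticket_B with a fresh authenticator and no new (1)/(2);
    a verbatim replay of an earlier message (3) is refused. Returns (reuse_ok, replay_ok)."""
    k_at, k_bt = secrets.token_bytes(32), secrets.token_bytes(32)
    T, A, B = AuthServer({"A": k_at, "B": k_bt}), Client("A", k_at), AppServer("B", k_bt)
    ticket_b, for_a = T.handle_msg1(*A.msg1("B"), now=now)
    ticket_b, auth = A.handle_msg2(ticket_b, for_a, now=now + 1)
    B.handle_msg3(ticket_b, auth, now=now + 1)
    fresh = encrypt(A.k, [A.name, now + 60, None])    # new authenticator, same k and ticket
    reuse_ok = B.handle_msg3(ticket_b, fresh, now=now + 60)[1] is not None
    try:
        B.handle_msg3(ticket_b, auth, now=now + 61)   # the old authenticator again
        replay_ok = True
    except ValueError:
        replay_ok = False
    return reuse_ok, replay_ok
```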

(ii)  Needham-Schroeder  shared-key  protocol 

The  Needham-Schroeder  shared-key  protocol  is  important  primarily  for  historical  reasons. 
It  is  the  basis  for  many  of  the  server-based  authentication  and  key  distribution  protocols  pro- 
posed since  1978,  including  Kerberos  and  Otway-Rees.  It  is  an  example  of  a protocol  inde- 
pendent of  timestamps,  providing  both  entity  authentication  assurances  and  key  establish- 
ment with  key  confirmation.  However,  it  is  no  longer  recommended  (see  Remark  12.28). 
12.26 Protocol Needham-Schroeder shared-key protocol

SUMMARY: A interacts with trusted server T and party B.

RESULT: entity authentication (A with B); key establishment with key confirmation.

1. Notation. E is a symmetric encryption algorithm (see Remark 12.19).
   N_A and N_B are nonces chosen by A and B, respectively.
   k is a session key chosen by the trusted server T for A and B to share.

2. One-time setup. A and T share a symmetric key K_AT; B and T share K_BT.

3. Protocol messages.
   A → T : A, B, N_A                                  (1)
   A ← T : E_{K_AT}(N_A, B, k, E_{K_BT}(k, A))        (2)
   A → B : E_{K_BT}(k, A)                             (3)
   A ← B : E_k(N_B)                                   (4)
   A → B : E_k(N_B − 1)                               (5)

4.  Protocol  actions.  Aside  from  verification  of  nonces,  actions  are  essentially  analogous 
to  those  in  Kerberos  (Protocol  12.24),  and  are  not  detailed  here. 


12.27 Note (functionality and options in Needham-Schroeder shared-key protocol)

(i) The protocol provides A and B with a shared key k with key authentication (due to
the trusted server).

(ii) Messages (4) and (5) provide entity authentication of A to B; entity authentication
of B to A can be obtained provided A can carry out some redundancy check on N_B
upon decrypting message (4).

(iii) If it is acceptable for A to re-use a key k with B, A may securely cache the data sent in
message (3) along with k. Upon subsequent re-use, messages (1) and (2) may then be
omitted, but now to prevent replay of old messages (4), an encrypted nonce E_k(N_A′)
should be appended to message (3), and message (4) should be replaced by E_k(N_A′ −
1, N_B) allowing A to verify B's current knowledge of k (thereby providing entity
authentication).

12.28 Remark (Needham-Schroeder weakness vs. Kerberos) The essential differences between
Protocol  12.26  and  Kerberos  (Protocol  12.24)  are  as  follows:  the  Kerberos  lifetime  param- 
eter is  not  present;  the  data  of  message  (3),  which  corresponds  to  the  Kerberos  ticket,  is  un- 
necessarily double-encrypted  in  message  (2)  here;  and  authentication  here  employs  nonces 
rather  than  timestamps.  A weakness  of  the  Needham-Schroeder  protocol  is  that  since  B 
has  no  way  of  knowing  if  the  key  k is  fresh,  should  a session  key  k ever  be  compromised, 
any  party  knowing  it  may  both  resend  message  (3)  and  compute  a correct  message  (5)  to 
impersonate  A to  B.  This  situation  is  ameliorated  in  Kerberos  by  the  lifetime  parameter 
which  limits  exposure  to  a fixed  time  interval. 

(iii)  Otway-Rees  protocol 

The  Otway-Rees  protocol  is  a server-based  protocol  providing  authenticated  key  transport 
(with  key  authentication  and  key  freshness  assurances)  in  only  4 messages  - the  same  as 
Kerberos,  but  here  without  the  requirement  of  timestamps.  It  does  not,  however,  provide 
entity  authentication  or  key  confirmation. 
12.29 Protocol Otway-Rees protocol

SUMMARY: B interacts with trusted server T and party A.

RESULT: establishment of fresh shared secret K between A and B.

1. Notation. E is a symmetric encryption algorithm (see Remark 12.19). k is a session
key T generates for A and B to share. N_A and N_B are nonces chosen by A and B,
respectively, to allow verification of key freshness (thereby detecting replay). M is
a second nonce chosen by A which serves as a transaction identifier.

2. One-time setup. T shares symmetric keys K_AT and K_BT with A, B, respectively.

3. Protocol messages.
   A → B : M, A, B, E_{K_AT}(N_A, M, A, B)                                   (1)
   B → T : M, A, B, E_{K_AT}(N_A, M, A, B), E_{K_BT}(N_B, M, A, B)           (2)
   B ← T : E_{K_AT}(N_A, k), E_{K_BT}(N_B, k)                                (3)
   A ← B : E_{K_AT}(N_A, k)                                                 (4)

4.  Protocol  actions.  Perform  the  following  steps  each  time  a shared  key  is  required. 

(a)  A encrypts  data  for  the  server  containing  two  nonces,  Na  and  M,  and  the  iden- 
tities of  itself  and  the  party  B to  whom  it  wishes  the  server  to  distribute  a key. 
A sends  this  and  some  plaintext  to  B in  message  (1). 

(b)  B creates  its  own  nonce  Nb  and  an  analogous  encrypted  message  (with  the 
same  M),  and  sends  this  along  with  A’s  message  to  T in  message  (2). 

(c) T uses the cleartext identifiers in message (2) to retrieve K_AT and K_BT, then
verifies the cleartext (M, A, B) matches that recovered upon decrypting both
parts of message (2). (Verifying M in particular confirms the encrypted parts
are linked.) If so, T inserts a new key k and the respective nonces into distinct
messages encrypted for A and B, and sends both to B in message (3).

(d)  B decrypts  the  second  part  of  message  (3),  checks  Nb  matches  that  sent  in  mes- 
sage (2),  and  if  so  passes  the  first  part  on  to  A in  message  (4). 

(e)  A decrypts  message  (4)  and  checks  Na  matches  that  sent  in  message  (1). 


If  all  checks  pass,  each  of  A and  B are  assured  that  k is  fresh  (due  to  their  respective 
nonces),  and  trust  that  the  other  party  T shared  k with  is  the  party  bound  to  their  nonce  in 
message  (2).  A knows  that  B is  active  as  verification  of  message  (4)  implies  B sent  message 
(2)  recently;  B however  has  no  assurance  that  A is  active  until  subsequent  use  of  k by  A , 
since  B cannot  determine  if  message  (1)  is  fresh. 

12.30 Remark (nonces in Otway-Rees protocol) The use of two nonces generated by A is redun-
dant (N_A could be eliminated in messages (1) and (2), and replaced by M in (3) and (4)),
but nonetheless allows M to serve solely as an administrative transaction identifier, while
keeping the format of the encrypted messages of each party identical. (The latter is gener-
ally considered desirable from an implementation viewpoint, but dubious from a security
viewpoint.)

12.31 Remark (extension of Otway-Rees protocol) Protocol 12.29 may be extended to provide
both key confirmation and entity authentication in 5 messages. Message (4) could be aug-
mented to both demonstrate B's timely knowledge of k and transfer a nonce to A (e.g.,
appending E_k(N_A, N_B)), with a new fifth message (A → B : E_k(N_B)) providing B re-
ciprocal assurances.
12.4 Key agreement based on symmetric techniques

This  section  presents  ideas  related  to  key  agreement  based  on  symmetric  techniques.  It  also 
presents  a key  pre-distribution  system  which  is  in  some  ways  a symmetric-key  analogue  to 
Diffie-Hellman  key  agreement  with  fixed  exponentials  (Note  12.48). 

12.32 Definition A key distribution system (KDS) is a method whereby, during an initialization
stage, a trusted server generates and distributes secret data values (pieces) to users, such
that any pair of users may subsequently compute a shared key unknown to all others (aside
from the server).

For fixed pairwise keys, a KDS is a key pre-distribution scheme. A trivial KDS is as
follows: the trusted server chooses distinct keys for each pair among the n users, and by
some secure means initially distributes to each user its n − 1 keys appropriately labeled.
This provides unconditional security (perfect security in the information-theoretic sense);
an outside adversary can do no better than guess the key. However, due to the large amount
of storage required, alternate methods are sought, at the price of losing unconditional secu-
rity against arbitrarily large groups of colluding users.

12.33  Definition  A KDS  is  said  to  be  j-secure  if,  given  a specified  pair  of  users,  any  coalition  of 
j or  fewer  users  ( disjoint  from  the  two),  pooling  their  pieces,  can  do  no  better  at  computing 
the  key  shared  by  the  two  than  a party  which  guesses  the  key  without  any  pieces  whatsoever. 

A j-secure  KDS  is  thus  unconditionally  secure  against  coalitions  of  size  j or  smaller. 

12.34 Fact (Blom's KDS bound) In any j-secure KDS providing m-bit pairwise session keys,
the secret data stored by each user must be at least m · (j + 1) bits.

The trivial KDS described above is optimal with respect to the number of secret key
bits stored, assuming collusion by all parties other than the two directly involved. This cor-
responds to meeting the lower bound of Fact 12.34 for j = n − 2.

Blom’s  symmetric  key  pre-distribution  system 

Blom's scheme (Mechanism 12.35) is a KDS which can be used to meet the bound of
Fact 12.34 for values j < n − 2. It is non-interactive; each party requires only an index i,
1 ≤ i ≤ n, which uniquely identifies the party with which it is to form a joint key (the sch-
eme is identity-based in this regard). Each user is assigned a secret vector of initial keying
material (base key) from which it is then able to compute a pairwise secret (derived key)
with each other user.

As  outlined  in  Remark  12.37,  the  scheme  may  be  engineered  to  provide  unconditional 
security  against  coalitions  of  a specified  maximum  size.  The  initial  keying  material  as- 
signed to each user (a row of S, corresponding to k keys) allows computation of a larger
number of derived keys (a row of K, providing n keys), one per each other user. Storage
savings  results  from  choosing  k less  than  n.  The  derived  keys  of  different  user  pairs,  how- 
ever, are  not  statistically  independent. 
12.35 Mechanism Blom's symmetric key pre-distribution system

SUMMARY: each of n users is given initial secret keying material and public data.

RESULT: each pair of users U_i, U_j may compute an m-bit pairwise secret key K_{i,j}.

1. A k × n generator matrix G of an (n, k) MDS code over a finite field F_q of order q
is made known to all n system users (see Note 12.36).

2. A trusted party T creates a random secret k × k symmetric matrix D over F_q.

3. T gives to each user U_i the secret key S_i, defined as row i of the n × k matrix S =
(DG)^T. (S_i is a k-tuple over F_q of k · lg(q) bits, allowing U_i to compute any entry
in row i of (DG)^T G.)

4. Users U_i and U_j compute the common secret K_{i,j} = K_{j,i} of bitlength m = lg(q) as
follows. Using S_i and column j of G, U_i computes the (i, j) entry of the n × n sym-
metric matrix K = (DG)^T G. Using S_j and column i of G, U_j similarly computes
the (j, i) entry (which is equal to the (i, j) entry since K is symmetric).


12.36 Note (background on MDS codes) The motivation for Mechanism 12.35 arises from well-
known concepts in linear error-correcting codes, summarized here. Let G = [I_k A] be a
k × n matrix where each row is an n-tuple over F_q (for q a prime or prime power). I_k is the
k × k identity matrix. The set of n-tuples obtained by taking all linear combinations (over
F_q) of rows of G is the linear code C. Each of these q^k n-tuples is a codeword, and C =
{c : c = mG, m = (m_1 m_2 ... m_k), m_i ∈ F_q}. G is a generator matrix for the linear
(n, k) code C. The distance between two codewords c, c′ is the number of components
they differ in; the distance d of the code is the minimum such distance over all pairs of
distinct codewords. A code of distance d can correct e = ⌊(d − 1)/2⌋ component errors in
a codeword, and for linear codes d ≤ n − k + 1 (the Singleton bound). Codes meeting this
bound with equality (d = n − k + 1) have the largest possible distance for fixed n and k,
and are called maximum distance separable (MDS) codes.

12.37 Remark (choice of k in Blom's scheme) The condition d = n − k + 1 defining MDS codes
can be shown equivalent to the condition that every set of k columns of G is linearly inde-
pendent. From this, two facts follow about codewords of MDS codes: (i) any k components
uniquely define a codeword; and (ii) any j ≤ k − 1 components provide no information
about other components. For Mechanism 12.35, the choice of k is governed by the fact
that if k or more users conspire, they are able to recover the secret keys of all other users.
(k conspirators may compute k rows of K, or equivalently k columns, corresponding to k
components in each row. Each row is a codeword in the MDS code generated by G, and
corresponds to the key of another user, and by the above remark k components thus define
all remaining components of that row.) However, if fewer than k users conspire, they obtain
no information whatsoever about the keys of any other user (by similar reasoning). Thus
Blom's scheme is j-secure for j ≤ k − 1, and relative to Fact 12.34, is optimal with respect
to the amount of initial keying material required.


12.5  Key  transport  based  on  public-key  encryption 

Key  transport  based  on  public-key  encryption  involves  one  party  choosing  a symmetric  key, 
and  transferring  it  to  a second,  using  that  party’s  encryption  public  key.  This  provides  key 
authentication to the originator (only the intended recipient has the private key allowing de-
cryption), but  the  originator  itself  obtains  neither  entity  authentication  nor  key  confirmation. 
The  second  party  receives  no  source  authentication.  Such  additional  assurances  may  be  ob- 
tained through  use  of  further  techniques  including:  additional  messages  (§12.5.1);  digital 
signatures  (§12.5.2);  and  symmetric  encryption  in  addition  to  signatures  (§12.5.3). 

Authentication  assurances  can  be  provided  with  or  without  the  use  of  digital  signatures, 
as  follows: 

1.  entity  authentication  via  public-key  decryption  (§12.5.1).  The  intended  recipient  au- 
thenticates itself  by  returning  some  time-variant  value  which  it  alone  may  produce  or 
recover.  This  may  allow  authentication  of  both  the  entity  and  a transferred  key. 

2.  data  origin  authentication  via  digital  signatures  (§12.5.2).  Public-key  encryption  is 
combined  with  a digital  signature,  providing  key  transport  with  source  identity  assur- 
ances. 

The  distinction  between  entity  authentication  and  data  origin  authentication  is  that  the  for- 
mer provides  a timeliness  assurance,  whereas  the  latter  need  not.  Table  12.3  summarizes 
the  protocols  presented. 


Protocol                      | signatures required‡ | entity authentication | number of messages
------------------------------+----------------------+-----------------------+-------------------
basic PK encryption (1-pass)  | no                   | no                    | 1
Needham-Schroeder PK          | no                   | mutual                | 3
encrypting signed keys        | yes                  | data origin only†     | 1
separate signing, encrypting  | yes                  | data origin only†     | 1
signing encrypted keys        | yes                  | data origin only†     | 1
X.509 (2-pass) - timestamps   | yes                  | mutual                | 2
X.509 (3-pass) - random #'s   | yes                  | mutual                | 3
Beller-Yacobi (4-pass)        | yes                  | mutual                | 4
Beller-Yacobi (2-pass)        | yes                  | unilateral            | 2

Table 12.3: Selected key transport protocols based on public-key encryption.
† Unilateral entity authentication may be achieved if timestamps are included.
‡ Schemes using public keys transported by certificates require signatures for verification thereof,
but signatures are not required within protocol messages.


12.5.1  Key  transport  using  PK  encryption  without  signatures 

One-pass  key  transport  by  public-key  encryption 

One-pass  protocols  are  appropriate  for  one-way  communications  and  store-and-forward  ap- 
plications such  as  electronic  mail  and  fax.  Basic  key  transport  using  public-key  encryption 
can  be  achieved  in  a one-pass  protocol,  assuming  the  originator  A possesses  a priori  an 
authentic  copy  of  the  encryption  public  key  of  the  intended  recipient  B.  Using  B' s pub- 
lic encryption  key,  A encrypts  a randomly  generated  key  k,  and  sends  the  result  Pb  (k)  to 
B.  Public-key  encryption  schemes  Pb  of  practical  interest  here  include  RSA  encryption, 
Rabin  encryption,  and  ElGamal  encryption  (see  Chapter  8). 

The  originator  A obtains  no  entity  authentication  of  the  intended  recipient  B (and  in- 
deed, does  not  know  if  B even  receives  the  message),  but  is  assured  of  implicit  key  au- 
thentication - no  one  aside  from  B could  possibly  recover  the  key.  On  the  other  hand, 
B has  no  assurances  regarding  the  source  of  the  key,  which  remains  true  even  in  the  case 
A → B : P_B(k, A). A timeliness guarantee may be provided using timestamps, for ex-
ample, A → B : P_B(k, T_A). This is necessary if security against known-key attacks is
required, as this technique is otherwise vulnerable to message replay (cf. Remark 12.18).

Maintaining  the  restriction  of  using  public-key  encryption  alone  (i.e.,  without  signa- 
tures), assurances  in  addition  to  unilateral  key  authentication,  namely,  mutual  entity  au- 
thentication, and  mutual  key  authentication,  may  be  obtained  through  additional  messages 
as  illustrated  by  Protocol  12.38  below. 

Needham-Schroeder  public-key  protocol 

The  Needham-Schroeder  public-key  protocol  provides  mutual  entity  authentication  and 
mutual  key  transport  ( A and  B each  transfer  a symmetric  key  to  the  other).  The  trans- 
ported keys  may  serve  both  as  nonces  for  entity  authentication  and  secret  keys  for  further 
use.  Combination  of  the  resulting  shared  keys  allows  computation  of  a joint  key  to  which 
both  parties  contribute. 


12.38 Protocol Needham-Schroeder public-key protocol

SUMMARY: A and B exchange 3 messages.

RESULT: entity authentication, key authentication, and key transport (all mutual).

1. Notation. P_X(Y) denotes public-key encryption (e.g., RSA) of data Y using party
X's public key; P_X(Y_1 · Y_2) denotes the encryption of the concatenation of Y_1 and
Y_2. k_1, k_2 are secret symmetric session keys chosen by A, B, respectively.

2. One-time setup. Assume A, B possess each other's authentic public key. (If this is
not the case, but each party has a certificate carrying its own public key, then one
additional message is required for certificate transport.)

3. Protocol messages.
   A → B : P_B(k_1, A)       (1)
   A ← B : P_A(k_1, k_2)     (2)
   A → B : P_B(k_2)          (3)

4. Protocol actions.

(a) A sends B message (1).

(b) B recovers k_1 upon receiving message (1), and returns to A message (2).

(c) Upon decrypting message (2), A checks the key k_1 recovered agrees with that
sent in message (1). (Provided k_1 has never been previously used, this gives A
both entity authentication of B and assurance that B knows this key.) A sends
B message (3).

(d) Upon decrypting message (3), B checks the key k_2 recovered agrees with that
sent in message (2). The session key may be computed as f(k_1, k_2) using an
appropriate publicly known non-reversible function f.
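An added example of Protocol 12.38 run between two parties in one process; it is not the Handbook's code. It assumes a toy, unpadded RSA as the public-key encryption P_X (constructed from the standard library so the example runs offline; a deployment would use a padded scheme), JSON concatenation of the encrypted fields, and SHA-256 as the publicly known one-way function f of step (d); run_protocol() carries out steps (a) to (d), and rejects_wrong_k1() shows A's check in step (c) refusing a message (2) that does not return its k_1.

```python
import hashlib, json, random, secrets

# Toy, unpadded ("textbook") RSA standing in for P_X of Protocol 12.38, constructed so the
# example runs offline on the standard library only. The 640-bit modulus and absence of
# padding are for brevity and are not fit for deployment (a real P_X would use a padded
# scheme such as RSA-OAEP); the protocol logic around it is what the example shows.
def _probable_prime(bits, rng, rounds=16):
    """Random odd candidate of the given size, returned once it passes Miller-Rabin."""
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        d, s = n - 1, 0
        while d % 2 == 0:
            d, s = d // 2, s + 1
        for _ in range(rounds):
            x = pow(rng.randrange(2, n - 1), d, n)
            if x in (1, n - 1):
                continue
            for _ in range(s - 1):
                x = x * x % n
                if x == n - 1:
                    break
            else:
                break                 # witness found: composite, try another candidate
        else:
            return n

def keygen(rng, bits=320):
    e = 65537
    while True:
        p, q = _probable_prime(bits, rng), _probable_prime(bits, rng)
        if p != q and (p - 1) % e and (q - 1) % e:
            return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)   # (public, private)

def pk_encrypt(pub, fields):
    """P_X(Y_1, Y_2, ...): the concatenated (JSON-encoded) fields as an integer, then m^e mod n."""
    m = int.from_bytes(json.dumps(fields).encode(), "big")
    if m >= pub[1]:
        raise ValueError("fields exceed the modulus")
    return pow(m, pub[0], pub[1])

def pk_decrypt(priv, c):
    m = pow(c, priv[0], priv[1])
    return json.loads(m.to_bytes((m.bit_length() + 7) // 8, "big"))

class Party:
    def __init__(self, name, rng):
        self.name = name
        self.pub, self.priv = keygen(rng)
        self.peers = {}                      # one-time setup: authentic public keys of others
    def msg1(self, b):                       # A, step (a): message (1) = P_B(k_1, A)
        self.k1 = secrets.token_hex(16)
        return pk_encrypt(self.peers[b], [self.k1, self.name])
    def msg2(self, c1):                      # B, step (b): recover k_1, reply P_A(k_1, k_2)
        self.k1, a = pk_decrypt(self.priv, c1)
        self.k2 = secrets.token_hex(16)
        return pk_encrypt(self.peers[a], [self.k1, self.k2])
    def msg3(self, c2, b):                   # A, step (c): k_1 must match, then P_B(k_2)
        k1, k2 = pk_decrypt(self.priv, c2)
        if k1 != self.k1:
            raise ValueError("message (2) does not return A's k_1: B not authenticated")
        self.k2 = k2
        return pk_encrypt(self.peers[b], [k2])
    def verify3(self, c3):                   # B, step (d): k_2 must match
        (k2,) = pk_decrypt(self.priv, c3)
        if k2 != self.k2:
            raise ValueError("message (3) does not return B's k_2: A not authenticated")
    def session_key(self):
        """f(k_1, k_2): a publicly known one-way combination of both contributions."""
        return hashlib.sha256(f"{self.k1}|{self.k2}".encode()).hexdigest()

def run_protocol(seed=2024):
    """One complete run; returns True when A and B end with the same session key."""
    rng = random.Random(seed)
    A, B = Party("A", rng), Party("B", rng)
    A.peers["B"], B.peers["A"] = B.pub, A.pub
    c3 = A.msg3(B.msg2(A.msg1("B")), "B")
    B.verify3(c3)
    return A.session_key() == B.session_key()

def rejects_wrong_k1(seed=2024):
    """Step (c) in action: a message (2) that carries some other k_1 is refused by A."""
    rng = random.Random(seed)
    A, B = Party("A", rng), Party("B", rng)
    A.peers["B"], B.peers["A"] = B.pub, A.pub
    A.msg1("B")
    bogus = pk_encrypt(A.pub, ["not-k1", secrets.token_hex(16)])
    try:
        A.msg3(bogus, "B")
    except ValueError:
        return True
    return False
```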


12.39 Note (modification of Needham-Schroeder protocol) Protocol 12.38 may be modified to
eliminate encryption in the third message. Let r_1 and r_2 be random numbers generated
respectively by A and B. Then, with checks analogous to those in the basic protocol, the
messages in the modified protocol are:

   A → B : P_B(k_1, r_1)          (1′)
   A ← B : P_A(k_2, r_1, r_2)     (2′)
   A → B : r_2                    (3′)
12.5.2 Protocols combining PK encryption and signatures

While  privacy  of  keying  material  is  a requirement  in  key  transport  protocols,  source  au- 
thentication is  also  typically  needed.  Encryption  and  signature  primitives  may  respectively 
be  used  to  provide  these  properties.  Key  transport  protocols  involving  both  public-key  en- 
cryption and  signatures  include: 

1.  those  which  sign  the  key,  then  public-key  encrypt  the  signed  key; 

2.  those  which  sign  the  key,  and  separately  public-key  encrypt  the  (unsigned)  key; 

3.  those  which  public-key  encrypt  the  key,  then  sign  the  encrypted  key;  and 

4.  those  using  symmetric  encryption  in  addition  to  public-key  encryption  and  signa- 
tures. 

The first three types are discussed in this subsection (as noted in §12.5.2(ii), the second is
secure only in certain circumstances); the fourth is discussed in §12.5.3. The signature sch-
emes S_A of greatest practical interest are RSA, Rabin signatures, and ElGamal-family sig-
natures (see Chapter 11). The public-key encryption schemes P_B of greatest practical in-
terest are RSA, Rabin encryption, and ElGamal encryption (see Chapter 8).

Notation. For data input y, in what follows, S_A(y) and P_B(y) denote the data values
resulting, respectively, from the signature operation on y using A's signature private key,
and the encryption operation on y using B's encryption public key. As a default, it is as-
sumed that the signature scheme does not provide message recovery, i.e., the input y cannot
be recovered from the signature S_A(y), and y must be sent explicitly in addition to S_A(y)
to allow signature verification. (This is the case for DSA, or RSA following input hashing;
see Chapter 11. However, in the case of encrypting and signing separately, any secret data
y must remain confidential.) If y consists of multiple data values y = (y_1, ..., y_n), then
the input is taken to be the bitwise concatenation of these multiple values.

(i)  Encrypting  signed  keys 

One option for combining signatures and public-key encryption is to encrypt signed blocks:

   A → B : P_B(k, t_A*, S_A(B, k, t_A*))

The  asterisk  denotes  that  the  timestamp  tA  of  A is  optional;  inclusion  facilitates  entity  au- 
thentication of  A to  B and  provides  a freshness  property.  The  identifier  B within  the  scope 
of  the  signature  prevents  B from  sending  the  signed  key  on  to  another  party  and  imper- 
sonating A.  A disadvantage  of  this  method  over  the  “signing  encrypted  keys”  alternative 
(§  12.5.2(iii))  is  that  here  the  data  to  be  public-key  encrypted  is  larger,  implying  the  possible 
requirement  of  adjusting  the  block  size  of  the  public-key  encryption  scheme,  or  the  use  of 
techniques  such  as  cipher-block-chaining.  In  the  case  of  signature  schemes  with  message 
recovery  (e.g.,  ordinary  RSA),  the  above  can  be  simplified  to: 

   A → B : P_B(S_A(B, k, t_A*))

(ii)  Encrypting  and  signing  separately 

For  signature  schemes  without  message  recovery,  a variation  of  the  above  option  is  to  sign 
the  key  and  encrypt  the  key,  but  not  to  encrypt  the  signature  itself.  This  is  acceptable  only 
if  the  signature  scheme  is  such  that  no  information  regarding  plaintext  data  can  be  deduced 
from  the  signature  itself  on  that  data  (e.g.,  when  the  signature  operation  involves  prelimi- 
nary one-way  hashing).  This  is  critical  because,  in  general,  data  may  be  recovered  from  a 
signature  on  it  (e.g.,  RSA  without  hashing).  A summary  of  this  case  is  then  as  follows: 

   A → B : P_B(k, t_A*), S_A(B, k, t_A*)

If the key k is used solely to encrypt a data file y, then the signature S_A may be over y
instead  of  k.  This  is  suitable  in  store -and- forward  environments.  The  encrypted  file  may 
then  be  transferred  along  with  the  key  establishment  information,  in  which  case  y is  first 
recovered  by  using  k to  decrypt  the  file,  and  then  the  signature  on  y is  verified. 

(iii)  Signing  encrypted  keys 

In  contrast  to  encrypting  signed  keys,  one  may  sign  encrypted  keys: 

   A → B : t_A*, P_B(A, k), S_A(B, t_A*, P_B(A, k))

The  asterisk  denotes  that  the  timestamp  tA  of  A is  optional;  inclusion  facilitates  entity  au- 
thentication of  A to  B.  The  parameter  A within  the  scope  of  the  public-key  encryption 
prevents signature stripping - simply signing a publicly-encrypted key, e.g., S_A(P_B(k)) is
vulnerable to a third party C extracting the encrypted quantity P_B(k) and then oversign-
ing with its own key, thus defeating authentication (cf. Note 12.42). Furthermore, the en-
cryption mechanism must ensure that an adversary C without access to k, cannot change
P_B(A, k) to P_B(C, k); see Remark 12.19. It is desirable and assumed that the combined
length  of  the  parameters  A and  k not  exceed  the  blocklength  of  the  public-key  encryption 
scheme,  to  limit  computation  to  a single  block  encryption. 

Mutual  entity  authentication  using  timestamps.  The  message  format  given  above  can 
be  used  for  key  establishment  in  a one-pass  protocol,  although  this  provides  no  entity  au- 
thentication of  the  recipient  to  the  originator.  For  mutual  entity  authentication,  two  mes- 
sages of  this  form  may  be  used,  yielding  essentially  X.509  strong  two-way  authentication 
(Protocol  12.40). 

Mutual  entity  authentication  using  challenge-response.  The  2-pass  key  transport  pro- 
tocol discussed  in  the  previous  paragraph  requires  the  use  of  timestamps,  in  which  case  se- 
curity relies  on  the  assumption  of  secure,  synchronized  clocks.  This  requirement  can  be 
eliminated  by  using  a 3-pass  protocol  with  random  numbers  for  challenge-response  (essen- 
tially the  X.509  strong  three-way  authentication  protocol;  cf.  Protocol  12.43): 

$A \rightarrow B: r_A$

$A \leftarrow B: r_B,\ P_A(B, k_1),\ S_B(r_B, r_A, A, P_A(B, k_1))$

$A \rightarrow B: P_B(A, k_2),\ S_A(r_A, r_B, B, P_B(A, k_2))$

A and B may compute a joint key k as some function of $k_1$ and $k_2$; alternately, one of
$P_A(B, k_1)$ and $P_B(A, k_2)$ may be omitted from the second or third message. The identifiers
within the scope of the encryption blocks remain necessary as above; the identifiers
within the scope of (only) the signature are, however, redundant, both here and in the case
of signing encrypted keys above: it may be assumed they must match those corresponding
to the public-key encryption.

(iv)  X.509  strong  authentication  protocols 

This  subsection  considers  in  greater  detail  a fully-specified  protocol  involving  public-key 
transport  using  the  general  technique  of  §12.5.2(iii),  namely,  signing  encrypted  keys. 

The  X.509  recommendation  defines  both  “strong  two-way”  and  “strong  three-way”  au- 
thentication protocols,  providing  mutual  entity  authentication  with  optional  key  transport. 
Here  strong  distinguishes  these  from  simpler  password-based  methods,  and  two-  and  three- 
way  refers  to  protocols  with  two  and  three  passes  (message  exchanges),  using  timestamps 
and  challenge-response  based  on  random  numbers,  respectively. 

Both protocols were designed to provide the assurances listed below to the responder
B (and reciprocal assurances intended for the originator A); here token refers to cryptographically
protected data:

1. the identity of A, and that the token received by B was constructed by A (and not
thereafter altered);

2. that the token received by B was specifically intended for B;

3.  that  the  token  received  by  B has  “freshness”  ( has  not  been  used  previously,  and  orig- 
inated within  an  acceptably  recent  timeframe); 

4.  the  mutual  secrecy  of  the  transferred  key. 


12.40  Protocol  X.509  strong  two-way  authentication  (two-pass) 

SUMMARY:  A sends  B one  message,  and  B responds  with  one  message. 

RESULT:  mutual  entity  authentication  and  key  transport  with  key  authentication. 

1.  Notation. 

$P_X(y)$ denotes the result of applying X's encryption public key to data y.

$S_X(y)$ denotes the result of applying X's signature private key to y.
$r_A$, $r_B$ are never re-used numbers (to detect replay and impersonation).
$\mathrm{cert}_X$ is a certificate binding party X to a public key suitable for both encryption and
signature verification (see Remark 12.41).

2.  System  setup. 

(a)  Each  party  has  its  public  key  pair  for  signatures  and  encryption. 

(b)  A must  acquire  (and  authenticate)  the  encryption  public  key  of  B a priori.  (This 
may  require  additional  messages  and  computation.) 

3.  Protocol  messages.  (An  asterisk  denotes  items  are  optional.) 

Let $D_A = (t_A, r_A, B, \mathrm{data}_1^*, P_B(k_1)^*)$, $D_B = (t_B, r_B, A, r_A, \mathrm{data}_2^*, P_A(k_2)^*)$.

$A \rightarrow B: \mathrm{cert}_A,\ D_A,\ S_A(D_A)$ (1)

$A \leftarrow B: \mathrm{cert}_B,\ D_B,\ S_B(D_B)$ (2)

4.  Protocol  actions. 

(a) A obtains a timestamp $t_A$ indicating an expiry time, generates $r_A$, optionally
obtains a symmetric key $k_1$ and sends to B message (1). ($\mathrm{data}_1$ is optional data
for which data origin authentication is desired.)

(b) B verifies the authenticity of $\mathrm{cert}_A$ (checking the signature thereon, expiry date,
etc.), extracts A's signature public key, and verifies A's signature on the data
block $D_A$. B then checks that the identifier in message (1) specifies itself as
intended recipient, that the timestamp is valid, and checks that $r_A$ has not been
replayed. ($r_A$ includes a sequential component which B checks, against locally
maintained state information, for uniqueness within the validity period defined
by $t_A$.)

(c) If all checks succeed, B declares the authentication of A successful, decrypts
$k_1$ using its private decryption key, and saves this now-shared key. (This terminates
the protocol if only unilateral authentication is desired.) B then obtains
timestamp $t_B$, generates $r_B$, and sends A message (2). ($\mathrm{data}_2$ is optional data,
and $k_2$ is an optional symmetric key provided for A.)

(d) A carries out actions analogous to those carried out by B. If all checks succeed,
A declares the authentication of B successful, and saves key $k_2$ for subsequent
use. A and B share mutual secrets $k_1$ and $k_2$.


12.41 Remark (separate keys in X.509) The X.509 standard assumes a public-key scheme such
as RSA, whereby the same key pair may be used for both encryption and signature functionality.
The protocol, however, is easily adapted for separate signature and encryption keys,
and, indeed, it is prudent to use separate keys. See also Remark 13.32.

12.42 Note (criticism of X.509 protocol) Since Protocol 12.40 does not specify inclusion of an
identifier (e.g., A) within the scope of the encryption $P_B$ within $D_A$, one cannot guarantee
that the signing party actually knows (or was the source of) the plaintext key.


12.43  Protocol  X.509  strong  three-way  authentication  (three-pass) 

SUMMARY:  A and  B exchange  3 messages. 

RESULT:  as  in  Protocol  12.40,  without  requiring  timestamps. 

The  protocol  differs  from  Protocol  12.40  as  follows: 

1. Timestamps $t_A$ and $t_B$ may be set to zero, and need not be checked.

2. Upon receiving (2), A checks the received $r_A$ matches that in message (1).

3. A third message is sent from A to B:

$A \rightarrow B: (r_B, B),\ S_A(r_B, B)$ (3)

4. Upon receiving (3), B verifies the signature matches the received plaintext, that plaintext
identifier B is correct, and that plaintext $r_B$ received matches that in (2).


12.5.3  Hybrid  key  transport  protocols  using  PK  encryption 

In  contrast  to  the  preceding  key  transport  protocols,  the  Beller-Yacobi  protocol  uses  sym- 
metric encryption  in  addition  to  both  PK  encryption  and  digital  signatures.  Such  protocols 
using  both  asymmetric  and  symmetric  techniques  are  called  hybrid  protocols. 

Beller-Yacobi  protocol  (4-pass) 

The  key  transport  protocol  of  Beller  and  Yacobi,  which  provides  mutual  entity  authentica- 
tion and  explicit  key  authentication,  was  designed  specifically  for  applications  where  there 
is  an  imbalance  in  processing  power  between  two  parties;  the  goal  is  to  minimize  the  com- 
putational requirements  of  the  weaker  party.  (Candidate  applications  include  transactions 
involving  chipcards,  and  wireless  communications  involving  a low-power  telephone  hand- 
set.) Another  feature  of  the  protocol  is  that  the  identity  of  one  of  the  parties  (the  weaker, 
here  A)  remains  concealed  from  eavesdroppers. 

Essentially, A authenticates itself to B by signing a random challenge m, while B authenticates
itself to A by demonstrating knowledge of a key K only B itself could recover.
For simplicity of exposition, the protocol is described using RSA with public exponent 3,
although Rabin's scheme is more efficient and recommended in practice (but see Note 8.13
regarding chosen-ciphertext attack).

12.44 Protocol Beller-Yacobi key transport (4-pass)

SUMMARY:  A transfers  key  K to  B in  a 4-pass  protocol. 

RESULT:  mutual  entity  authentication  and  mutual  explicit  key  authentication. 

1.  Notation. 

$E_K(y)$ denotes symmetric encryption of y using key K and algorithm E.

$P_X(y)$ denotes the result of applying X's public-key function to y.

$S_X(y)$ denotes the result of applying X's private-key function to y.

$I_X$ denotes an identifying string for party X.

$h(y)$ denotes the hash of y, used in association with the signature scheme.

If $y = (y_1, \ldots, y_n)$, the input is the concatenation of these multiple values.

2.  System  setup. 

(a) Selection of system parameters. An appropriate prime $n_S$ and generator $\alpha$ for
the multiplicative group of integers modulo $n_S$ are fixed as ElGamal system
parameters. A trusted server T chooses appropriate primes p and q yielding
public modulus $n_T = pq$ for RSA signatures, then for public exponent $e_T = 3$
computes a private key $d_T$ satisfying: $e_T d_T \equiv 1 \pmod{(p-1)(q-1)}$.

(b) Distribution of system parameters. Each party (A and B) is given an authentic
copy of T's public key and the system parameters: $n_T$, $(n_S, \alpha)$. T assigns to
each party X a unique distinguished name or identifying string $I_X$ (e.g., X's
name and address).

(c) Initialization of terminal. Each party playing the role of A (terminal) selects
a random integer a, $1 \le a \le n_S - 2$, and computes its ElGamal signature
public key $u_A = \alpha^a \bmod n_S$. A keeps its corresponding private key a secret,
and transfers an authentic copy of $u_A$ to T, identifying itself to T by out-of-band
means (e.g., in person). T constructs and returns to A the public-key certificate:
$\mathrm{cert}_A = (I_A, u_A, G_A)$. (The certificate contains A's identity and
ElGamal signature public key, plus T's RSA signature $G_A$ over these:
$G_A = S_T(I_A, u_A) = (h(I_A, u_A))^{d_T} \bmod n_T$.)

(d) Initialization of server. Each party playing the role of B (server) creates an
encryption private key and corresponding public key based on RSA with public
exponent 3. B chooses a public-key modulus $n_B$ as the product
of two appropriate secret primes, and itself computes the corresponding RSA
private key $d_B$. B transfers $n_B$ to T, identifying itself to T by out-of-band
means. T then constructs and returns to B the public-key certificate:
$\mathrm{cert}_B = (I_B, n_B, G_B)$. (The certificate contains B's identity and RSA encryption
public key $n_B$, plus T's RSA signature over these:
$G_B = S_T(I_B, n_B) = (h(I_B, n_B))^{d_T} \bmod n_T$.)

3.  Protocol  messages. 


$A \leftarrow B: \mathrm{cert}_B = (I_B, n_B, G_B)$ (1)

$A \rightarrow B: P_B(K) = K^3 \bmod n_B$ (2)

$A \leftarrow B: E_K(m, \{0\}^t)$ (3)

$A \rightarrow B: E_K((v, w), \mathrm{cert}_A)$ (4)

4.  Protocol  actions.  The  following  steps  are  performed  each  time  a shared  key  is  re- 
quired. The  protocol  is  aborted  (with  result  of  failure)  if  any  check  fails. 

(a) Precomputation by terminal. A selects a random x, $1 \le x \le n_S - 2$, and
computes three values: $v = \alpha^x \bmod n_S$; $x^{-1} \bmod (n_S - 1)$; and
$a \cdot v \bmod (n_S - 1)$. (For the security of ElGamal signatures, x must be new for each
signature, and be co-prime to $n_S - 1$ to ensure $x^{-1}$ exists.)
(b) B sends to A message (1).

(c) A checks the authenticity of $n_B$ by confirming: $h(I_B, n_B) = G_B^3 \bmod n_T$.
A chooses a random key K, $1 \le K \le n_B - 1$, and sends B message (2), where
$Y = P_B(K)$.

(d) B recovers $K = S_B(Y) = Y^{d_B} \bmod n_B$. (The final two messages will be
encrypted using K.) B chooses a random integer m as a challenge, extends it
with t (say $t \approx 50$) least significant zeros, symmetrically encrypts this using
key K, and sends A message (3).

(e) A decrypts the received message, and checks it has t trailing zeros; if so, A accepts
that it originated from B and that B knows key K. A takes the decrypted
challenge m, concatenates it to the identity $I_B$ of the party whose public key
it used to share K in message (2), forming the concatenated quantity
$M = (m, I_B)$, then computes w satisfying: $w = (M - a \cdot v) \cdot x^{-1} \bmod (n_S - 1)$,
and sends B message (4). (Here (v, w) is A's ElGamal signature on M, and
$\mathrm{cert}_A = (I_A, u_A, G_A)$. The identity $I_B$ in M is essential to preclude an
intruder-in-the-middle attack; see §12.9.)

(f) B decrypts the received message, and verifies the authenticity of $u_A$ by checking
that: $h(I_A, u_A) = G_A^3 \bmod n_T$. Finally, B constructs the concatenated
quantity $M = (m, I_B)$ from the challenge m remembered from message (3)
and its own identity, then verifies A's signature on the challenge by checking
that: $\alpha^M = u_A^v \cdot v^w \bmod n_S$. If all checks succeed, B accepts the party A
associated with identity $I_A$ as the source of key K.
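The following is an added, runnable walk-through of Protocol 12.44 with both sides' checks; it is illustration code written for this page, not code from the Handbook or from Beller and Yacobi. Everything concrete in it is an assumption of the example: the primes (a 10-bit safe prime for the ElGamal modulus $n_S$, small textbook RSA moduli for $n_T$ and $n_B$), SHA-256 standing in for the hash h, a SHA-256 counter keystream standing in for the symmetric cipher $E_K$, the challenge padded with 6 zero bytes rather than about 50 zero bits, and M reduced through the hash rather than used as the raw concatenation $(m, I_B)$. None of the parameter sizes give real security.

```python
"""Toy end-to-end run of the Beller-Yacobi 4-pass key transport (Protocol 12.44).

Added illustration, not code from the Handbook. All parameters are example values
of toy size (they give no real security); the symmetric cipher E_K and the hash h
are stand-ins chosen here, not anything the book prescribes.
"""
import hashlib
import math
import secrets

# ElGamal system parameters: N_S is a safe prime (N_S - 1 = 2 * Q_S), so ALPHA is a
# generator of Z_{N_S}^* exactly when ALPHA^2 != 1 and ALPHA^Q_S != 1.
N_S, Q_S = 1019, 509
ALPHA = next(g for g in range(2, N_S) if pow(g, 2, N_S) != 1 and pow(g, Q_S, N_S) != 1)
E = 3  # public exponent for both RSA keys (T's signature key, B's encryption key)


def rsa_keypair(p, q):
    """Textbook RSA with e = 3: returns (n, d). gcd(3, (p-1)(q-1)) = 1 for the primes used."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


N_T, D_T = rsa_keypair(65537, 999983)  # trusted server T (certificate signatures)
N_B, D_B = rsa_keypair(65537, 104729)  # server B (key transport, P_B(K) = K^3 mod n_B)


def h(*parts, mod):
    """h(y_1, ..., y_n): SHA-256 of the concatenation, reduced below `mod`."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % mod


def E_K(K, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream (encrypt = decrypt)."""
    out = bytearray()
    for i, byte in enumerate(data):
        out.append(byte ^ hashlib.sha256(f"{K}:{i // 32}".encode()).digest()[i % 32])
    return bytes(out)


# Setup 2(c)/2(d): T certifies A's ElGamal key u_A and B's RSA modulus n_B.
I_A, I_B = "terminal-A", "server-B"
a = secrets.randbelow(N_S - 2) + 1            # A's ElGamal private key, 1 <= a <= n_S - 2
u_A = pow(ALPHA, a, N_S)                      # u_A = alpha^a mod n_S
cert_A = (I_A, u_A, pow(h(I_A, u_A, mod=N_T), D_T, N_T))  # G_A = h(I_A, u_A)^{d_T} mod n_T
cert_B = (I_B, N_B, pow(h(I_B, N_B, mod=N_T), D_T, N_T))  # G_B = h(I_B, n_B)^{d_T} mod n_T


def verify_cert(cert):
    """Check T's signature: h(I_X, key_X) == G_X^3 mod n_T."""
    ident, key, G = cert
    return h(ident, key, mod=N_T) == pow(G, E, N_T)


def elgamal_sign(M):
    """A's signature (v, w) on M: v = alpha^x, w = (M - a*v) * x^{-1} mod (n_S - 1)."""
    while True:
        x = secrets.randbelow(N_S - 2) + 1
        if math.gcd(x, N_S - 1) == 1:         # x^{-1} mod (n_S - 1) must exist
            break
    v = pow(ALPHA, x, N_S)
    w = (M - a * v) * pow(x, -1, N_S - 1) % (N_S - 1)
    return v, w


def elgamal_verify(u, M, v, w):
    """alpha^M == u^v * v^w mod n_S (step (f))."""
    return pow(ALPHA, M, N_S) == pow(u, v, N_S) * pow(v, w, N_S) % N_S


T_ZEROS = 6  # bytes of trailing zeros on the challenge (the text suggests t ~ 50 bits)


def run_protocol():
    """Messages (1)-(4) with both sides' checks; returns (B accepted A, K at A, K at B)."""
    # (1) B -> A: cert_B.  A verifies it before trusting n_B.
    if not verify_cert(cert_B):
        return False, None, None
    n_B = cert_B[1]
    # (2) A -> B: Y = K^3 mod n_B.  Unpadded RSA: a tiny K with K^3 < n_B would be
    # recoverable by an integer cube root, so reject that corner (cf. Note 8.13).
    while True:
        K = secrets.randbelow(n_B - 1) + 1
        if K ** 3 >= n_B:
            break
    Y = pow(K, E, n_B)
    # B recovers K = Y^{d_B} mod n_B, then (3) B -> A: E_K(m, {0}^t).
    K_B = pow(Y, D_B, N_B)
    m = secrets.randbelow(2 ** 32)
    msg3 = E_K(K_B, m.to_bytes(4, "big") + bytes(T_ZEROS))
    # A decrypts (3); the trailing zeros show B knows K.
    plain = E_K(K, msg3)
    if plain[4:] != bytes(T_ZEROS):
        return False, K, K_B
    m_A = int.from_bytes(plain[:4], "big")
    # (4) A -> B: E_K((v, w), cert_A), with (v, w) = S_A(M), M = h(m, I_B) here.
    v, w = elgamal_sign(h(m_A, I_B, mod=N_S - 1))
    msg4 = E_K(K, f"{v},{w},{cert_A[0]},{cert_A[1]},{cert_A[2]}".encode())
    # B decrypts, verifies cert_A under T's key, then A's signature on (m, I_B).
    f = E_K(K_B, msg4).decode().split(",")
    cert_recv = (f[2], int(f[3]), int(f[4]))
    ok = verify_cert(cert_recv) and elgamal_verify(
        cert_recv[1], h(m, I_B, mod=N_S - 1), int(f[0]), int(f[1]))
    return ok, K, K_B


if __name__ == "__main__":
    accepted, K, K_B = run_protocol()
    print("B accepted A:", accepted, "| keys agree:", K == K_B)
```

The cost profile the protocol is designed for is visible in the code: A's only asymmetric work is one cube modulo $n_B$, one cube modulo $n_T$ to check $G_B$, and the ElGamal signature, whose online part is a single multiplication once x, $x^{-1}$ and $a \cdot v$ are precomputed; B performs the RSA decryption with $d_B$. The cube-root guard on K is not in the Handbook's description and exists only because raw RSA with exponent 3 is used without padding.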


12.45  Note  (on  Beller-Yacobi  key  transport  protocol ) 

(i)  To  achieve  mutual  authentication  here  requires  that  each  party  carry  out  at  least  one 
private-key  operation  ( showing  knowledge  of  its  private  key),  and  one  or  two  public- 
key  operations  (related  to  verifying  the  other’s  identity,  and  its  public  key  if  not 
known  a priori). 

(ii)  The  novelty  here  is  careful  selection  of  two  separate  public-key  schemes,  each  re- 
quiring only  an  inexpensive  computation  by  the  computationally  limited  party,  in 
this  case  A.  Choosing  RSA  with  exponent  3 or  Rabin  with  exponent  2 results  in 
an  inexpensive  public-key  operation  (2  or  1 modular  multiplications,  respectively), 
for  encryption  and  signature  verification.  Choosing  ElGamal-family  signatures,  the 
private-key  operation  is  inexpensive  (a  single  modular  multiplication,  assuming  pre- 
computation). 

(iii) DSA signatures (Chapter 11) or others with similar properties could be used in place
of ElGamal signatures.

12.46  Remark  (signature  scheme  used  to  certify  public  keys ) Protocol  12.44  requires  an  ElGa- 
mal public  key  be  certified  using  an  RSA  signature.  This  is  done  for  reasons  of  efficiency, 
and  highlights  an  advantage  of  allowing  signature  public  keys  from  one  system  to  be  certi- 
fied using  signatures  of  a different  type. 

Beller-Yacobi  protocol  (2-pass) 

Protocol  12.44  can  be  modified  to  yield  a 2-pass  protocol  as  illustrated  in  Figure  12.2.  The 
modified  protocol  is  obtained  by  essentially  combining  the  pair  of  messages  each  party 
sends  into  a single  message,  as  now  described  using  notation  as  in  Protocol  12.44. 

B generates a random challenge m and sends to A: m, $\mathrm{cert}_B$. A computes its ElGamal
signature (v, w) on the concatenation $M = (m, I_B)$, and using part v of the signature as the
session key $K = v$,² sends to B: $P_B(v)$, $E_v(\mathrm{cert}_A, w)$. B recovers v (= K) via public-key
decryption, uses it to recover $\mathrm{cert}_A$ and w, then verifies $\mathrm{cert}_A$ and A's signature (v, w)
on $M = (m, I_B)$.

The 2-pass protocol has slightly weaker authentication assurances: B obtains entity
authentication of A and obtains a key K that A alone knows, while A has key authentication
with respect to B. For A to obtain explicit key authentication of B (implying entity authentication
also), a third message may be added whereby B exhibits knowledge through use of
K on a challenge or standard message (e.g., $\{0\}^t$). All three of A's asymmetric operations
remain inexpensive.


Figure 12.2: Summary of Beller-Yacobi protocol (2-pass).

  server B:   select random challenge m; send m, $\mathrm{cert}_B = (I_B, n_B, G_B)$
  terminal A: precompute x, $v = \alpha^x \bmod n_S$; verify $\mathrm{cert}_B$ via $P_T(G_B)$;
              compute $(v, w) = S_A(m, I_B)$; send $P_B(v)$, $E_v(\mathrm{cert}_A, w)$,
              where $\mathrm{cert}_A = (I_A, u_A, G_A)$
  server B:   recover v, set K = v; verify $\mathrm{cert}_A$ and signature (v, w)


In Figure 12.2, an alternative to using K = v as the session key is to set K = w. This
results in the property that both parties influence the value of K (as w is a function of both
m and x).


12.6  Key  agreement  based  on  asymmetric 
techniques 

Diffie-Hellman  key  agreement  (also  called  exponential  key  exchange ) is  a fundamental 
technique  providing  unauthenticated  key  agreement.  This  section  discusses  key  establish- 
ment protocols  based  on  exponential  key  agreement,  as  well  as  the  concept  of  implicitly- 
certified  public  keys  and  their  use  in  Diffie-Hellman  protocols. 


12.6.1  Diffie-Hellman  and  related  key  agreement  protocols 

This  section  considers  the  basic  Diffie-Hellman  protocol  and  related  protocols  providing 
various  authentication  assurances  (see  Table  12.4). 

(i)  Diffie-Hellman  key  agreement 

Diffie-Hellman  key  agreement  provided  the  first  practical  solution  to  the  key  distribution 
problem,  allowing  two  parties,  never  having  met  in  advance  or  shared  keying  material,  to 
establish  a shared  secret  by  exchanging  messages  over  an  open  channel.  The  security  rests 
on  the  intractability  of  the  Diffie-Hellman  problem  and  the  related  problem  of  computing 
discrete  logarithms  (§3.6).  The  basic  version  (Protocol  12.47)  provides  protection  in  the 
form  of  secrecy  of  the  resulting  key  from  passive  adversaries  (eavesdroppers),  but  not  from 

² A side effect of using K = v is that A no longer directly controls the key value, transforming the key transport
protocol into a key agreement. Alternately, a random x could be chosen by A and used as key K = x, and x could
be sent encrypted alongside w.


Handbook  of  Applied  Cryptography  by  A.  Menezes,  P.  van  Oorschot  and  S.  Vanstone. 




Ch.  12  Key  Establishment  Protocols 


  Protocol                    | key authentication | entity authentication | number of messages
  ----------------------------+--------------------+-----------------------+-------------------
  Diffie-Hellman              | none               | none                  | 2
  ElGamal key agreement       | unilateral         | none                  | 1
  MTI/A0                      | mutual - implicit  | none                  | 2
  Günther (see Remark 12.63)  | mutual - implicit  | none                  | 2
  STS                         | mutual - explicit  | mutual                | 3

Table 12.4: Selected key agreement protocols.


active  adversaries  capable  of  intercepting,  modifying,  or  injecting  messages.  Neither  party 
has  assurances  of  the  source  identity  of  the  incoming  message  or  the  identity  of  the  party 
which  may  know  the  resulting  key,  i.e.,  entity  authentication  or  key  authentication. 


12.47  Protocol  Diffie-Hellman  key  agreement  (basic  version) 

SUMMARY:  A and  B each  send  the  other  one  message  over  an  open  channel. 

RESULT:  shared  secret  K known  to  both  parties  A and  B. 

1. One-time setup. An appropriate prime p and generator $\alpha$ of $\mathbb{Z}_p^*$ ($2 \le \alpha \le p-2$) are
selected and published.

2.  Protocol  messages. 

$A \rightarrow B: \alpha^x \bmod p$ (1)

$A \leftarrow B: \alpha^y \bmod p$ (2)

3. Protocol actions. Perform the following steps each time a shared key is required.

(a) A chooses a random secret x, $1 \le x \le p-2$, and sends B message (1).

(b) B chooses a random secret y, $1 \le y \le p-2$, and sends A message (2).

(c) B receives $\alpha^x$ and computes the shared key as $K = (\alpha^x)^y \bmod p$.

(d) A receives $\alpha^y$ and computes the shared key as $K = (\alpha^y)^x \bmod p$.


12.48 Note (Diffie-Hellman with fixed exponentials) A variation of Protocol 12.47 provides mutual
key authentication. Fix $\alpha^x$ and $\alpha^y \bmod p$ as long-term public keys of the respective
parties, and distribute these using signed certificates, thus fixing the long-term shared key
for this user pair to $K = \alpha^{xy}$. If such certificates are available a priori, this becomes a zero-pass
key agreement (no cryptographic messages need be exchanged). The time-invariant
nature of this key K, however, is a drawback; Protocol 12.53 provides one resolution. A
second solution involves use of key update techniques as in §12.3.1(ii).

12.49 Remark (Diffie-Hellman in other groups) The Diffie-Hellman protocol, and those based
on it, can be carried out in any group in which both the discrete logarithm problem is hard
and exponentiation is efficient. The most common examples of such groups used in practice
are the multiplicative group $\mathbb{Z}_p^*$ of $\mathbb{Z}_p$, the analogous multiplicative group of $\mathbb{F}_{2^m}$, and the
group of points defined by an elliptic curve over a finite field.

12.50 Note (control over Diffie-Hellman key) While it may appear as though Diffie-Hellman key
agreement allows each party to guarantee key freshness and preclude key control, use of an
exponential with small multiplicative order restricts the order (and thereby value) of the
overall key. The most degenerate case for $\mathbb{Z}_p$ would be selection of 0 as private exponent,
yielding an exponential with order 1 and the multiplicative identity itself as the resulting
key. Thus, either participant may force the resulting key into a subset of the original (naively
assumed) range set. Relatedly, some variants of Diffie-Hellman involving unauthenticated
exponentials are vulnerable to the following active attack. Assume $\alpha$ generates $\mathbb{Z}_p^*$ where
$p = Rq + 1$ (consider R = 2 and q prime). Then $\beta = \alpha^q = \alpha^{(p-1)/R}$ has order R
($\beta = -1$ for R = 2). If A and B exchange unauthenticated short-term exponentials $\alpha^x$
and $\alpha^y$, an adversary may replace these by $(\alpha^x)^q$ and $(\alpha^y)^q$, forcing the shared key to be
$K = \alpha^{xyq} = \beta^{xy}$, which takes one of only R values (+1 or -1 for R = 2). K may thus
be found by exhaustive trial of R values. A more direct attack involves simply replacing
the exchanged exponentials by +1 or $p - 1 = -1$. This general class of attacks may be
prevented by authenticating the exchanged exponentials, e.g., by a digital signature.
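The following is an added Python example, not code from the Handbook, that runs Protocol 12.47 honestly, then replays the exponent-raising attack of Note 12.50 with R = 2, and finally shows the receiver-side check a practitioner adds on every incoming exponential (range check plus $m^q \equiv 1$, i.e. membership in the prime-order subgroup). The prime p = 1019 = 2·509 + 1 and the exponents are example values with no real security. The guarded variant has honest parties work with $\alpha^2$ (order q) rather than the full-group generator $\alpha$, which is the usual deployment choice; the example goes beyond the text in that the check also rejects the "+1 or p − 1" substitution the Note mentions.

```python
"""Diffie-Hellman (Protocol 12.47), the exponential-replacement attack of Note 12.50,
and the receiver-side check on incoming public values that defeats it.

Added example, not code from the Handbook; P is a toy safe prime chosen here and
gives no real security.
"""
import secrets

P, R, Q = 1019, 2, 509                 # P = R*Q + 1 with Q prime (example values)
ALPHA = next(g for g in range(2, P) if pow(g, 2, P) != 1 and pow(g, Q, P) != 1)  # generates Z_P^*
GEN = pow(ALPHA, R, P)                 # alpha^R has prime order Q: the subgroup honest parties use


def dh_exchange(base, x, y):
    """Honest run of Protocol 12.47: A sends base^x, B sends base^y; returns (K at A, K at B)."""
    m1, m2 = pow(base, x, P), pow(base, y, P)           # messages (1) and (2)
    return pow(m2, x, P), pow(m1, y, P)


def attacked_exchange(base, x, y):
    """Active adversary raises both unauthenticated exponentials to the power Q before
    delivery, so the agreed key is beta^(xy) with beta = base^Q of order at most R."""
    m1, m2 = pow(base, x, P), pow(base, y, P)
    m1, m2 = pow(m1, Q, P), pow(m2, Q, P)               # what A and B actually receive
    return pow(m2, x, P), pow(m1, y, P)


def forced_key_candidates():
    """Without knowing x or y, the adversary enumerates the R possible keys."""
    beta = pow(ALPHA, Q, P)                             # beta = -1 mod P for R = 2
    return sorted({pow(beta, i, P) for i in range(R)})


def valid_public_value(m):
    """Check applied to every received exponential: 1 < m < P-1 and m^Q == 1, i.e. m has
    order exactly Q. This rejects 1, P-1 and any value pushed into the order-R subgroup.
    It does not replace authentication: an adversary can still substitute a well-formed
    value of its own, which only a signature on the exponential prevents."""
    return 1 < m < P - 1 and pow(m, Q, P) == 1


def guarded_exchange(x, y, attack):
    """DH in the order-Q subgroup with validation; returns None if a side rejects."""
    m1, m2 = pow(GEN, x, P), pow(GEN, y, P)
    if attack:
        m1, m2 = pow(m1, Q, P), pow(m2, Q, P)
    if not (valid_public_value(m1) and valid_public_value(m2)):
        return None
    return pow(m2, x, P), pow(m1, y, P)


if __name__ == "__main__":
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    print("honest:", dh_exchange(ALPHA, x, y))
    print("forced:", attacked_exchange(ALPHA, x, y), "in", forced_key_candidates())
    print("guarded, under attack:", guarded_exchange(x, y, attack=True))
```

The subgroup check costs one extra exponentiation per received value and is independent of authentication: it stops an adversary from steering the key into a small set, while the signature the text calls for stops the adversary from substituting a value of its own choosing.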

(ii) ElGamal key agreement in one-pass

ElGamal key agreement is a Diffie-Hellman variant providing a one-pass protocol with unilateral
key authentication (of the intended recipient to the originator), provided the public
key of the recipient is known to the originator a priori. While related to ElGamal encryption
(§8.4), the protocol is more simply Diffie-Hellman key agreement wherein the public
exponential of the recipient is fixed and has verifiable authenticity (e.g., is embedded in a
certificate).


12.51  Protocol  ElGamal  key  agreement  (half-certified  Diffie-Hellman) 

SUMMARY:  A sends  to  B a single  message  allowing  one-pass  key  agreement. 
RESULT:  shared  secret  K known  to  both  parties  A and  B. 

1. One-time setup (key generation and publication). Each user B does the following:
Pick an appropriate prime p and generator $\alpha$ of $\mathbb{Z}_p^*$.

Select a random integer b, $1 \le b \le p-2$, and compute $\alpha^b \bmod p$.

B publishes its public key $(p, \alpha, \alpha^b)$, keeping private key b secret.

2. Protocol messages.

$A \rightarrow B: \alpha^x \bmod p$ (1)

3. Protocol actions. Perform the following steps each time a shared key is required.

(a) A obtains an authentic copy of B's public key $(p, \alpha, \alpha^b)$.

A chooses a random integer x, $1 \le x \le p-2$, and sends B message (1).

A computes the key as $K = (\alpha^b)^x \bmod p$.

(b) B computes the same key on receipt of message (1) as $K = (\alpha^x)^b \bmod p$.


12.52 Remark (assurances in one-pass ElGamal) The recipient in Protocol 12.51 has no corroboration
of whom it shares the secret key with, nor any key freshness assurances. Neither
party obtains entity authentication or key confirmation.

(iii) MTI two-pass key agreement protocols

The MTI/A0 variant (Protocol 12.53) of Diffie-Hellman key agreement yields, in two messages
(neither requiring signatures), time-variant session keys with mutual (implicit) key
authentication against passive attacks. As in ElGamal key agreement (Protocol 12.51), A
sends to B a single message, resulting in the shared key K. B independently initiates an
analogous protocol with A, resulting in the shared key K'. Each of A and B then computes
$k = KK' \bmod p$ (p and $\alpha$ are global parameters now). Neither entity authentication nor
key confirmation is provided. Although appropriate for applications where only passive
attacks are possible, this protocol is vulnerable to certain active attacks (see Note 12.54).

12.53 Protocol MTI/A0 key agreement

SUMMARY:  two-pass  Diffie-Hellman  key  agreement  secure  against  passive  attacks. 

RESULT:  shared  secret  K known  to  both  parties  A and  B. 

1. One-time setup. Select and publish (in a manner guaranteeing authenticity) an appropriate
system prime p and generator $\alpha$ of $\mathbb{Z}_p^*$, $2 \le \alpha \le p-2$. A selects as a
long-term private key a random integer a, $1 \le a \le p-2$, and computes a long-term
public key $z_A = \alpha^a \bmod p$. (B has analogous keys b, $z_B$.) A and B have access to
authenticated copies of each other's long-term public key.

2. Protocol messages.

$A \rightarrow B: \alpha^x \bmod p$ (1)

$A \leftarrow B: \alpha^y \bmod p$ (2)

3. Protocol actions. Perform the following steps each time a shared key is required.

(a) A chooses a random secret x, $1 \le x \le p-2$, and sends B message (1).

(b) B chooses a random secret y, $1 \le y \le p-2$, and sends A message (2).

(c) A computes the key $k = (\alpha^y)^a z_B^x \bmod p$.

(d) B computes the key $k = (\alpha^x)^b z_A^y \bmod p$. (Both parties now share the key
$k = \alpha^{bx+ay} \bmod p$.)


Table 12.5 summarizes Protocol 12.53 and three related two-pass protocols. All four of
these MTI protocols provide mutual key authentication without key confirmation or entity
authentication, and are role-symmetric: each party executes directly analogous operations.
The protocols are also message-independent per Definition 12.12 (neither party requires
receipt of the other's message before sending its own), although three of the four require a
priori access to the other party's authentic public key. The remaining protocol, MTI/A0,
does not, and requires no additional passes (or communications delays) if this is not true;
public keys may be exchanged e.g., via certificates included with the existing protocol messages.
Thus in MTI/A0, the content of both messages sent is also independent (e.g., of the
identity and public key) of the intended recipient.


  Protocol | $m_{AB}$      | $m_{BA}$      | $K_A$                      | $K_B$                      | key K
  ---------+---------------+---------------+----------------------------+----------------------------+-------------------
  MTI/A0   | $\alpha^x$    | $\alpha^y$    | $m_{BA}^{a} z_B^{x}$       | $m_{AB}^{b} z_A^{y}$       | $\alpha^{bx+ay}$
  MTI/B0   | $z_B^x$       | $z_A^y$       | $m_{BA}^{a^{-1}} \alpha^x$ | $m_{AB}^{b^{-1}} \alpha^y$ | $\alpha^{x+y}$
  MTI/C0   | $z_B^x$       | $z_A^y$       | $m_{BA}^{a^{-1} x}$        | $m_{AB}^{b^{-1} y}$        | $\alpha^{xy}$
  MTI/C1   | $z_B^{xa}$    | $z_A^{yb}$    | $m_{BA}^{x}$               | $m_{AB}^{y}$               | $\alpha^{abxy}$

Table 12.5: Selected MTI key agreement protocols. A and B have long-term secrets a and b, respectively,
verifiably authentic corresponding long-term public keys $z_A = \alpha^a$, $z_B = \alpha^b \bmod p$, and
random per-session secrets x and y, respectively. $m_{AB}$ denotes the message A sends to B; $m_{BA}$ is
analogous. $K_A$ and $K_B$ are the final key K as computed by A and B.


12.54 Note (source-substitution attack on MTI/A0) As a general rule in all public-key protocols
(including Table 12.5), prior to accepting the authenticated public key of a party A,
a party B should have assurance (either direct or through a trusted third party) that A actually
knows the corresponding private key. Otherwise, an adversary C may claim A's public
key as its own, allowing possible attacks, such as that on MTI/A0 as follows. Assume that
in a particular implementation, A sends to B its certified public key in a certificate appended
to message (1). C registers A's public key as its own (legitimately proving its own identity
to the certificate-creating party). When A sends B message (1), C replaces A's certificate
with its own, effectively changing the source indication (but leaving the exponential $\alpha^x$ sent
by A to B unchanged). C forwards B's response $\alpha^y$ to A. B concludes that subsequently
received messages encrypted by the key $k = \alpha^{bx+ay}$ originated from C, whereas, in fact,
it is only A who knows k and can originate such messages.

A more complicated attack achieves the same, with C's public key differing from A's
public key $z_A$. C selects an integer e, computes $(z_A)^e = \alpha^{ae}$, and registers the public key
$\alpha^{ae}$. C then modifies $\alpha^y$ sent by B in message (2) to $(\alpha^y)^e$. A and B each compute the
key $k = \alpha^{aey} \alpha^{xb}$, which A believes is shared with B (and is), while B believes it is shared
with C.

In both variations, C is not actually able to compute k itself, but rather causes B to have
false beliefs. Such attacks may be prevented by modifying the protocol such that the exponentials
are authenticated (cf. Note 12.50), and binding key confirmation evidence to an authenticated
source indication, e.g., through a digital signature (cf. Remark 12.58). The MTI
protocols are, however, also subject to certain theoretical known-key attacks (see p.538).
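The following added Python example (not code from the Handbook) implements all four rows of Table 12.5 so that each can be checked against its closed-form key, and then replays the second source-substitution attack of Note 12.54 against MTI/A0 to show that A and B do agree on $\alpha^{aey+bx}$ even though B attributes it to C. The prime p = 1019, the generator search, and the secrets a, b, x, y, e used in the usage run are example values; the B0 and C0 rows require a and b to be invertible modulo p − 1, which the chosen values are.

```python
"""The four MTI two-pass protocols of Table 12.5, plus the second source-substitution
attack of Note 12.54. Added example, not code from the Handbook; p is a toy prime."""

P, Q = 1019, 509                       # p = 2q + 1 (example values, no real security)
ALPHA = next(g for g in range(2, P) if pow(g, 2, P) != 1 and pow(g, Q, P) != 1)
ORD = P - 1                            # exponents (and a^{-1}, b^{-1}) live modulo the group order


def mti(variant, a, b, x, y):
    """One run of MTI/A0, B0, C0 or C1 per Table 12.5.
    a, b: long-term secrets; x, y: per-session secrets.
    Returns (m_AB, m_BA, K_A, K_B); K_A == K_B for an honest run."""
    zA, zB = pow(ALPHA, a, P), pow(ALPHA, b, P)     # authentic long-term public keys
    if variant == "A0":
        mAB, mBA = pow(ALPHA, x, P), pow(ALPHA, y, P)
        KA = pow(mBA, a, P) * pow(zB, x, P) % P
        KB = pow(mAB, b, P) * pow(zA, y, P) % P
    elif variant == "B0":                            # needs a^{-1}, b^{-1} mod (p-1)
        mAB, mBA = pow(zB, x, P), pow(zA, y, P)
        KA = pow(mBA, pow(a, -1, ORD), P) * pow(ALPHA, x, P) % P
        KB = pow(mAB, pow(b, -1, ORD), P) * pow(ALPHA, y, P) % P
    elif variant == "C0":
        mAB, mBA = pow(zB, x, P), pow(zA, y, P)
        KA = pow(mBA, pow(a, -1, ORD) * x % ORD, P)
        KB = pow(mAB, pow(b, -1, ORD) * y % ORD, P)
    elif variant == "C1":                            # no inverses needed
        mAB, mBA = pow(zB, x * a % ORD, P), pow(zA, y * b % ORD, P)
        KA, KB = pow(mBA, x, P), pow(mAB, y, P)
    else:
        raise ValueError(f"unknown MTI variant {variant!r}")
    return mAB, mBA, KA, KB


def expected_key(variant, a, b, x, y):
    """Closed form of K from the last column of Table 12.5."""
    exp = {"A0": b * x + a * y, "B0": x + y, "C0": x * y, "C1": a * b * x * y}[variant]
    return pow(ALPHA, exp, P)


def substitution_attack(a, b, x, y, e):
    """Note 12.54, second variant, against MTI/A0. C registers z_C = z_A^e = alpha^{ae}
    as its own public key (without knowing a), then raises B's message alpha^y to the
    power e before it reaches A. Returns (K as computed by A, K as computed by B):
    both equal alpha^{aey + bx}, but B believes it shares the key with C."""
    zA, zB = pow(ALPHA, a, P), pow(ALPHA, b, P)
    zC = pow(zA, e, P)                               # C's registered key, derived from A's
    mAB = pow(ALPHA, x, P)                           # A's message (1), forwarded unchanged
    mBA_seen_by_A = pow(pow(ALPHA, y, P), e, P)      # B's message (2), modified by C
    KA = pow(mBA_seen_by_A, a, P) * pow(zB, x, P) % P   # A: "shared with B" (true)
    KB = pow(mAB, b, P) * pow(zC, y, P) % P             # B: "shared with C" (false)
    return KA, KB


if __name__ == "__main__":
    for name in ("A0", "B0", "C0", "C1"):
        _, _, KA, KB = mti(name, 7, 11, 13, 17)
        print(name, KA == KB == expected_key(name, 7, 11, 13, 17))
    print("attack keys agree:", substitution_attack(7, 11, 13, 17, 5))
```

The attack function never uses a, b, x or y on C's behalf; they appear only to simulate the honest parties, which is the point of the Note: C cannot compute k, it only corrupts B's belief about who holds it. The fix the text names, a proof that the registrant knows the private key behind $z_C$, is exactly what a certification authority's proof-of-possession check enforces.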

12.55 Remark (implications of message independence) Protocols such as MTI/A0 "leak" no
information about long-term secrets, since the exchanged messages are independent thereof.
However, such protocols in which each party's message is independent of the other's, and
yet the session key depends on fresh input from each, cannot provide mutual explicit key
authentication.

12.56 Remark (computational complexity of MTI protocols) The A0 and B0 protocols require
3 exponentiations by each party, whereas the C0 and C1 protocols require only 2. C1 has
the additional advantage over B0 and C0 that no inverses are needed; however, these fixed
long-term values may be precomputed.

(iv)  Station-to-Station  protocol  (STS) 

The following three-pass variation of the basic Diffie-Hellman protocol allows the
establishment of a shared secret key between two parties with mutual entity authentication and
mutual explicit key authentication. The protocol also facilitates anonymity - the identities
of A and B may be protected from eavesdroppers. The method employs digital signatures;
the description below is for the specific case of RSA signatures.


12.57  Protocol  Station-to-Station  protocol  (STS) 

SUMMARY:  parties  A and  B exchange  3 messages. 

RESULT:  key  agreement,  mutual  entity  authentication,  explicit  key  authentication. 

1. Notation. E is a symmetric encryption algorithm.

$S_A(m)$ denotes A's signature on m, defined as: $S_A(m) = (H(m))^{d_A} \bmod n_A$ (i.e.,
RSA preceded by an appropriate one-way hash function H, $H(m) < n_A$).

2.  One-time  setup  (definition  and  publication  of  system  parameters). 

(a) Select and publish an appropriate system prime p and generator $\alpha$ of $\mathbb{Z}_p^*$, $2 \le
\alpha \le p-2$. (For additional security, each party may have its own unique such
parameters as part of its public key.)

(b) Each user A selects RSA public and private signature keys $(e_A, n_A)$ and $d_A$,
respectively (B has analogous keys). Assume each party has access to authentic
copies of the other's public key (if not, certificates can be included in existing
messages (2) and (3)).

3.  Protocol  messages. 

A → B: $\alpha^x \bmod p$ (1)

A ← B: $\alpha^y \bmod p$, $E_k(S_B(\alpha^y, \alpha^x))$ (2)

A → B: $E_k(S_A(\alpha^x, \alpha^y))$ (3)

4.  Protocol  actions.  Perform  the  following  steps  each  time  a shared  key  is  required. 

The  protocol  is  aborted  (with  failure)  immediately  upon  any  signature  failure. 

(a) A generates a secret random x, $1 \le x \le p-2$, and sends B message (1).

(b) B generates a secret random y, $1 \le y \le p-2$, and computes the shared key
$k = (\alpha^x)^y \bmod p$. B signs the concatenation of both exponentials ordered as
in (2), encrypts this using the computed key, and sends A message (2).

(c) A computes the shared key $k = (\alpha^y)^x \bmod p$, decrypts the encrypted data, and
uses B's public key to verify the received value as the signature on the hash
of the cleartext exponential received and the exponential sent in message (1).
Upon successful verification, A accepts that k is actually shared with B, and
sends B an analogous message (3).

(d)  B similarly  decrypts  the  received  message  (3)  and  verifies  A’s  signature  therein. 
If  successful,  B accepts  that  k is  actually  shared  with  A. 




The  attack  of  Note  12.50  is  precluded  in  the  STS  protocol  due  to  the  signatures  over 
the  exchanged  exponentials. 
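Protocol 12.57 run end to end with toy parameters, as an added Python example (not code from the Handbook). It also shows that substituting $\alpha^x$ in message (1), the substitution behind the attack of Note 12.50, is caught by the signature check. Assumed stand-ins: p = 23, $\alpha$ = 5, textbook-sized RSA moduli, SHA-256 reduced mod $n_A$ as H, and a SHA-256-derived XOR keystream as $E_k$.

```python
# Added example: Station-to-Station (Protocol 12.57) with RSA signatures.
# Toy parameters only; H and E are constructed stand-ins for a real hash and cipher.
import hashlib
import secrets

P, ALPHA = 23, 5   # constructed toy group; 5 generates Z_23^* (real use needs a large p)


def rsa_keygen_toy(p, q, e):
    """Return ((e, n), d) for the textbook RSA key built from primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), pow(e, -1, phi)


def H(msg: bytes, n: int) -> int:
    """One-way hash reduced below the signer's modulus, so that H(m) < n."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def encode(*exps: int) -> bytes:
    """Concatenate exponentials in the order they appear in the message."""
    return b"|".join(str(x).encode() for x in exps)


def sign(d: int, pub, m: bytes) -> int:
    e, n = pub
    return pow(H(m, n), d, n)              # S_A(m) = H(m)^d_A mod n_A


def verify(pub, m: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == H(m, n)


def E(k: int, data: bytes) -> bytes:
    """Keystream XOR under session key k (toy symmetric cipher; same call decrypts)."""
    stream = hashlib.sha256(b"stream" + str(k).encode()).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def sts_run(pub_a, priv_a, pub_b, priv_b, substitute=False):
    """Run the three STS passes and return (k at A, k at B).
    Raises ValueError (protocol aborted) on any signature failure.
    With substitute=True an active attacker replaces alpha^x in message (1)
    by alpha^(x+1), which differs from alpha^x since alpha is a generator."""
    x = secrets.randbelow(P - 2) + 1                 # 1 <= x <= p-2
    ax = pow(ALPHA, x, P)                            # message (1) as sent by A
    ax_recv = ax * ALPHA % P if substitute else ax   # message (1) as received by B
    # B: choose y, derive k, sign (alpha^y, alpha^x) and encrypt under k -- message (2)
    y = secrets.randbelow(P - 2) + 1
    ay = pow(ALPHA, y, P)
    k_b = pow(ax_recv, y, P)
    sig_b = sign(priv_b, pub_b, encode(ay, ax_recv))
    msg2 = (ay, E(k_b, sig_b.to_bytes(8, "big")))
    # A: derive k, decrypt, verify B's signature over (alpha^y received, alpha^x sent)
    k_a = pow(msg2[0], x, P)
    got_b = int.from_bytes(E(k_a, msg2[1]), "big")
    if not verify(pub_b, encode(msg2[0], ax), got_b):
        raise ValueError("STS aborted: B's signature failed to verify")
    msg3 = E(k_a, sign(priv_a, pub_a, encode(ax, msg2[0])).to_bytes(8, "big"))
    # B: decrypt message (3) and verify A's signature over (alpha^x received, alpha^y)
    got_a = int.from_bytes(E(k_b, msg3), "big")
    if not verify(pub_a, encode(ax_recv, ay), got_a):
        raise ValueError("STS aborted: A's signature failed to verify")
    return k_a, k_b


# constructed signature keys: small primes so the run is fast, not secure
PUB_A, PRIV_A = rsa_keygen_toy(104723, 104729, 65537)
PUB_B, PRIV_B = rsa_keygen_toy(99991, 100003, 65537)


def honest_run_agrees() -> bool:
    k_a, k_b = sts_run(PUB_A, PRIV_A, PUB_B, PRIV_B)
    return k_a == k_b


def substituted_exponential_is_detected() -> bool:
    """The signed exponentials tie k to the values each party actually sent."""
    try:
        sts_run(PUB_A, PRIV_A, PUB_B, PRIV_B, substitute=True)
    except ValueError:
        return True
    return False
```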

12.58 Remark (key confirmation in STS protocol) Encryption under key k provides mutual key
confirmation plus allows the conclusion that the party knowing the key is that which signed
the exponentials. The optimal use of this protocol occurs when all subsequent messages are
also to be encrypted under key k; if this is not the case, alternate means of key confirmation
avoiding encryption may be preferable. One alternative is to use a MAC in messages (2) and
(3), e.g., for $s = S_A(\alpha^x, \alpha^y)$, A → B: $(s, \mathrm{MAC}_k(s))$. A second alternative is inclusion of
a one-way hash of k within the signed messages, e.g., A → B: $S_A(\alpha^x, \alpha^y, h(k))$ where
here h(k) may be replaced by k alone if the signature process itself employs an appropriate
one-way hash.


12.6.2  Implicitly-certified  public  keys 

In contrast both to systems which use public-key certificates (§13.4.2) and to identity-based
systems (§13.4.3), an alternate approach to distributing public keys involves implicitly-
certified public keys, for which a framework is provided in §13.4.4. Use of the word implicit
here is consistent with that in the term (implicit) key authentication. The current section
presents several specific techniques involving implicitly-certified public keys.

(i) Implicitly-certified public keys (of Günther)

Mechanism 12.59 provides a method by which a trusted party may create a Diffie-Hellman
public key $r^s \bmod p$ for an entity, with the key being implicitly-certified. Such public keys,
which may be reconstructed from public data, may be used in key agreement protocols
requiring certified Diffie-Hellman public keys (e.g., $z_A$ in Protocol 12.53) as an alternative to
transporting these keys by public-key certificates, or in customized protocols such as
Protocol 12.62.
12.59 Mechanism Günther's implicitly-certified (identity-based) public keys

SUMMARY: a trusted party T creates an implicitly-certified, publicly-recoverable Diffie-
Hellman public key for A, and transfers to A the corresponding private key.

1. A trusted server T selects an appropriate fixed public prime p and generator $\alpha$ of $\mathbb{Z}_p^*$.
T selects a random integer t, with $1 \le t \le p-2$ and $\gcd(t, p-1) = 1$ as its private
key, and publishes its public key $u = \alpha^t \bmod p$, along with $\alpha$, p.

2. T assigns to each party A a unique distinguished name or identifying string $I_A$ (e.g.,
name and address), and a random integer $k_A$ with $\gcd(k_A, p-1) = 1$. T then
computes $P_A = \alpha^{k_A} \bmod p$. ($P_A$ is A's reconstruction public data, allowing other
parties to compute $(P_A)^a$ below. The gcd condition ensures that $P_A$ itself is a generator.)

3. Using a suitable hash function h, T solves the following equation for a (restarting
with a new $k_A$ if a = 0):

$h(I_A) = t \cdot P_A + k_A \cdot a \pmod{p-1}$. (12.1)

4. T securely transmits to A the pair $(r, s) = (P_A, a)$, which is T's ElGamal signature
(see Chapter 11) on $I_A$. (a is A's private key for Diffie-Hellman key-agreement.)

5. Any other party can then reconstruct A's (Diffie-Hellman) public key $P_A^a$ ($= \alpha^{k_A a}$)
entirely from publicly available information $(\alpha, I_A, u, P_A, p)$ by computing (since
$\alpha^{h(I_A)} = u^{P_A} \cdot P_A^a$):

$P_A^a = \alpha^{h(I_A)} \cdot u^{-P_A} \bmod p$. (12.2)


The above mechanism can be generalized to be independent of ElGamal signatures, by
using any suitable alternate method to generate a pair (r, s) where r is used as the
reconstruction public data, the secret s is used as a (key-agreement) private key, and whereby the
reconstructed public key $r^s \bmod p$ can be computed from public information alone.

12.60 Remark (optimization of ElGamal signatures) Equation (12.1) can be replaced by using
the following optimization of the ElGamal signature scheme, where $\gcd(t, p-1) = 1$:

$h(I_A) = t \cdot a + k_A \cdot P_A \pmod{p-1}$.

To solve for a then requires a one-time inverse computation ($t^{-1} \bmod p-1$) rather than the
per-signature inverse computation ($(k_A)^{-1} \bmod p-1$) required by the original signature
scheme. With this modification, A's key-agreement public key is $u^a$ ($= \alpha^{ta}$) rather than
$P_A^a$ ($= \alpha^{k_A a}$), correspondingly recovered by computing

$\alpha^{h(I_A)} \cdot P_A^{-P_A} \bmod p$ ($= \alpha^{ta} \bmod p$). (12.3)

(ii)  Self-certified  public  keys  (of  Girault) 

Mechanism 12.61, which is employed in several protocols in §12.6.3, presents a technique
for creating implicitly-certified public keys. It differs from that of Mechanism 12.59 in that
it allows users to "self-certify" the keys, in the sense that the user itself is the only party
knowing the private key (as opposed to the trusted party having access to each party's
private key).
12.61 Mechanism Girault's self-certified public keys

SUMMARY: a trusted party T creates an implicitly-certified, publicly-recoverable Diffie-
Hellman public key for party A, without learning the corresponding private key.

1. A trusted server T selects secret primes p and q for an RSA integer n = pq, an
element $\alpha$ of maximal order in $\mathbb{Z}_n^*$ (see Algorithm 4.83), and appropriate integers e and
d as a (public, private) RSA key pair for n.

2. T assigns to each party A a unique distinguished name or identifying string $I_A$ (e.g.,
name and address).

3. Party A itself chooses a private key a, and provides the public key $\alpha^a \bmod n$ to T
in an authenticatable manner. ($\alpha^a$ is A's key-agreement public key.) Moreover, A
provides proof to T that it knows the corresponding secret a. (This is necessary to
prevent a certain forgery attack by A in some ways analogous to that of Note 12.54,
and might be done by A producing for T a Diffie-Hellman key based on $\alpha^a$ and an
exponential chosen by T.)

4. T computes A's reconstruction public data (essentially replacing a certificate) as $P_A
= (\alpha^a - I_A)^d \bmod n$. (Thus $(P_A^e + I_A) \bmod n = \alpha^a \bmod n$, and from public
information alone, any party can compute A's public key, $\alpha^a \bmod n$.)


12.6.3  Diffie-Hellman  protocols  using  implicitly-certified  keys 

The authenticity of Diffie-Hellman exponentials used as public keys in authenticated key
agreement protocols can be established by distributing them via public-key certificates,
or by reconstructing them as implicitly-certified public keys (e.g., using Mechanisms of
§12.6.2) from publicly available parameters. Protocol 12.62 is one example of the
latter. The idea may be adopted to other Diffie-Hellman based protocols as further illustrated
by Examples 12.64, 12.65, and 12.66 respectively corresponding to the fixed-key Diffie-
Hellman, ElGamal, and MTI/A0 key agreement protocols of §12.6.1.


12.62 Protocol Günther's key agreement protocol

SUMMARY:  Diffie-Hellman  based  key  agreement  protocol  between  A and  B. 

RESULT:  A and  B establish  shared  secret  K with  key  authentication. 

1. One-time setup (definition of global parameters). Using Mechanism 12.59, a trusted
party T constructs ElGamal signatures $(P_A, a)$ and $(P_B, b)$ on the identities $I_A$ and
$I_B$ of A and B, respectively, and gives these signatures respectively to A and B as
secrets, along with the following authentic public system parameters as per
Mechanism 12.59: a prime p, generator $\alpha$ of $\mathbb{Z}_p^*$, and T's public key u.

2.  Protocol  messages. 

A → B: $I_A, P_A$ (1)

A ← B: $I_B, P_B, (P_A)^y \bmod p$ (2)

A → B: $(P_B)^x \bmod p$ (3)

3.  Protocol  actions.  Perform  the  following  steps  each  time  a shared  key  is  required. 

(a)  A sends  B message  (1). 

(b) B generates a random integer y, $1 \le y \le p-2$, and sends A message (2).

(c) A generates a random integer x, $1 \le x \le p-2$, and sends B message (3).


(d) Key computation. As per Mechanism 12.59, A and B respectively construct
the other's identity-based public key (equivalent to $(P_B)^b$ and $(P_A)^a$, mod p,
respectively). The common key-agreement key K ($= \alpha^{k_A y a + k_B b x}$) is established
as A and B respectively compute $K = (P_A^y)^a \cdot (P_B^b)^x$, $K = (P_A^a)^y \cdot
(P_B^x)^b \bmod p$.


Protocol  12.62  is  subject  to  theoretical  known-key  attacks  similar  to  those  which  apply 
to  the  MTI  protocols  (Note  12.54). 
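Mechanism 12.59 with the reconstruction of equation (12.2), the optimized variant of Remark 12.60 with equation (12.3), and the key computation of Protocol 12.62, as an added Python example (not the Handbook's code). Assumed toy parameters: p = 1019 with generator $\alpha$ = 2, and $h(I)$ = SHA-256(I) mod (p−1) as the hash.

```python
# Added example: Günther's implicitly-certified keys and key agreement.
# Constructed toy parameters; a real deployment needs a large prime p.
import hashlib
import secrets
from math import gcd

P = 1019   # prime; 2 is a generator since p-1 = 2*509 and 2^509 = -1 mod p
ALPHA = 2


def h(identity: str) -> int:
    """Hash of the identifying string, taken in Z_{p-1} (stand-in for h)."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % (P - 1)


def rand_unit_exponent() -> int:
    """Random e in [1, p-2] with gcd(e, p-1) = 1, as required of t and k_A."""
    while True:
        e = secrets.randbelow(P - 2) + 1
        if gcd(e, P - 1) == 1:
            return e


class TrustedParty:
    """T keeps private t and publishes u = alpha^t mod p (step 1)."""

    def __init__(self):
        self.t = rand_unit_exponent()
        self.u = pow(ALPHA, self.t, P)

    def issue(self, identity: str):
        """Steps 2-4: (P_A, a), T's ElGamal signature on I_A via equation (12.1)."""
        while True:
            k = rand_unit_exponent()
            P_A = pow(ALPHA, k, P)
            # h(I_A) = t*P_A + k*a (mod p-1)  =>  a = (h - t*P_A) * k^-1
            a = (h(identity) - self.t * P_A) * pow(k, -1, P - 1) % (P - 1)
            if a != 0:                      # restart with a new k_A if a = 0
                return P_A, a

    def issue_optimized(self, identity: str):
        """Remark 12.60: h(I_A) = t*a + k*P_A (mod p-1), using the one-time t^-1."""
        t_inv = pow(self.t, -1, P - 1)
        while True:
            k = rand_unit_exponent()
            P_A = pow(ALPHA, k, P)
            a = (h(identity) - k * P_A) * t_inv % (P - 1)
            if a != 0:
                return P_A, a


def reconstruct_public_key(identity: str, P_A: int, u: int) -> int:
    """Equation (12.2): P_A^a = alpha^h(I_A) * u^(-P_A) mod p, from public data only."""
    return pow(ALPHA, h(identity), P) * pow(u, -P_A, P) % P


def reconstruct_optimized(identity: str, P_A: int) -> int:
    """Equation (12.3): u^a = alpha^h(I_A) * P_A^(-P_A) mod p."""
    return pow(ALPHA, h(identity), P) * pow(P_A, -P_A, P) % P


def gunther_key_agreement(u, id_a, id_b, creds_a, creds_b):
    """Protocol 12.62 key computation; returns (K computed by A, K computed by B)."""
    P_A, a = creds_a
    P_B, b = creds_b
    y = secrets.randbelow(P - 2) + 1
    x = secrets.randbelow(P - 2) + 1
    msg2 = pow(P_A, y, P)                               # (P_A)^y in message (2)
    msg3 = pow(P_B, x, P)                               # (P_B)^x in message (3)
    PB_b = reconstruct_public_key(id_b, P_B, u)         # A recovers (P_B)^b
    PA_a = reconstruct_public_key(id_a, P_A, u)         # B recovers (P_A)^a
    K_a = pow(msg2, a, P) * pow(PB_b, x, P) % P         # (P_A^y)^a * (P_B^b)^x
    K_b = pow(PA_a, y, P) * pow(msg3, b, P) % P         # (P_A^a)^y * (P_B^x)^b
    return K_a, K_b
```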

12.63 Remark (two-pass Günther protocol) In Protocol 12.62, a party's identity information and
long-term public key (respectively, $I_A$ and $P_A$) are long-term parameters. If these are
known to parties a priori, then this three-pass protocol reduces to two passes. The reduced
protocol provides the same assurances, namely, key agreement with key authentication, as
Protocol 12.62 and the two-pass MTI schemes of Table 12.5, and closely resembles MTI/A0
with respect to the logarithm of the final key.

12.64 Example (Protocol G0) Fixed-key Diffie-Hellman key-agreement (Note 12.48) may be
modified to use implicitly-certified keys as follows. Using the setup and notation as in
Girault's self-certified public keys (Mechanism 12.61), A and B establish the time-invariant
joint key K by respectively computing $(P_B)^e + I_B \bmod n$ ($= \alpha^b$) and $(P_A)^e + I_A \bmod
n$ ($= \alpha^a$), from which they effectively compute

$K = (\alpha^b)^a$ and $K = (\alpha^a)^b \bmod n$. (12.4)

Alternatively, the same protocol may be modified to use Günther's ID-based public keys
assuming the setup and notation as in Mechanism 12.59 with modified ElGamal signatures
as per Remark 12.60. In this case, A and B respectively compute the other's key-agreement
public keys $\alpha^{tb}$ and $\alpha^{ta}$ by (12.3), in place of $\alpha^b$ and $\alpha^a$ in (12.4). □

12.65 Example (Protocol G1) The one-pass ElGamal key agreement of Protocol 12.51 may be
modified to use implicitly-certified keys as follows. Using the setup and notation as in
Girault's self-certified public keys (Mechanism 12.61), A chooses a random integer x and
sends to B: $\alpha^x \bmod n$. A computes $P_B^e + I_B \bmod n$ ($= \alpha^b$). A and B establish the
time-variant joint key $K = \alpha^{bx} \bmod n$, by respectively computing, effectively,

$K = (\alpha^b)^x$ and $K = (\alpha^x)^b \bmod n$. (12.5)

The protocol may be modified to use Günther's ID-based public keys as follows: rather
than sending $\alpha^x \bmod n$ to B, A sends $P_B^x \bmod p$, with $P_B$ (and p, b, u, etc.) defined as
in Mechanism 12.59. B then computes $K = (P_B^x)^b \bmod p$, while A effectively computes
$K = (P_B^b)^x \bmod p$, having reconstructed $P_B^b$ via equation (12.2) on page 521. The
resulting protocol is essentially one-half of the Günther key agreement of Protocol 12.62. A
related modification utilizing Remark 12.60 involves A sending to B $u^x \bmod p$ in place of
$P_B^x$, the joint key now being $K = u^{bx} \bmod p$, computed by A as $K = (u^b)^x$ with $u^b$
computed per (12.3), and B computing $K = (u^x)^b \bmod p$. This final protocol then
resembles (one-half of) Protocol MTI/A0 in that, since the message A sends is independent of the
recipient B, it may be computed ahead of time before the recipient is determined. □

12.66 Example (Protocol G2) The two-pass MTI/A0 key agreement (Protocol 12.53) may be
modified to use implicitly-certified keys as follows. Using the setup and notation as in
Girault's self-certified public keys (Mechanism 12.61), A chooses a random integer x and
sends to B: $\alpha^x \bmod n$. Analogously, B chooses a random integer y and sends to A: $\alpha^y
\bmod n$. A computes $P_B^e + I_B \bmod n$ ($= \alpha^b$); B computes $P_A^e + I_A \bmod n$ ($= \alpha^a$). A
and B then establish the time-variant common key $K = \alpha^{ay+bx} \pmod n$ by respectively
computing $K = (\alpha^y)^a (P_B^e + I_B)^x$ and $K = (\alpha^x)^b (P_A^e + I_A)^y \bmod n$. Alternatively,
this protocol may be modified to use Günther's ID-based public keys in a manner directly
analogous to that of Example 12.64. □

12.67 Example (self-certified version of Günther's ID-based keys) The following modification
of Mechanism 12.59 transforms it into a "self-certified" public-key scheme (i.e., one in
which the third party does not learn users' private keys). A chooses a secret random v,
$1 \le v \le p-1$ with $\gcd(v, p-1) = 1$, computes $w = \alpha^v \bmod p$, and gives w to T. While
v is not given to T, A should demonstrate knowledge of v to T (cf. Note 12.54). T chooses
$k_A$ as before but computes $P_A = w^{k_A} \bmod p$ (instead of: $P_A = \alpha^{k_A}$). T solves
equation (12.1) for a as before (using the new $P_A$) and again gives A the pair $(r, s) = (P_A, a)$.
A then calculates $a' = a \cdot v^{-1} \bmod (p-1)$; it follows that $(P_A, a')$ is now T's ElGamal
signature on $I_A$ (it is easily verified that $u^{P_A} \cdot P_A^{a'} = \alpha^{h(I_A)}$), and T does not know $a'$. □


12.7  Secret  sharing 

Secret sharing schemes are multi-party protocols related to key establishment. The original
motivation for secret sharing was the following. To safeguard cryptographic keys from loss,
it is desirable to create backup copies. The greater the number of copies made, the greater
the risk of security exposure; the smaller the number, the greater the risk that all are lost.
Secret sharing schemes address this issue by allowing enhanced reliability without increased
risk. They also facilitate distributed trust or shared control for critical activities (e.g.,
signing corporate cheques; opening bank vaults), by gating the critical action on cooperation by
t of n users.

The idea of secret sharing is to start with a secret, and divide it into pieces called shares
which are distributed amongst users such that the pooled shares of specific subsets of users
allow reconstruction of the original secret. This may be viewed as a key pre-distribution
technique, facilitating one-time key establishment, wherein the recovered key is
pre-determined (static), and, in the basic case, the same for all groups.

A secret sharing scheme may serve as a shared control scheme if inputs (shares) from
two or more users are required to enable a critical action (perhaps the recovered key allows
this action to trigger, or the recovery itself is the critical action). In what follows, simple
shared-control schemes introduced in §12.7.1 are a subset of threshold schemes discussed in
§12.7.2, which are themselves a subclass of generalized secret sharing schemes as described
in §12.7.3.


12.7.1  Simple  shared  control  schemes 

(i)  Dual  control  by  modular  addition 

If a secret number S, $0 \le S \le m-1$ for some integer m, must be entered into a device (e.g.,
a seed key), but for operational reasons, it is undesirable that any single individual (other
than a trusted party) know this number, the following scheme may be used. A trusted party
T generates a random number $1 \le S_1 \le m-1$, and gives the values $S_1$ and $S - S_1 \bmod m$
to two parties A and B, respectively. A and B then separately enter their values into the
device, which sums them modulo m to recover S. If A and B are trusted not to collude,
then neither one has any information about S, since the value each possesses is a random
number between 0 and m−1. This is an example of a split-knowledge scheme - knowledge
of the secret S is split among two people. Any action requiring S is said to be under dual
control - two people are required to trigger it.

(ii)  Unanimous  consent  control  by  modular  addition 

The dual control scheme above is easily generalized so that the secret S may be divided
among t users, all of whom are required in order to recover S, as follows: T generates t−1
independent random numbers $S_i$, $0 \le S_i \le m-1$, $1 \le i \le t-1$. Parties $P_1$ through
$P_{t-1}$ are given $S_i$, while $P_t$ is given $S_t = S - \sum_{i=1}^{t-1} S_i \bmod m$. The secret is recovered
as $S = \sum_{i=1}^{t} S_i \bmod m$. Both here and in the dual control scheme above, modulo m
operations may be replaced by exclusive-OR, using data values S and $S_i$ of fixed bit-length
$\lg(m)$.

12.68 Remark (technique for splitting keys) The individual key components in a split control
scheme should be full-length. This provides greater security than partitioning an r-bit key
into t pieces of r/t bits each. For example, for r = 56 and t = 2, if two parties are each
given 28 bits of the key, exhaustive search by one party requires only $2^{28}$ trials, while if
each party is given a 56-bit piece, $2^{56}$ trials are necessary.


12.7.2  Threshold  schemes 

12.69 Definition A (t, n) threshold scheme ($t \le n$) is a method by which a trusted party
computes secret shares $S_i$, $1 \le i \le n$ from an initial secret S, and securely distributes $S_i$ to
user $P_i$, such that the following is true: any t or more users who pool their shares may easily
recover S, but any group knowing only t−1 or fewer shares may not. A perfect threshold
scheme is a threshold scheme in which knowing only t−1 or fewer shares provides no
advantage (no information about S whatsoever, in the information-theoretic sense) to an
opponent over knowing no pieces.

The split-knowledge scheme of §12.7.1(i) is an example of a (2, 2) threshold scheme,
while the unanimous consent control of §12.7.1(ii) is a (t, t) threshold scheme.

12.70 Remark (use of threshold schemes) If a threshold scheme is to be reused without decreased
security, controls are necessary to prevent participants from deducing the shares of other
users. One method is to prevent group members themselves from accessing the value of
the recovered secret, as may be done by using a trusted combining device. This is
appropriate for systems where the objective is shared control, and participants need only see that
an action is triggered, rather than have access to the key itself. For example, each share
might be stored on a chipcard, and each user might swipe its card through a trusted card
reader which computes the secret, thereby enabling the critical action of opening an access
door.

Shamir’s  threshold  scheme 

Shamir's threshold scheme is based on polynomial interpolation, and the fact that a
univariate polynomial y = f(x) of degree t−1 is uniquely defined by t points $(x_i, y_i)$ with
distinct $x_i$ (since these define t linearly independent equations in t unknowns).
12.71 Mechanism Shamir's (t, n) threshold scheme

SUMMARY: a trusted party distributes shares of a secret S to n users.

RESULT: any group of t users which pool their shares can recover S.

1. Setup. The trusted party T begins with a secret integer $S \ge 0$ it wishes to distribute
among n users.

(a) T chooses a prime $p > \max(S, n)$, and defines $a_0 = S$.

(b) T selects t−1 random, independent coefficients $a_1, \ldots, a_{t-1}$, $0 \le a_j \le p-1$,
defining the random polynomial over $\mathbb{Z}_p$, $f(x) = \sum_{j=0}^{t-1} a_j x^j$.

(c) T computes $S_i = f(i) \bmod p$, $1 \le i \le n$ (or for any n distinct points i, $1 \le
i \le p-1$), and securely transfers the share $S_i$ to user $P_i$, along with public
index i.

2. Pooling of shares. Any group of t or more users pool their shares (see Remark 12.70).
Their shares provide t distinct points $(x, y) = (i, S_i)$ allowing computation of the
coefficients $a_j$, $1 \le j \le t-1$ of f(x) by Lagrange interpolation (see below). The
secret is recovered by noting $f(0) = a_0 = S$.


The coefficients of an unknown polynomial f(x) of degree less than t, defined by points
$(x_i, y_i)$, $1 \le i \le t$, are given by the Lagrange interpolation formula:

$$f(x) = \sum_{i=1}^{t} y_i \prod_{\substack{1 \le j \le t \\ j \ne i}} \frac{x - x_j}{x_i - x_j}.$$

Since $f(0) = a_0 = S$, the shared secret may be expressed as:

$$S = \sum_{i=1}^{t} c_i y_i, \quad \text{where } c_i = \prod_{\substack{1 \le j \le t \\ j \ne i}} \frac{x_j}{x_j - x_i}.$$

Thus each group member may compute S as a linear combination of t shares $y_i$, since the
$c_i$ are non-secret constants (which for a fixed group of t users may be pre-computed).
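Mechanism 12.71 with recovery as $S = \sum c_i y_i \bmod p$ using the precomputed Lagrange constants, as an added Python example (not the Handbook's code). The prime p, the secret and the (t, n) parameters in the checks are constructed for the demonstration.

```python
# Added example: Shamir's (t, n) threshold scheme over Z_p (Mechanism 12.71).
import secrets


def make_shares(S: int, t: int, n: int, p: int):
    """Setup: random f(x) = S + a_1 x + ... + a_{t-1} x^{t-1} over Z_p;
    user P_i receives the share (i, f(i) mod p)."""
    if not (0 <= S < p and t <= n < p):
        raise ValueError("need p > max(S, n) and t <= n")
    coeffs = [S] + [secrets.randbelow(p) for _ in range(t - 1)]   # a_0 = S

    def f(x: int) -> int:
        return sum(a * pow(x, j, p) for j, a in enumerate(coeffs)) % p

    return [(i, f(i)) for i in range(1, n + 1)]


def lagrange_constants(xs, p: int):
    """c_i = prod_{j != i} x_j / (x_j - x_i) mod p: the non-secret weights
    that evaluate the interpolating polynomial at x = 0."""
    cs = []
    for i, xi in enumerate(xs):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if j != i:
                num = num * xj % p
                den = den * (xj - xi) % p
        cs.append(num * pow(den, -1, p) % p)
    return cs


def recover(shares, p: int) -> int:
    """Pooling: t (or more) shares with distinct indices give S = f(0) = sum c_i y_i."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("share indices must be distinct")
    cs = lagrange_constants(xs, p)
    return sum(c * y for c, (_, y) in zip(cs, shares)) % p


def any_t_subset_recovers(S: int, t: int, n: int, p: int) -> bool:
    """Check every t-subset of the n shares against the secret (n small)."""
    from itertools import combinations
    shares = make_shares(S, t, n, p)
    return all(recover(list(sub), p) == S for sub in combinations(shares, t))
```

Note that `recover` on fewer than t shares still returns a value, but one that depends on the missing coefficients; the perfectness of Note 12.72 is exactly that this value carries no information about S.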


12.72  Note  (properties  of  Shamir’s  threshold  scheme)  Properties  of  Mechanism  12.71  include: 

1. perfect. Given knowledge of any t−1 or fewer shares, all values $0 \le S \le p-1$ of
the shared secret remain equally probable (see Definition 12.69).

2.  ideal.  The  size  of  one  share  is  the  size  of  the  secret  (see  Definition  12.76). 

3. extendable for new users. New shares (for new users) may be computed and
distributed without affecting shares of existing users.

4. varying levels of control possible. Providing a single user with multiple shares
bestows more control upon that individual. (In the terminology of §12.7.3, this
corresponds to changing the access structure.)

5.  no  unproven  assumptions.  Unlike  many  cryptographic  schemes,  its  security  does 
not  rely  on  any  unproven  assumptions  (e.g.,  about  the  difficulty  of  number-theoretic 
problems). 


12.7.3  Generalized  secret  sharing 

The idea of a threshold scheme may be broadened to a generalized secret sharing scheme as
follows. Given a set P of users, define $\mathcal{A}$ (the access structure) to be a set of subsets, called
the authorized subsets of P. Shares are computed and distributed such that the pooling of
shares corresponding to any authorized subset $A \in \mathcal{A}$ allows recovery of the secret S, but
the pooling of shares corresponding to any unauthorized subset $B \subseteq P$, $B \notin \mathcal{A}$ does not.

Threshold schemes are a special class of generalized secret sharing schemes, in which
the access structure consists of precisely all t-subsets of users. An access structure is called
monotone if, whenever a particular subset A of users is an authorized subset, then any
subset of P containing A is also authorized. Monotone access structures are a requirement in
many applications, and most natural schemes are monotone. Perfect secret sharing schemes
have a monotone access structure as a consequence of the entropy formulation in
Definition 12.73.

12.73 Definition A secret sharing scheme is perfect if the shares corresponding to each
unauthorized subset provide absolutely no information, in the information-theoretic sense, about the
shared secret (cf. Definition 12.69). More formally, where H denotes entropy (see §2.2.1),
and A, B are sets of users using the above notation: $H(S|A) = 0$ for any $A \in \mathcal{A}$, while
$H(S|B) = H(S)$ for any $B \notin \mathcal{A}$.

The  efficiency  of  a secret  sharing  scheme  is  measured  by  its  information  rate. 

12.74 Definition For secret sharing schemes, the information rate for a particular user is the
bit-size ratio (size of the shared secret)/(size of that user's share). The information rate for a
secret sharing scheme itself is the minimum such rate over all users.

12.75 Fact (perfect share bound) In any perfect secret sharing scheme the following holds for
all user shares: (size of a user share) $\ge$ (size of the shared secret). Consequently, all perfect
secret sharing schemes must have information rate $\le 1$.

Justification. If any user $P_i$ had a share of bit-size less than that of the secret, knowledge of
the shares (excepting that of $P_i$) corresponding to any authorized set to which $P_i$ belonged,
would reduce the uncertainty in the secret to at most that in $P_i$'s share. Thus by definition,
the scheme would not be perfect.

12.76  Definition  Secret  sharing  schemes  of  rate  1 (see  Definition  12.74)  are  called  ideal. 

As  per  Note  12.72,  Shamir’s  threshold  scheme  is  an  example  of  an  ideal  secret  sharing 
scheme.  Examples  of  access  structures  are  known  for  which  it  has  been  proven  that  ideal 
schemes  do  not  exist. 

Secret  sharing  schemes  with  extended  capabilities 

Secret  sharing  schemes  with  a variety  of  extended  capabilities  exist,  including: 

1.  pre-positioned  secret  sharing  schemes.  All  necessary  secret  information  is  put  in 
place  excepting  a single  (constant)  share  which  must  later  be  communicated,  e.g., 
by  broadcast,  to  activate  the  scheme. 

2. dynamic secret sharing schemes. These are pre-positioned schemes wherein the
secrets reconstructed by various authorized subsets vary with the value of
communicated activating shares.

3.  multi-secret  threshold  schemes.  In  these  secret  sharing  schemes  different  secrets  are 
associated  with  different  authorized  subsets. 

4. detection of cheaters, and verifiable secret sharing. These schemes respectively
address cheating by one or more group members, and the distributor of the shares.

5. secret sharing with disenrollment. These schemes address the issue that when a secret
share of a (t, n) threshold scheme is made public, it becomes a (t−1, n) scheme.


12.8  Conference  keying 

12.77 Definition A conference keying protocol is a generalization of two-party key
establishment to provide three or more parties with a shared secret key.

Despite superficial resemblance, conference keying protocols differ from dynamic
secret sharing schemes in fundamental aspects. General requirements for conference keying
include that distinct groups recover distinct keys (session keys); that session keys are
dynamic (excepting key pre-distribution schemes); that the information exchanged between
parties is non-secret and transferred over open channels; and that each party individually
computes the session key (vs. pooling shares in a black box). A typical application is
telephone conference calls. The group able to compute a session key is called the privileged
subset. When a central point enables members of a (typically large) privileged subset to
share a key by broadcasting one or more messages, the process resembles pre-positioned
secret sharing somewhat and is called broadcast encryption.

An obvious method to establish a conference key K for a set of $t \ge 3$ parties is to
arrange that each party share a unique symmetric key with a common trusted party.
Thereafter the trusted party may choose a new random key and distribute it by symmetric key
transport individually to each member of the conference group. Disadvantages of this
approach include the requirement of an on-line trusted third party, and the communication and
computational burden on this party.

A related approach not requiring a trusted party involves a designated group member (the chair) choosing a key $K$, computing pairwise Diffie-Hellman keys with each other group member, and using such keys to securely send $K$ individually to each. A drawback of this approach is the communication and computational burden on the chair, and the lack of protocol symmetry (balance). Protocol 12.78 offers an efficient alternative, albeit more complex in design.

Burmester-Desmedt conference keying protocol

The following background is of use in understanding Protocol 12.78. $t$ users $U_0$ through $U_{t-1}$ with individual Diffie-Hellman exponentials $z_i = \alpha^{r_i}$ will form a conference key $K = \alpha^{r_0 r_1 + r_1 r_2 + r_2 r_3 + \cdots + r_{t-1} r_0}$. Define $A_i = \alpha^{r_i r_{i+1}} = z_i^{r_{i+1}}$ and $X_i = \alpha^{r_{i+1} r_i - r_i r_{i-1}}$.

Noting $A_i = A_{i-1} X_i$, $K$ may equivalently be written as (with subscripts taken modulo $t$)

$$K_i = A_0 A_1 \cdots A_{t-1} = A_{i-1} A_i A_{i+1} \cdots A_{i+(t-2)}$$

$$= A_{i-1} \cdot (A_{i-1} X_i) \cdot (A_{i-1} X_i X_{i+1}) \cdots (A_{i-1} X_i X_{i+1} \cdots X_{i+(t-2)}).$$

Noting $A_{i-1}^{t} = (z_{i-1})^{t r_i}$, this is seen to be equivalent to $K_i$ as in equation (12.6) of Protocol 12.78.


12.78 Protocol Burmester-Desmedt conference keying

SUMMARY: $t \ge 2$ users derive a common conference key $K$.

RESULT: $K$ is secure from attack by passive adversaries.

1. One-time setup. An appropriate prime $p$ and generator $\alpha$ of $\mathbb{Z}_p^*$ are selected, and authentic copies of these are provided to each of $n$ system users.

2. Conference key generation. Any group of $t \le n$ users (typically $t \ll n$) derive a common conference key $K$ as follows. (Without loss of generality, the users are labeled $U_0$ through $U_{t-1}$, and all indices $j$ indicating users are taken modulo $t$.)

(a) Each $U_i$ selects a random integer $r_i$, $1 \le r_i \le p-2$, computes $z_i = \alpha^{r_i} \bmod p$, and sends $z_i$ to each of the other $t-1$ group members. (Assume that $U_i$ has been notified a priori of the indices $j$ identifying other conference members.)

(b) Each $U_i$, after receiving $z_{i-1}$ and $z_{i+1}$, computes $X_i = (z_{i+1}/z_{i-1})^{r_i} \bmod p$ (note $X_i = \alpha^{r_{i+1} r_i - r_i r_{i-1}}$), and sends $X_i$ to each of the other $t-1$ group members.

(c) After receiving $X_j$, $1 \le j \le t$ excluding $j = i$, $U_i$ computes $K = K_i$ as

$$K_i = (z_{i-1})^{t r_i} \cdot X_i^{t-1} \cdot X_{i+1}^{t-2} \cdots X_{i+(t-3)}^{2} \cdot X_{i+(t-2)}^{1} \bmod p \qquad (12.6)$$


For small conferences (small $t$), the computation required by each party is small, since all but one exponentiation in equation (12.6) involves an exponent between 1 and $t$. The protocol requires an order be established among users in the privileged subset (for indexing). For $t = 2$, the resulting key is $K = (\alpha^{r_1 r_2})^2$, the square of the standard Diffie-Hellman key. It is provably as difficult for a passive adversary to deduce the conference key $K$ in Protocol 12.78 as to solve the Diffie-Hellman problem.

Attention above has been restricted to unauthenticated conference keying; additional measures are required to provide authentication in the presence of active adversaries. Protocol 12.78 as presented assumes a broadcast model (each user exchanges messages with all others); it may also be adapted for a bi-directional ring (wherein each user transmits only to two neighbors).
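As an added example (not code from the Handbook), the following Python simulates Protocol 12.78 for $t$ parties and checks that every $U_i$'s value from equation (12.6) equals the key $\alpha^{r_0 r_1 + \cdots + r_{t-1} r_0}$ of the background discussion. The group parameters $p = 467$, $\alpha = 2$ are a constructed toy choice for readability, not secure parameters, and the run models only the passive-adversary setting the protocol addresses.

```python
"""Burmester-Desmedt conference keying (Protocol 12.78), simulated for t users.

Added example, not the Handbook's code. Toy parameters below are an assumption
chosen so a run is readable; they give no security.
"""
import secrets

P = 467        # constructed toy prime (NOT a secure size)
ALPHA = 2      # generator of Z_467^* (467 = 3 mod 8, so 2 is a non-residue of order 466)


def broadcast_round1(t, p=P, alpha=ALPHA, rng=secrets.randbelow):
    """Step 2(a): each U_i picks r_i with 1 <= r_i <= p-2 and broadcasts z_i = alpha^r_i mod p."""
    r = [1 + rng(p - 2) for _ in range(t)]
    z = [pow(alpha, ri, p) for ri in r]
    return r, z


def broadcast_round2(r, z, p=P):
    """Step 2(b): U_i computes X_i = (z_{i+1} / z_{i-1})^{r_i} mod p from its two neighbours."""
    t = len(z)
    X = []
    for i in range(t):
        z_next, z_prev = z[(i + 1) % t], z[(i - 1) % t]
        inv_prev = pow(z_prev, -1, p)                 # modular inverse (Python 3.8+)
        X.append(pow(z_next * inv_prev % p, r[i], p))
    return X


def conference_key(i, r_i, z, X, p=P):
    """Step 2(c), equation (12.6):
    K_i = z_{i-1}^{t r_i} * X_i^{t-1} * X_{i+1}^{t-2} * ... * X_{i+(t-2)}^1 mod p."""
    t = len(z)
    K = pow(z[(i - 1) % t], t * r_i, p)               # the single large exponentiation
    for k in range(t - 1):                            # exponents t-1 down to 1
        K = K * pow(X[(i + k) % t], t - 1 - k, p) % p
    return K


def expected_key(r, p=P, alpha=ALPHA):
    """Reference value from the background text: alpha^{r_0 r_1 + r_1 r_2 + ... + r_{t-1} r_0}."""
    t = len(r)
    e = sum(r[i] * r[(i + 1) % t] for i in range(t))
    return pow(alpha, e, p)


def run_protocol(t, seed_r=None):
    """Run all rounds; return (key computed by each U_i, reference key).

    seed_r fixes the r_i for a deterministic run; otherwise they are drawn at random."""
    if seed_r is None:
        r, z = broadcast_round1(t)
    else:
        r = list(seed_r)
        z = [pow(ALPHA, ri, P) for ri in r]
    X = broadcast_round2(r, z)
    keys = [conference_key(i, r[i], z, X) for i in range(t)]
    return keys, expected_key(r)


if __name__ == "__main__":
    for t in (2, 3, 5):
        keys, ref = run_protocol(t)
        print(f"t={t}: all parties agree = {all(k == ref for k in keys)}, K = {ref}")
```

For $t = 2$ the run reproduces the remark above that $K$ is the square of the ordinary Diffie-Hellman key, since $X_0 = X_1 = 1$ and only the $(z_{i-1})^{2 r_i}$ term survives.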

Unconditionally secure conference keying

While conference keying schemes such as Protocol 12.78 provide computational security, protocols with the goal of unconditional security are also of theoretical interest. Related to this, a generalization of Fact 12.34 is given below, for conferences of fixed size ($t$ participants from among $n$ users) which are information-theoretically secure against conspiracies of up to $j$ non-participants. The model for this result is a non-interactive protocol, and more specifically a key pre-distribution scheme; each conference member computes the conference key solely from its own secret data (pre-distributed by a server) and an identity vector specifying (an ordered sequence of) indices of the other conference members.

12.79 Fact (Blundo's conference KDS bound) In any $j$-secure conference KDS providing $m$-bit conference keys to privileged subsets of fixed size $t$, the secret data stored by each user must be at least $m \cdot \binom{t+j-1}{t-1}$ bits.

Fact 12.79 with $t = 2$ and $j = n-2$ corresponds to the trivial scheme (see p.505) where each user has $n-1$ shared keys each of $m$ bits, one for each other user. A non-trivial scheme meeting the bound of Fact 12.79 can be constructed as a generalization of Mechanism 12.35 (see p.540).

12.80 Remark (refinement of Fact 12.79) A more precise statement of Fact 12.79 requires consideration of entropy; the statement holds if the conference keys in question have $m$ bits of entropy.

12.9 Analysis of key establishment protocols

The main objective of this section is to highlight the delicate nature of authenticated key establishment protocols, and the subtlety of design flaws. Examples of flawed protocols are included to illustrate typical attack strategies, and to discourage protocol design by the novice.


12.9.1 Attack strategies and classic protocol flaws

The study of successful attacks which have uncovered flaws in protocols allows one to learn from previous design errors, understand general attack methods and strategies, and formulate design principles. This both motivates and allows an understanding of various design features of protocols. General attack strategies are discussed in §12.2.3. In the specific examples below, A and B are the legitimate parties, and E is an adversary (enemy). Two of the protocols discussed are, in fact, authentication-only protocols (i.e., do not involve key establishment), but are included in this discussion because common principles apply.

Attack 1: Intruder-in-the-middle

The classic "intruder-in-the-middle" attack on unauthenticated Diffie-Hellman key agreement is as follows.

A  →  $\alpha^{x}$  →  E  →  $\alpha^{x'}$  →  B
A  ←  $\alpha^{y'}$  ←  E  ←  $\alpha^{y}$  ←  B

A and B have private keys $x$ and $y$, respectively. E creates keys $x'$ and $y'$. E intercepts A's exponential and replaces it by $\alpha^{x'}$; and intercepts B's exponential, replacing it with $\alpha^{y'}$. A forms session key $K_A = \alpha^{x y'}$, while B forms session key $K_B = \alpha^{x' y}$. E is able to compute both these keys. When A subsequently sends a message to B encrypted under $K_A$, E deciphers it, re-enciphers under $K_B$, and forwards it to B. Similarly E deciphers messages encrypted by B (for A) under $K_B$, and re-enciphers them under $K_A$. A and B believe they communicate securely, while E reads all traffic.

Attack 2: Reflection attack

Suppose A and B share a symmetric key $K$, and authenticate one another on the basis of demonstrating knowledge of this key by encrypting or decrypting a challenge as follows.

A → B : $r_A$  (1)
A ← B : $E_K(r_A, r_B)$  (2)
A → B : $r_B$  (3)

An adversary E can impersonate B as follows. Upon A sending (1), E intercepts it, and initiates a new protocol, sending the identical message $r_A$ back to A as message (1') purportedly from B. In this second protocol, A responds with message (2'): $E_K(r_A, r_A')$, which E again intercepts and simply replays back on A as the answer (2) in response to the challenge $r_A$ in the original protocol. A then completes the first protocol, and believes it has successfully authenticated B, while in fact B has not been involved in any communications.

A → E : $r_A$  (1)
A ← E : $r_A$  (1')
A → E : $E_K(r_A, r_A')$  (2')
A ← E : $E_K(r_A, r_B = r_A')$  (2)
A → E : $r_B$  (3)

The attack can be prevented by using distinct keys $K$ and $K'$ for encryptions from A to B and B to A, respectively. An alternate solution is to avoid message symmetry, e.g., by including the identifier of the originating party within the encrypted portion of (2).
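The reflection above, together with the second fix (originator identifier inside the encrypted portion of (2)), as an added Python example that is not the Handbook's code. $E_K$ is stood in for by a deterministic SHA-256 keystream XOR that is not a real cipher and is assumed only so the message flow can be executed; the 16-byte nonces and the byte-string identities are likewise assumptions.

```python
"""Reflection attack on the challenge-response protocol of Attack 2, and the
identifier fix. Added example, not code from the Handbook.

toy_enc is an insecure stand-in for E_K (assumption): it only lets the
message flow run; it must not be used as a cipher.
"""
import hashlib
import os

NONCE_LEN = 16


def toy_enc(key: bytes, msg: bytes) -> bytes:
    """Stand-in for E_K: XOR msg with a SHA-256-derived keystream (insecure toy)."""
    stream = b""
    counter = 0
    while len(stream) < len(msg):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(msg, stream))


toy_dec = toy_enc  # XOR with the same keystream inverts it


class Party:
    """A protocol participant sharing symmetric key K with its peer."""

    def __init__(self, name: bytes, key: bytes, bind_identity: bool):
        self.name, self.key, self.bind_identity = name, key, bind_identity
        self.r = None  # the challenge this party sent in message (1)

    def challenge(self) -> bytes:
        """Message (1): a fresh random challenge."""
        self.r = os.urandom(NONCE_LEN)
        return self.r

    def respond(self, r_peer: bytes) -> bytes:
        """Message (2): E_K(r_peer, r_self); with the fix, E_K(r_peer, r_self, own identity)."""
        r_self = os.urandom(NONCE_LEN)
        body = r_peer + r_self + (self.name if self.bind_identity else b"")
        return toy_enc(self.key, body)

    def verify(self, ciphertext: bytes, expected_peer: bytes):
        """Check message (2); return the peer's nonce for message (3), or None if rejected."""
        pt = toy_dec(self.key, ciphertext)
        if pt[:NONCE_LEN] != self.r:
            return None                                  # not a reply to our challenge
        if self.bind_identity and pt[2 * NONCE_LEN:] != expected_peer:
            return None                                  # originator field is not the peer
        return pt[NONCE_LEN:2 * NONCE_LEN]


def honest_run(bind_identity: bool) -> bool:
    """A challenges B; True if A accepts B's genuine reply."""
    K = os.urandom(16)
    A, B = Party(b"A", K, bind_identity), Party(b"B", K, bind_identity)
    r_A = A.challenge()                                  # (1) A -> B
    return A.verify(B.respond(r_A), b"B") is not None    # (2) B -> A


def reflection_run(bind_identity: bool) -> bool:
    """E never holds K and uses A as an oracle; True means A wrongly accepts 'B'."""
    K = os.urandom(16)
    A = Party(b"A", K, bind_identity)
    r_A = A.challenge()                                  # (1) A -> "B", intercepted by E
    msg2_prime = A.respond(r_A)                          # (1') E reflects r_A; (2') A answers E_K(r_A, r_A')
    return A.verify(msg2_prime, b"B") is not None        # (2) E replays (2') back to A
```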

Attack 3: Interleaving attack

Consider the following (flawed) authentication protocol, where $s_A$ denotes the signature operation of party A, and it is assumed that all parties have authentic copies of all others' public keys.

A → B : $r_A$  (1)
A ← B : $r_B, s_B(r_B, r_A, A)$  (2)
A → B : $r_A', s_A(r_A', r_B, B)$  (3)

The intention is that the random numbers chosen by A and B, respectively, together with the signatures, provide a guarantee of freshness and entity authentication. However, an enemy E can initiate one protocol with B (pretending to be A), and another with A (pretending to be B), as shown below, and use a message from the latter protocol to successfully complete the former, thereby deceiving B into believing E is A (and that A initiated the protocol).

E → B : $r_A$  (1)
E ← B : $r_B, s_B(r_B, r_A, A)$  (2)
A ← E : $r_B$  (1')
A → E : $r_A', s_A(r_A', r_B, B)$  (2')
E → B : $r_A', s_A(r_A', r_B, B)$  (3)

This attack is possible due to the message symmetry of (2) and (3), and may be prevented by making their structures differ, securely binding an identifier to each message indicating a message number, or simply requiring the original $r_A$ take the place of $r_A'$ in (3).

The implications of this attack depend on the specific objectives the protocol was assumed to provide. Such specific objectives are, however, (unfortunately) often not explicitly stated.

Attack 4: Misplaced trust in server

The Otway-Rees protocol (Protocol 12.29) has messages as follows:

A → B : $M, A, B, E_{K_{AT}}(N_A, M, A, B)$  (1)
B → T : $M, A, B, E_{K_{AT}}(N_A, M, A, B), E_{K_{BT}}(N_B, M, A, B)$  (2)
B ← T : $E_{K_{AT}}(N_A, k), E_{K_{BT}}(N_B, k)$  (3)
A ← B : $E_{K_{AT}}(N_A, k)$  (4)

Upon receiving message (2), the server must verify that the encrypted fields $(M, A, B)$ in both parts of (2) match, and in addition that these fields match the cleartext $(M, A, B)$. If the latter check is not carried out, the protocol is open to attack by an enemy E (who is another authorized system user) impersonating B as follows. E modifies (2), replacing cleartext B by E (but leaving both enciphered versions of both identifiers A and B intact), replacing nonce $N_B$ by its own nonce $N_E$, and using key $K_{ET}$ (which E shares a priori with T) in place of $K_{BT}$. Based on the cleartext identifier E, T then encrypts part of message (3) under $K_{ET}$ allowing E to recover $k$; but A believes, as in the original protocol, that $k$ is shared with B. The attack is summarized as follows.

A → B : $M, A, B, E_{K_{AT}}(N_A, M, A, B)$  (1)
B → E : $M, A, B, E_{K_{AT}}(N_A, M, A, B), E_{K_{BT}}(N_B, M, A, B)$  (2)
E → T : $M, A, E, E_{K_{AT}}(N_A, M, A, B), E_{K_{ET}}(N_E, M, A, B)$  (2')
E ← T : $E_{K_{AT}}(N_A, k), E_{K_{ET}}(N_E, k)$  (3)
A ← E : $E_{K_{AT}}(N_A, k)$  (4)

The attack is possible due to the subtle manner by which A infers the identity of the other party to which $k$ is made available: in (4), A has no direct indication of the other party to which T has made $k$ available, but relies on the nonce $N_A$ in (4) and its association with the pair $(N_A, B)$ within the protected part of (1). Thus, A relies on (or delegates trust to) the server to make $k$ available only to the party requested by A, and this can be assured only by T making use of the protected fields $(M, A, B)$.
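The server-side check that Attack 4 turns on, as an added Python example (not code from the Handbook or from any Otway-Rees implementation). Encryption is modelled symbolically: an `Enc(owner, payload)` value stands for $E_{K_{owner\,T}}(\text{payload})$ and T can open it only with the key it shares with that owner, an assumption that isolates the protocol-logic question (which fields T compares) from any particular cipher; the nonce and key labels are constructed.

```python
"""Server-side handling of Otway-Rees message (2), with and without the
cleartext check the text requires. Added example, not the Handbook's code.

Encryption is symbolic (assumption): Enc(owner, payload) can be opened by T
only using the long-term key T shares with `owner`.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Enc:
    owner: str            # principal whose key with T encrypts the payload
    payload: tuple        # (nonce, M, A, B) in message (2); (nonce, k) in message (3)


@dataclass(frozen=True)
class Msg2:
    M: int
    A: str
    B: str
    part_A: Enc           # E_{K_AT}(N_A, M, A, B)
    part_B: Enc           # E_{K_BT}(N_B, M, A, B)


class Server:
    """T: shares a long-term key with every registered principal and answers message (2)."""

    def __init__(self, principals):
        self.principals = set(principals)
        self.issued = 0

    def open(self, enc: Enc, claimed_owner: str) -> Optional[tuple]:
        # Decrypting under the wrong principal's key yields garbage: modelled as failure.
        return enc.payload if enc.owner == claimed_owner else None

    def handle_msg2(self, m: Msg2, check_cleartext: bool) -> Optional[Tuple[Enc, Enc]]:
        """Return message (3), or None if T rejects.

        check_cleartext=False performs only the first check (both encrypted
        (M, A, B) triples agree); True adds the comparison with the cleartext."""
        if m.A not in self.principals or m.B not in self.principals:
            return None
        pa = self.open(m.part_A, m.A)
        pb = self.open(m.part_B, m.B)
        if pa is None or pb is None:
            return None
        n_a, fields_a = pa[0], pa[1:]
        n_b, fields_b = pb[0], pb[1:]
        if fields_a != fields_b:                               # encrypted triples must agree
            return None
        if check_cleartext and fields_a != (m.M, m.A, m.B):    # ... and match the cleartext
            return None
        self.issued += 1
        k = f"k{self.issued}"                                  # fresh session key (label only)
        return Enc(m.A, (n_a, k)), Enc(m.B, (n_b, k))


def honest_msg2(M: int = 42) -> Msg2:
    """Message (2) as B forwards it to T (constructed values)."""
    return Msg2(M, "A", "B",
                Enc("A", ("N_A", M, "A", "B")),
                Enc("B", ("N_B", M, "A", "B")))


def tampered_msg2(m: Msg2) -> Msg2:
    """Message (2'): cleartext B replaced by E, second part re-made by E under its own
    key with its own nonce; A's encrypted part is left untouched."""
    return Msg2(m.M, m.A, "E", m.part_A, Enc("E", ("N_E", m.M, "A", "B")))


def key_recipients(check_cleartext: bool, tampered: bool) -> Optional[Tuple[str, str]]:
    """Principals to whom T hands k for the given server policy; None if T rejects."""
    T = Server({"A", "B", "E"})
    m = honest_msg2()
    if tampered:
        m = tampered_msg2(m)
    resp = T.handle_msg2(m, check_cleartext)
    return None if resp is None else (resp[0].owner, resp[1].owner)


if __name__ == "__main__":
    print("no cleartext check, (2') :", key_recipients(False, True))   # k reaches E
    print("cleartext check,    (2') :", key_recipients(True, True))    # rejected
```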


12.9.2 Analysis objectives and methods

The primary aim of protocol analysis is to establish confidence in the cryptographic security of a protocol. The following definitions aid discussion of protocol analysis.

12.81 Definition A key establishment protocol is operational (or compliant) if, in the absence of active adversaries and communications errors, honest participants who comply with its specification always complete the protocol having computed a common key and knowledge of the identities of the parties with whom the key is shared.

The most obvious objectives and properties of key establishment protocols, namely authenticity and secrecy of keys, are discussed in §12.2.2.

12.82 Definition A key establishment protocol is resilient if it is impossible for an active adversary to mislead honest participants as to the final outcome.

Protocol analysis should confirm that a protocol meets all claimed objectives. As a minimum, for a key establishment protocol this should include being operational (note this implies no security guarantees), providing both secrecy and authenticity of the key, and being resilient. Key authenticity implies the identities of the parties sharing the key are understood and corroborated, thus addressing impersonation and substitution. Resilience differs subtly from authentication, and is a somewhat broader requirement (e.g., see the attack of Note 12.54). Additional objectives beyond authenticated key establishment may include key confirmation, perfect forward secrecy, detection of key re-use, and resistance to known-key attacks (see §12.2.3).

In addition to verifying objectives are met, additional benefits of analysis include:

1. explicit identification of assumptions on which the security of a protocol is based;

2. identification of protocol properties, and precise statement of its objectives (this facilitates comparison with other protocols, and determining appropriateness);

3. examination of protocol efficiency (with respect to bandwidth and computation).

Essentially all protocol analysis methods require the following (implicitly or explicitly):

1. protocol specification - an unambiguous specification of protocol messages, when they are sent, and the actions to be taken upon reception thereof;

2. goals - an unambiguous statement of claimed assurances upon completion;

3. assumptions and initial state - a statement of assumptions and initial conditions;

4. proof - some form of argument that, given the assumptions and initial state, the specified protocol steps lead to a final state meeting the claimed goals.

Analysis methods

Common approaches for analyzing cryptographic protocols include the following:

1. ad hoc and practical analysis. This approach consists of any variety of convincing arguments that any successful protocol attack requires a resource level (e.g., time or space) greater than the resources of the perceived adversary. Protocols which survive such analysis are said to have heuristic security, with security here typically in the computational sense and adversaries assumed to have fixed resources. Arguments often presuppose secure building blocks. Protocols are typically designed to counter standard attacks, and shown to follow accepted principles. Practical arguments (paralleling complexity-theoretic arguments) involving constructions which assemble basic building blocks may justify security claims.

While perhaps the most commonly used and practical approach, it is in some ways the least satisfying. This approach may uncover protocol flaws thereby establishing that a protocol is bad. However, claims of security may remain questionable, as subtle flaws in cryptographic protocols typically escape ad hoc analysis; unforeseen attacks remain a threat.

2. reducibility from hard problems. This technique consists of proving that any successful protocol attack leads directly to the ability to solve a well-studied reference problem (Chapter 3), itself considered computationally infeasible given current knowledge and an adversary with bounded resources. Such analysis yields so-called provably secure protocols, although the security is conditional on the reference problem being truly (rather than presumably) difficult.

A challenge in this approach is to establish that all possible attacks have been taken into account, and can in fact be equated to solving the identified reference problems. This approach is considered by some to be as good a practical analysis technique as exists. Such provably secure protocols belong to the larger class of techniques which are computationally secure.

3. complexity-theoretic analysis. An appropriate model of computation is defined, and adversaries are modeled as having polynomial computational power (they may mount attacks involving time and space polynomial in the size of appropriate security parameters). A security proof relative to the model is then constructed. The existence of underlying cryptographic primitives with specified properties is typically assumed. An objective is to design cryptographic protocols which require the fewest cryptographic primitives, or the weakest assumptions.

As the analysis is asymptotic, care is required to determine when proofs have practical significance. Polynomial attacks which are feasible under such a model may nonetheless in practice be computationally infeasible. Asymptotic analysis may be of limited relevance to concrete problems in practice, which have finite size. Despite these issues, complexity-theoretic analysis is invaluable for formulating fundamental principles and confirming intuition.

4. information-theoretic analysis. This approach uses mathematical proofs involving entropy relationships to prove protocols are unconditionally secure. In some cases, this includes the case where partial secrets are disclosed (e.g., for unconditional security against coalitions of fixed size). Adversaries are modeled to have unbounded computing resources.

While unconditional security is ultimately desirable, this approach is not applicable to most practical schemes for several reasons. These include: many schemes, such as those based on public-key techniques, can at best be computationally secure; and information-theoretic schemes typically either involve keys of impractically large size, or can only be used once. This approach cannot be combined with computational complexity arguments because it allows unlimited computation.

5. formal methods. So-called formal analysis and verification methods include logics of authentication (cryptographic protocol logics), term re-writing systems, expert systems, and various other methods which combine algebraic and state-transition techniques. The most popular protocol logic is the Burrows-Abadi-Needham (BAN) logic. Logic-based methods attempt to reason that a protocol is correct by evolving a set of beliefs held by each party, to eventually derive a belief that the protocol goals have been obtained.

This category of analysis is somewhat disjoint from the first four. Formal methods have proven to be of utility in finding flaws and redundancies in protocols, and some are automatable to varying degrees. On the other hand, the "proofs" provided are proofs within the specified formal system, and cannot be interpreted as absolute proofs of security. A one-sidedness remains: the absence of discovered flaws does not imply the absence of flaws. Some of these techniques are also unwieldy, or applicable only to a subset of protocols or classes of attack. Many require (manually) converting a concrete protocol into a formal specification, a critical process which itself may be subject to subtle flaws.


12.10 Notes and further references

§12.1

While the literature is rife with proposals for key establishment protocols, few comprehensive treatments exist and many proposed protocols are supported only by ad hoc analysis.

§12.2

Much of §12.2 builds on the survey of Rueppel and van Oorschot [1086]. Fumy and Munzert [431] discuss properties and principles for key establishment. While encompassing the majority of key establishment as currently used in practice, Definition 12.2 gives a somewhat restricted view which excludes a rich body of research. More generally, key establishment may be defined as a process or mechanism which provides a shared capability (rather than simply a shared secret) between specified sets of participants, facilitating some operation for which the intention is that other sets of participants cannot execute. This broader definition includes many protocols in the area of threshold cryptography, introduced independently by Desmedt [336], Boyd [182], and Croft and Harris [288]; see the comprehensive survey of Desmedt [337].

The term perfect forward secrecy (Definition 12.16) was coined by Günther [530]; see also Diffie, van Oorschot, and Wiener [348]. Here "perfect" does not imply any properties of information-theoretic security (cf. Definition 12.73). The concept of known-key attacks (Definition 12.17), developed by Yacobi and Shmuely [1256] (see also Yacobi [1255]), is related to that of Denning and Sacco [330] on the use of timestamps to prevent message replay (see page 535).

Among items not discussed in detail in this chapter is quantum cryptography, based on the uncertainty principle of quantum physics, and advanced by Bennett et al. [114] building on the idea of quantum coding first described by Wiesner [1242] circa 1970. Although not providing digital signatures or non-repudiation, quantum cryptography allows key distribution (between two parties who share no a priori secret keying material), which is provably secure against adversaries with unlimited computing power, provided the parties have access to (aside from the quantum channel) a conventional channel subject to only passive adversaries. For background on the basic quantum channel for key distribution (quantum key distribution), see Brassard [192]; Phoenix and Townsend [973] survey developments in this area including experimental implementations.

Mitchell [879] presented a key agreement system based on use of a public broadcast channel transmitting data at a rate so high that an eavesdropper cannot store all data sent over a specified time interval. This is closely related to work of Maurer [815] regarding secret key agreement using only publicly available information, in turn motivated by Wyner's wire-tap channel [1254], which addresses the rate at which secret information can be conveyed to a communicating partner with security against a passive eavesdropper whose channel is subject to additional noise.

Regarding point-to-point techniques presented, those based on symmetric encryption are essentially from ISO/IEC 11770-2 [617], while AKEP1 and AKEP2 (Note 12.21; Protocol 12.20) are derived from Bellare and Rogaway [94] (see also §12.9 below). The idea of key derivation allowing key establishment by symmetric techniques based on a one-way function (without encryption), was noted briefly by Matsumoto, Takashima and Imai [800]; see also the proposals of Gong [499], and related techniques in the KryptoKnight suite [891, 141, 142].

Shamir's no-key protocol (Protocol 12.22; also called Shamir's three-pass protocol), including exponentiation-based implementation, is attributed to Shamir by Konheim [705, p.345]. Massey [786, p.35] notes that Omura [792], aware of Shamir's generic protocol, later independently proposed implementing it with an exponentiation-based cipher as per Protocol 12.22. See also Massey and Omura [956] (discussed in Chapter 15).

Version 5 of Kerberos (V5), the development of which began in 1989, was specified by Kohl and Neuman [1041]; for a high-level overview, see Neuman and Ts'o [926] who also note that a typical timestamp window is 5 minutes (centered around the verifier's time). The original design of Kerberos V4 was by Miller and Neuman, with contributions by Saltzer and Schiller [877]; an overview is given by Steiner, Neuman, and Schiller [1171], while V4 issues are noted by Kohl [701] and the critique of Bellovin and Merritt [103]. The basic protocol originates from the shared-key protocol of Needham and Schroeder [923], with timestamps (which Needham and Schroeder explicitly avoided) later proposed by Denning and Sacco [330], reducing the number of messages at the expense of secure and synchronized clocks. Bauer, Berson, and Feiertag [76] addressed symmetric assurances of freshness, recovery from single-key compromise, and reduction of messages through per-participant use of a local counter called an event marker; they also extended the Needham-Schroeder setting to multiple security domains (each with a separate KDC) and connectionless environments. Bellare and Rogaway [96] presented an efficient 4-pass server-based key transfer protocol with implicit key authentication, and key freshness properties secure against known-key attacks; significantly, their treatment (the first of its kind) shows the protocol to be provably secure (assuming a pseudorandom function). Advantages and disadvantages of using timestamps are discussed in §10.3.1.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

536

Ch. 12 Key Establishment Protocols

Protocol 12.29 is due to Otway and Rees [961]. Kehne, Schönwälder, and Langendörfer [663] discuss a 5-message nonce-based protocol with the same features as Kerberos (Protocol 12.24), without requiring distributed timeclocks. Excluding the optional re-authentication capability (as per Kerberos), it is essentially that of Mechanism 9 in ISO/IEC DIS 11770-2 [617], and similar to the 5-message Otway-Rees protocol as augmented per Remark 12.30 (with one fewer encryption by each of A and B); but see also the analysis of Neuman and Stubblebine [925]. A 5-message authentication protocol included in ISO/IEC 9798-2 [599] provides key transport using a trusted server, with mutual entity authentication and mutual key confirmation, without timestamps; Needham and Schroeder [924] propose a 7-message protocol with similar properties.

§12.4

Mechanism 12.35 and Fact 12.34 are due to Blom [158]; a simpler polynomial formulation is noted under §12.8 below. For background in coding theory, see MacWilliams and Sloane [778]. Mitchell and Piper [881] consider the use of combinatorial block designs and finite incidence structures called key distribution patterns to construct a class of non-interactive KDS. Each user is given a set of secret subkeys (with no algebraic structure as per Blom's scheme), from which each pair of users may compute a common key by combining appropriate subkeys via a public function. The question of reducing key storage was considered earlier by Blom [157], including security against coalitions of fixed size and the use of commutative functions (later generalized to symmetric functions by Blundo et al. [169]; see also §12.8 below). For related work, see Quinn [1014], Gong and Wheeler [506], and §12.7 below.

§12.5

Protocol 12.38, the public-key protocol of Needham and Schroeder [923], was originally specified to include 4 additional messages whereby signed public keys were requested from an on-line certification authority. Asymmetric key transport protocols involving various combinations of encryption and signatures are given in ISO/IEC CD 11770-3 [618]. The three-pass encrypt-then-sign protocol of §12.5.2(iii) originates from ISO/IEC 9798-3 [600]; it is closely related to the STS protocol (Protocol 12.57) which transfers Diffie-Hellman exponentials in place of random numbers. I'Anson and Mitchell [567] critique (e.g., see Note 12.42) the X.509 protocols [595]; see also the formal analysis of Gaarder and Snekkenes [433]. Protocol 12.44 and the related 2-pass key agreement of Figure 12.2 are due to Beller and Yacobi [101, 100], building on work of Beller, Chang, and Yacobi [99, 98, 97].

A two-pass key transport protocol called COMSET, based on public-key encryption, was adopted by the European community RACE Integrity Primitives Evaluation (RIPE) project [178]. Arising from zero-knowledge considerations studied by Brandt et al. [188], it employs Williams' variant of the Rabin public-key encryption (§8.3), and is similar in some aspects to the Needham-Schroeder public-key and Beller-Yacobi protocols. The protocol specified in Note 12.39 combines concepts of COMSET and the Needham-Schroeder protocol.

§12.6 

The landmark 1976 paper of Whitfield Diffie and Martin Hellman [345] is the standard reference
for both the seminal idea of public-key cryptography and the fundamental technique
of exponential key agreement. An earlier conference paper of Diffie and Hellman [344],
written in December 1975 and presented in June 1976, conceived the concept of public
key agreement and the use of public-key techniques for identification and digital signatures.
Diffie [342] reports that amidst joint work on the problem for some time, Hellman distilled
exponential key agreement in May 1976, and this was added to their June 1976 conference
presentation (but not the written paper). Preceding this, in the fall of 1974, Merkle independently
conceived a particular method for key agreement using the same abstract concepts.
Merkle's puzzle system [849], submitted for publication in 1975 and appearing in
April 1978, is as follows. Alice constructs m puzzles, each of which is a cryptogram Bob
can solve in n steps (exhaustively trying n keys until a recognizable plaintext is found).
Alice sends all m puzzles to Bob over an unsecured channel. Bob picks one of these, solves
it (cost: n steps), and treats the plaintext therein as the agreed key, which he then uses to
encrypt and send to Alice a known message. The encrypted message, now a puzzle which
Alice must solve, takes Alice n steps (by exhaustively trying n keys). For m ≈ n, each
of Alice and Bob requires O(n) steps for key agreement, while an opponent requires O(n^2)
steps to deduce the key. An appropriate value n is chosen such that n steps is computationally
feasible, but n^2 is not.
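Merkle's puzzle exchange as just described, as an added example that is not from the Handbook or from Merkle's paper. The puzzle "cryptogram" is a hypothetical toy (a SHAKE-256 keystream under a 2-byte key), the parameters n = m = 256 are tiny, and a step counter records how much keystream work Alice, Bob and an eavesdropper Eve each perform, so the O(n) versus O(n^2) gap of the text can be observed directly:

```python
import hashlib
import random

# Added example (not from the Handbook or Merkle's paper): Merkle's puzzle key
# agreement with a hypothetical toy cipher (a SHAKE-256 keystream) and tiny
# parameters, instrumented to count the work each party does.
KEY_BITS = 8                 # a puzzle is solved by trying n = 2**KEY_BITS keys
N = 1 << KEY_BITS            # n
M = N                        # m = n puzzles: the m ~ n case of the text's analysis
MARKER = b"MERKLE"           # makes the correct plaintext recognizable
KNOWN = b"hello Alice, this is Bob"

steps = 0                    # one keystream derivation = one "step" of work


def keystream(key: bytes, label: bytes, length: int) -> bytes:
    """Toy keyed keystream standing in for a block cipher; counts one step."""
    global steps
    steps += 1
    return hashlib.shake_256(label + key).digest(length)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def alice_make_puzzles(rng):
    """Puzzle i hides (MARKER, i, secret_i) under a random n-bit key: m steps."""
    puzzle_secrets = [rng.randbytes(16) for _ in range(M)]
    puzzles = []
    for i, s in enumerate(puzzle_secrets):
        pt = MARKER + i.to_bytes(2, "big") + s
        k = rng.randrange(N).to_bytes(2, "big")
        puzzles.append(xor(pt, keystream(k, b"puzzle", len(pt))))
    return puzzle_secrets, puzzles


def solve_puzzle(ct: bytes):
    """Exhaustively try the n keys until MARKER appears: at most n steps."""
    for k in range(N):
        pt = xor(ct, keystream(k.to_bytes(2, "big"), b"puzzle", len(ct)))
        if pt.startswith(MARKER):
            return int.from_bytes(pt[6:8], "big"), pt[8:]
    raise ValueError("unsolvable puzzle")


def bob_pick_and_confirm(puzzles, rng):
    """Bob solves one puzzle, adopts its secret as the key, sends E_key(KNOWN)."""
    _, key = solve_puzzle(rng.choice(puzzles))
    return key, xor(KNOWN, keystream(key, b"confirm", len(KNOWN)))


def alice_find_key(puzzle_secrets, confirm_ct: bytes) -> bytes:
    """Alice tries each of her m secrets on Bob's message: at most m steps."""
    for s in puzzle_secrets:
        if xor(confirm_ct, keystream(s, b"confirm", len(KNOWN))) == KNOWN:
            return s
    raise ValueError("no puzzle matches")


def eve_break(puzzles, confirm_ct: bytes) -> bytes:
    """Eve, who saw everything, must solve all m puzzles (about n*m/2 steps)."""
    return alice_find_key([solve_puzzle(p)[1] for p in puzzles], confirm_ct)


def run(seed: int = 1):
    """Returns (all three agree on the key, honest steps, attacker steps)."""
    global steps
    rng = random.Random(seed)
    steps = 0
    puzzle_secrets, puzzles = alice_make_puzzles(rng)
    bob_key, confirm_ct = bob_pick_and_confirm(puzzles, rng)
    alice_key = alice_find_key(puzzle_secrets, confirm_ct)
    honest = steps
    steps = 0
    eve_key = eve_break(puzzles, confirm_ct)
    return alice_key == bob_key == eve_key, honest, steps


if __name__ == "__main__":
    print(run())
```

Eve's cost is about nm/2 keystream derivations because each puzzle's key is found after half the key space on average; with n = m = 256 that is roughly 33 000 steps against fewer than 800 for the honest parties. The gap is quadratic and no better, which is why the construction is historically important rather than practical: doubling the honest parties' work only quadruples the attacker's.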

Rueppel  [1078]  explores  the  use  of  function  composition  to  generalize  Diffie-Hellman  key 
agreement.  Shmuely  [1127]  and  McCurley  [825]  consider  composite  Diffie-Hellman,  i.e., 
Diffie-Hellman  key  agreement  with  a composite  modulus.  McCurley  presents  a variation 
thereof, with an RSA-like modulus m of specific form and particular base α of high order
in Z_m^*, which is provably as secure (under passive attack) as the more difficult of factoring
m and solving the discrete logarithm problem modulo the factors of m.

Regarding  Diffie-Hellman  key  agreement,  van  Oorschot  and  Wiener  [1209]  note  that  use 
of  “short”  private  exponents  in  conjunction  with  a random  prime  modulus  p (e.g.,  256-bit 
exponents  with  1024-bit  p)  makes  computation  of  discrete  logarithms  easy.  They  also  doc- 
ument the  attack  of  Note  12.50,  which  is  related  to  issues  explored  by  Simmons  [1150]  con- 
cerning a party’s  ability  to  control  the  resulting  Diffie-Hellman  key,  and  more  general  issues 
of  unfairness  in  protocols.  Waldvogel  and  Massey  [1228]  carefully  examine  the  probability 
distribution  and  entropy  of  Diffie-Hellman  keys  under  various  assumptions.  When  private 
exponents are chosen independently and uniformly at random from the invertible elements
of Z_{p−1}, the φ(p−1) keys which may result are equiprobable. When private exponents
are chosen independently and uniformly at random from {0, ..., p−2} (as is customary in
practice), in the best case (when p is a safe prime, p = 2q+1, q prime) the most probable
Diffie-Hellman key is only 6 times more likely than the least probable, and the key entropy
is less than 2 bits shy of the maximum, lg(p−1); while in the worst case (governed by a
particular  factorization  pattern  of  p — 1)  the  distribution  is  still  sufficiently  good  to  preclude 
significant  cryptanalytic  advantage,  for  p of  industrial  size  or  larger. 
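The Waldvogel and Massey figures above can be checked exactly for a small safe prime. The following added example (not from the Handbook or from [1228]) enumerates all (a, b) pairs for p = 23 and p = 47 with generator 5 (both are safe primes) and compares the most and least probable keys. The closed form (6q−3)/(q−1) for that ratio is derived for this example, not taken from the paper: the key 1 arises from every pair with ab ≡ 0 (mod p−1), while a key whose discrete logarithm is a unit modulo p−1 arises from only the q−1 pairs with a invertible; the code confirms it:

```python
from fractions import Fraction
from math import log2

# Added example, not from the Handbook or from Waldvogel and Massey [1228]:
# the exact distribution of the Diffie-Hellman key g^(ab) mod p for a small
# safe prime p = 2q + 1, with a and b independent and uniform on {0, ..., p-2}.


def generates_safe_prime_group(g: int, p: int) -> bool:
    """For p = 2q + 1, g generates Z_p^* iff g^2 != 1 and g^q != 1 (mod p)."""
    q = (p - 1) // 2
    return pow(g, 2, p) != 1 and pow(g, q, p) != 1


def dh_key_distribution(p: int, g: int) -> dict:
    """Probability of every key g^(ab) mod p over all (a, b) in {0..p-2}^2."""
    if not generates_safe_prime_group(g, p):
        raise ValueError("g must generate Z_p^*")
    order = p - 1
    counts = {}
    for a in range(order):
        for b in range(order):
            key = pow(g, a * b % order, p)     # only ab mod (p-1) matters
            counts[key] = counts.get(key, 0) + 1
    return {key: Fraction(c, order * order) for key, c in counts.items()}


def entropy_bits(dist: dict) -> float:
    return -sum(float(pr) * log2(float(pr)) for pr in dist.values())


def predicted_ratio(p: int) -> Fraction:
    """Derived for this example: the key 1 arises from every (a, b) with
    ab = 0 mod 2q (6q - 3 pairs); a key whose discrete log is a unit mod 2q
    arises only from the q - 1 pairs with a invertible, so max/min = (6q-3)/(q-1)."""
    q = (p - 1) // 2
    return Fraction(6 * q - 3, q - 1)


def analyse(p: int, g: int):
    """Returns (max/min key probability, entropy in bits, lg(p-1), most likely key)."""
    dist = dh_key_distribution(p, g)
    ratio = max(dist.values()) / min(dist.values())
    return ratio, entropy_bits(dist), log2(p - 1), max(dist, key=dist.get)


if __name__ == "__main__":
    for p in (23, 47):                       # both safe primes; 5 generates each group
        print(p, analyse(p, 5), predicted_ratio(p))
```

The most probable key is always 1 (whenever a or b is 0, or the product lands on a multiple of p−1); the other quadratic residues come next, then −1, and the quadratic non-residues are the rarest. The loss of entropy is therefore concentrated in a few identifiable values rather than spread across the key space, and the two worst offenders, 1 and −1, are exactly the degenerate keys an implementation should reject outright.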

The  one-pass  key  agreement  of  Protocol  12.51  was  motivated  by  the  work  of  ElGamal 
[368].  The  MTI  protocols  of  Table  12.5  were  published  in  1986  by  Matsumoto,  Takashima, 
and Imai [800]. MTI/A0 is closely related to a scheme later patented by Goss [519];
in  the  latter,  exclusive-OR  is  used  in  place  of  modular  multiplication  to  combine  partial 
keys.  Matsumoto  et  al.  equate  the  computational  complexity  of  passive  attacks  (exclud- 
ing known-key  attacks)  on  selected  key  agreement  protocols  to  that  of  one  or  two  Diffie- 
Hellman  problems.  Active  attacks  related  to  Note  12.54  are  considered  by  Diffie,  van 
Oorschot, and Wiener [348], and Menezes, Qu, and Vanstone [844]. Yacobi and Shmuely
[1256]  note  two  time-variant  versions  of  Diffie-Hellman  key  agreement  which  are  inse- 
cure against  known-key  attack.  A similar  protocol  which  falls  to  known-key  attack  was 
discussed  by  Yacobi  [1255],  subsequently  rediscovered  by  Alexandris  et  al.  [21],  and  re- 
examined by  Nyberg  and  Rueppel  [937].  Yacobi  [1255]  proves  that  the  MTI/A0  proto- 
col with  composite-modulus  is  provably  secure  (security  equivalent  to  composite  Diffie- 
Hellman)  under  known-key  attack  by  a passive  adversary;  Desmedt  and  Burmester  [339], 
however, note the security is only heuristic under known-key attack by an active adversary.
A formal-logic  security  comparison  of  the  protocols  of  Goss  (essentially  Protocol  12.53), 
Gunther  (Protocol  12.62),  and  STS  (Protocol  12.57)  is  given  by  van  Oorschot  [1204]. 
Burmester  [220]  identifies  known-key  triangle  attacks  which  may  be  mounted  on  the  for- 
mer two  and  related  protocols  which  provide  only  implicit  key  authentication  (including 
MTI  protocols,  cf.  Note  12.54).  Known-key  attacks  were  also  one  motivation  for  Denning 
and Sacco [330] to modify the Needham-Schroeder protocol as discussed above (cf. p.534).

Protocol  12.57  (STS)  evolved  from  earlier  work  on  ISDN  telephone  security  as  outlined  by 
Diffie  [342,  p.568],  who  also  reports  on  STU-III  telephones.  Variations  of  STS  and  an  infor- 
mal model  for  authentication  and  authenticated  key  establishment  are  discussed  by  Diffie, 
van  Oorschot,  and  Wiener  [348].  Bellovin  and  Merritt  [104, 105]  (see  also  the  patent  [102]) 
propose  another  hybrid  protocol  ( Encrypted  Key  Exchange  - EKE),  involving  exponential 
key  agreement  with  authentication  based  on  a shared  password,  designed  specifically  to 
protect  against  password-guessing  attacks  by  precluding  easy  verification  of  guessed  pass- 
words; Steiner,  Tsudik,  and  Waidner  [1172]  provide  further  analysis  and  extensions.  A hy- 
brid protocol with similar goals is given by Gong et al. [504], including discussion of its rela-
tionship to  EKE,  and  expanding  the  earlier  work  of  Lomas  et  al.  [771]. 

Blom  [157]  was  apparently  the  first  to  propose  an  identity-based  (or  more  accurately, 
index-based)  key  establishment  protocol.  Shamir  [1115]  proposed  the  more  general  idea  of 
identity-based  systems  wherein  a user’s  public  key  may  be  a commonly  known  name  and 
address.  For  further  discussion  of  ID-based  schemes,  see  the  chapter  notes  on  §13.4.  Self- 
certified  public  keys  (Mechanism  12.61)  are  discussed  by  Girault  [459],  who  credits  earlier 
work  by  others,  and  provides  the  self-certified  version  of  Gunther’s  ID-based  keys  (Exam- 
ple 12.67).  The  parenthetical  forgery  attack  mentioned  in  Mechanism  12.61  is  outlined  by 
Stinson  [1178].  Key  agreement  protocols  as  in  Examples  12.64  and  12.65,  using  both  ID- 
based  public  keys  of  Gunther  [530]  (Mechanism  12.59)  and  modified  ElGamal  signatures, 
are  given  by  Horster  and  Knobloch  [562].  The  optimization  of  ElGamal  signatures  noted  in 
Remark 12.60 is by Agnew, Mullin, and Vanstone [19]. Rabin's signature scheme (Chapter 11)
may be used in place of RSA to reduce the computations required in schemes based
on  Girault’s  implicitly-certified  public  keys.  Maurer  and  Yacobi  [824]  (modifying  their 
earlier  proposal  [823])  propose  an  identity-based  one-pass  key  pre-distribution  scheme  us- 
ing composite  modulus  Diffie-Hellman,  featuring  implicitly-certified  public  key-agreement 
keys  essentially  consisting  of  a user’s  identity  (or  email  address);  the  corresponding  private 
key  is  the  discrete  logarithm  of  this,  computed  by  a trusted  authority  which,  knowing  the 
factorization  of  an  appropriately  chosen  modulus  n,  can  thereby  compute  logarithms. 

Nyberg  and  Rueppel  [936]  note  their  signature  scheme  (Chapter  11)  may  be  used  to  cre- 
ate implicitly  certified,  identity-based  public  keys  with  properties  similar  to  those  of  Gi- 
rault (Mechanism  12.61),  as  well  as  key  agreement  protocols;  Nyberg  [935]  presents  an  im- 
proved one-pass  key  agreement  based  on  these  ideas.  Okamoto  and  Tanaka  [946]  propose 
identity-based  key  agreement  protocols  combining  exponential  key  agreement  and  RSA, 
including  one  using  timestamps  and  providing  entity  authentication,  and  a simpler  protocol 
providing  (implicit)  key  authentication. 

The  idea  of  split  control  has  long  been  known  (e.g.,  see  Sykes  [1180]).  Shamir  [1110]  and 
Blakley  [148]  independently  proposed  the  idea  of  threshold  schemes,  the  latter  based  on 
vector subspaces. The simplest example of Blakley's idea is a (2, n) threshold scheme
where  the  shares  (here  called  shadows)  distributed  to  parties  are  non-collinear  lines  in  a 
common  plane;  the  shared  secret  of  any  two  parties  is  the  intersection  of  their  lines.  For  a 
(3,  n)  scheme,  the  shadows  consist  of  non-parallel  planes,  any  two  of  which  intersect  in  a 
line, and any three of which intersect in a point. While Shamir's threshold scheme is perfect,
Blakley’s  vector  scheme  is  not  (the  set  of  possible  values  of  the  shared  secret  narrows  as 
subsequent  shares  are  added).  Karnin,  Greene,  and  Heilman  [662]  discuss  the  unanimous 
consent  control  scheme  of  §12.7.1;  see  also  Diffie  and  Heilman  [344,  p.110]. 

Generalized  secret  sharing  schemes  and  the  idea  of  access  structures  were  first  studied  by 
Ito,  Saito,  and  Nishizeki  [625],  who  provided  a construction  illustrating  that  any  monotone 
access  structure  can  be  realized  by  a perfect  secret  sharing  scheme.  Benaloh  and  Leichter 
[112]  provided  more  elegant  constructions.  A comprehensive  discussion  of  secret  shar- 
ing including  adaptations  providing  shared  control  capabilities  of  arbitrary  complexity,  and 
many  of  the  extended  capabilities  including  pre-positioned  schemes,  is  given  by  Simmons 
[1145,  1141,  1142],  mainly  with  geometric  illustration.  An  exposition  by  Stinson  [1177] 
addresses  information  rate  in  particular.  Ingemarsson  and  Simmons  [570]  consider  secret 
sharing  schemes  which  do  not  require  a trusted  party. 

Laih  et  al.  [732]  consider  dynamic  secret  sharing  schemes.  Blundo  et  al.  [168]  consider 
pre-positioned  schemes,  dynamic  secret  sharing,  and  bounds  on  share  sizes  and  broadcast 
messages  therein;  Jackson,  Martin,  and  O’Keefe  [629]  examine  related  multi-secret  thresh- 
old schemes.  Blakley  et  al.  [147]  consider  threshold  schemes  with  disenrollment. 

Tompa  and  Woll  [1195]  note  that  an  untrustworthy  participant  U may  cheat  in  Shamir’s 
threshold  scheme  by  submitting  a share  different  than  its  own,  but  carefully  computed  such 
that  pooling  of  shares  provides  other  participants  with  no  information  about  the  secret  S, 
while  allowing  U to  recover  S.  They  propose  modifications  which  (with  high  probability) 
allow  detection  of  cheating,  and  which  prevent  a cheater  U from  actually  obtaining  the  se- 
cret. 

The  related  problem  of  verifiable  secret  sharing,  which  is  of  broader  interest  in  secure  dis- 
tributed computation,  was  introduced  by  Chor  et  al.  [259];  see  also  Benaloh  [110]  and  Feld- 
man [390],  as  well  as  Rabin  and  Ben-Or  [1028].  Here  the  trusted  party  distributing  shares 
might  also  cheat,  and  the  goal  is  to  verify  that  all  distributed  shares  are  consistent  in  the 
sense  that  appropriate  subsets  of  shares  define  the  same  secret.  For  applications  of  verifi- 
able secret sharing to key escrow, see Micali [863].

Fact  12.75  is  based  on  the  definition  of  perfect  secret  sharing  and  information-theoretic  se- 
curity, as  is  the  majority  of  research  in  secret  sharing.  Ramp  schemes  with  shares  shorter 
than  the  secret  were  examined  by  Blakley  and  Meadows  [151];  while  trading  off  per- 
fect security  for  shorter  shares,  their  examination  is  nonetheless  information-theoretic.  In 
practice,  a more  appropriate  goal  may  be  computationally  secure  secret  sharing;  here  the 
objective  is  that  if  one  or  more  shares  is  missing,  an  opponent  has  insufficient  informa- 
tion to  (computationally)  recover  the  shared  secret.  This  idea  was  elegantly  addressed  by 
Krawczyk [715] as follows. To share a large s-bit secret S = P (e.g., a plaintext file)
among n users, first encrypt it under a k-bit symmetric key K as C = E_K(P); using a
perfect secret sharing scheme such as Shamir's (t, n) scheme, split K into n k-bit shares
K_1, ..., K_n; then using Rabin's information dispersal algorithm (IDA) [1027] split C
into n pieces C_1, ..., C_n each of (s/t) bits; finally, distribute to user U_i the secret share
S_i = (K_i, C_i). Any t participants who pool their shares can then recover K by secret sharing,
C by IDA, and P = S by decrypting C using K. By the remarkable property of IDA,
the sum of the sizes of the t pieces C_i used is exactly the size of the recovered secret S itself
(which cannot be bettered); globally, the only space overhead is that for the short keys K_i,
whose size k is independent of the large secret S.
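Krawczyk's construction above, as an added example that is not from the Handbook or from [715]. Shamir's (t, n) scheme and Rabin's IDA are both implemented as polynomial interpolation over GF(2^61−1); the symmetric cipher is a toy SHAKE-256 keystream assumed for this example only (a real AEAD belongs there in practice), and the 16-byte key K is shared as three 7-byte field elements. The IDA uses the convention that a group of t data elements defines the polynomial taking those values at 0, ..., t−1 and that piece j holds its value at t+j, so recovery from any t pieces is the same interpolation step:

```python
import hashlib
import secrets
from math import prod

# Added example, not from the Handbook or from Krawczyk's paper: computational
# secret sharing. Encrypt the file, Shamir-share the short key, disperse the
# ciphertext with Rabin's IDA. The cipher is a toy SHAKE-256 keystream, an
# assumption of this example only; a real deployment would use an AEAD.
P = (1 << 61) - 1      # Mersenne prime: one field for both Shamir and IDA
CHUNK = 7              # 7-byte (56-bit) chunks embed as field elements < P


def lagrange(points, x):
    """Value at x of the unique polynomial of degree < len(points) through points, mod P."""
    return sum(y * prod((x - xj) * pow(xi - xj, -1, P) % P for xj, _ in points if xj != xi)
               for xi, y in points) % P


def to_elems(data: bytes):
    data += b"\x00" * (-len(data) % CHUNK)          # zero-pad to whole chunks
    return [int.from_bytes(data[i:i + CHUNK], "big") for i in range(0, len(data), CHUNK)]


def from_elems(elems, length: int) -> bytes:
    return b"".join(e.to_bytes(CHUNK, "big") for e in elems)[:length]


def shamir_split(secret: int, t: int, n: int):
    """Perfect (t, n) sharing of one field element: f(0) = secret, share i = f(i)."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(i, sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P)
            for i in range(1, n + 1)]


def ida_split(elems, t: int, n: int):
    """Rabin IDA: each group of t data elements defines the polynomial with
    f(0..t-1) = data, and piece j stores f(t + j). Not perfect, but every piece
    is only 1/t of the data, which cannot be bettered."""
    elems = elems + [0] * (-len(elems) % t)
    pieces = [[] for _ in range(n)]
    for g in range(0, len(elems), t):
        pts = list(enumerate(elems[g:g + t]))
        for j in range(n):
            pieces[j].append(lagrange(pts, t + j))
    return pieces


def ida_recover(indexed_pieces, t: int):
    """indexed_pieces = [(j, piece_j)] for any t distinct j; returns the data elements."""
    out = []
    for g in range(len(indexed_pieces[0][1])):
        pts = [(t + j, piece[g]) for j, piece in indexed_pieces]
        out.extend(lagrange(pts, i) for i in range(t))
    return out


def keystream(key: bytes, n: int) -> bytes:
    return hashlib.shake_256(b"css-toy|" + key).digest(n)   # key is used once: no nonce


def css_share(plaintext: bytes, t: int, n: int):
    """Returns the n shares S_i = (i, K_i, C_i) and the public metadata."""
    key = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    key_shares = [shamir_split(e, t, n) for e in to_elems(key)]   # 16 bytes -> 3 elements
    ct_pieces = ida_split(to_elems(ct), t, n)
    shares = [(i + 1, [ks[i][1] for ks in key_shares], ct_pieces[i]) for i in range(n)]
    return shares, {"t": t, "ct_len": len(ct), "key_len": len(key)}


def css_recover(shares, meta) -> bytes:
    """Any t distinct shares: Shamir-recover K, IDA-recover C, decrypt."""
    t = meta["t"]
    chosen = list({s[0]: s for s in shares}.values())[:t]
    if len(chosen) < t:
        raise ValueError("need at least t distinct shares")
    key = from_elems([lagrange([(i, k_i[c]) for i, k_i, _ in chosen], 0)
                      for c in range(len(chosen[0][1]))], meta["key_len"])
    ct = from_elems(ida_recover([(i - 1, c_i) for i, _, c_i in chosen], t), meta["ct_len"])
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


def share_bytes(share) -> int:
    """Per-participant storage: key share plus ciphertext piece (about k + s/t bits)."""
    _, k_i, c_i = share
    return (len(k_i) + len(c_i)) * CHUNK
```

For a 100-byte file with t = 3, n = 5 each participant stores 56 bytes: 21 bytes of key shares plus a 35-byte ciphertext piece (the 2 bytes beyond s/t are chunk padding), against the 100-byte secret; a perfect scheme would need every share to be at least 100 bytes. The key shares are perfect; only the IDA pieces are not (t−1 pieces pin the t ciphertext elements of each group down to a single unknown field element), which is exactly why the file is encrypted first.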

The  clever  idea  of  visual  cryptography  to  facilitate  sharing  (or  encryption)  of  pictures  is  due 
to  Naor  and  Shamir  [919].  The  pixels  of  a (secret)  picture  are  treated  as  individual  secrets 
to be shared. The picture is split into two or more images each of which contains one share
for  each  original  pixel.  Each  original  pixel  is  split  into  shares  by  subdivision  into  subpixels 
of  appropriate  size,  with  selection  of  appropriate  combinations  of  subpixel  shadings  (black 
and  white)  such  that  stacking  the  images  on  transparencies  reveals  the  original,  while  each 
individual  image  appears  random.  Picture  recovery  requires  no  computation  (it  is  visual); 
anyone  with  all  but  one  of  the  images  still  has  (provably)  no  information. 
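Naor and Shamir's (2, 2) scheme, as an added example that is not from the Handbook or from [919]. Each secret pixel is expanded into a 2×2 block of subpixels; share 1 gets one of the six patterns with two dark subpixels chosen at random, and share 2 gets the same pattern for a white pixel or its complement for a black one, so stacking yields two dark subpixels (seen as grey) for white and four for black. A frequency check on a constructed sample image confirms that one share's blocks are distributed identically whatever the underlying pixel:

```python
import random
from itertools import combinations

# Added example (not Naor and Shamir's own code): a (2, 2) visual secret sharing
# scheme in which every secret pixel becomes a 2x2 block of subpixels. Image
# rows use '#' for black and '.' for white; in shares, 1 = opaque, 0 = clear.
PATTERNS = [tuple(1 if i in black else 0 for i in range(4))
            for black in combinations(range(4), 2)]        # the 6 two-of-four patterns

SECRET = ["#..#.",
          ".##.#",
          "#..#."]            # constructed sample image


def make_shares(secret, rng):
    """Share 1 gets a random pattern per pixel; share 2 gets the same pattern
    for a white pixel and its complement for a black pixel."""
    h, w = len(secret), len(secret[0])
    s1 = [[0] * (2 * w) for _ in range(2 * h)]
    s2 = [[0] * (2 * w) for _ in range(2 * h)]
    for y in range(h):
        for x in range(w):
            pat = rng.choice(PATTERNS)
            other = tuple(1 - b for b in pat) if secret[y][x] == "#" else pat
            for k in range(4):
                s1[2 * y + k // 2][2 * x + k % 2] = pat[k]
                s2[2 * y + k // 2][2 * x + k % 2] = other[k]
    return s1, s2


def stack(s1, s2):
    """Stacking transparencies: a subpixel is dark if it is dark on either."""
    return [[a | b for a, b in zip(r1, r2)] for r1, r2 in zip(s1, s2)]


def read_off(stacked):
    """What the eye sees: 4 dark subpixels = black pixel, 2 dark = grey (white)."""
    rows = []
    for y in range(len(stacked) // 2):
        row = ""
        for x in range(len(stacked[0]) // 2):
            dark = sum(stacked[2 * y + dy][2 * x + dx] for dy in (0, 1) for dx in (0, 1))
            row += "#" if dark == 4 else "."
        rows.append(row)
    return rows


def block_at(share, x, y):
    return tuple(share[2 * y + k // 2][2 * x + k % 2] for k in range(4))


def pattern_frequencies(secret, rng, trials=300):
    """Empirical distribution of share-2 blocks, split by the colour of the
    underlying secret pixel. Both conditional distributions should be uniform
    on PATTERNS: a single share carries no information about the picture."""
    counts = {"#": {p: 0 for p in PATTERNS}, ".": {p: 0 for p in PATTERNS}}
    for _ in range(trials):
        _, s2 = make_shares(secret, rng)
        for y, row in enumerate(secret):
            for x, px in enumerate(row):
                counts[px][block_at(s2, x, y)] += 1
    return {px: {p: c / sum(cs.values()) for p, c in cs.items()} for px, cs in counts.items()}


if __name__ == "__main__":
    s1, s2 = make_shares(SECRET, random.Random(7))
    for row in stack(s1, s2):
        print("".join("#" if b else "." for b in row))
```

The contrast is what the scheme pays: white pixels come out half dark, so recovered images are legible rather than exact. The "provably no information" claim in the text corresponds to the frequency check: complementing a two-of-four pattern is a bijection on the six patterns, so the distribution of a single share's blocks does not depend on the secret at all.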

An  early  investigation  of  conference  keying  schemes  based  on  Diffie-Hellman  key  agree- 
ment was  undertaken  by  Ingemarsson,  Tang  and  Wong  [571].  The  protocol  of  Burmester 
and  Desmedt  [222]  (Protocol  12.78)  is  the  most  efficient  of  those  which  have  been  proposed 
and  are  provably  secure;  their  work  includes  a review  of  alternate  proposals  and  a thorough 
bibliography.  Research  in  this  area  with  particular  emphasis  on  digital  telephony  includes 
that  of  Brickell,  Lee,  and  Yacobi  [205];  Steer  et  al.  [1169];  and  Heiman  [547]. 

Matsumoto  and  Imai  [799]  systematically  define  (symmetric-key)  key  pre-distribution  sch- 
emes, based  on  symmetric  functions,  for  conferences  of  two  or  more  parties.  Their  propos- 
als are  non-interactive  and  ID-based,  following  the  original  idea  of  two-party  non-interact- 
ive  ID-based  schemes  by  Blom  [157, 158],  including  consideration  of  information-theoretic 
security  against  coalitions  of  fixed  size.  Tsujii  and  Chao  [1197],  among  many  others,  pro- 
pose schemes  in  a similar  setting.  Blundo  et  al.  [169]  both  specialize  the  work  of  Mat- 
sumoto and  Imai,  and  generalize  Blom’s  symmetric  key  distribution  (Mechanism  12.35) 
and bounds from two-party key pre-distribution to non-interactive j-secure conference key-
ing schemes  of  fixed  size;  prove  Fact  12.79;  and  provide  a scheme  meeting  this  bound. 
Their  generalization  uses  symmetric  polynomials  in  t variables  for  privileged  subsets  of  size 
t,  yielding  in  the  two-party  case  (t  = 2)  an  equivalent  but  simpler  formulation  of  Blom’s 
scheme: the trusted party selects an appropriate secret symmetric polynomial f(x, y) and
gives party i the secret univariate polynomial f(i, y), allowing parties i and j to share the
pairwise key f(i, j) = f(j, i). They also consider an interactive model. Further examination
of interactive vs. non-interactive conferencing is undertaken by Beimel and Chor [83].
Fiat and Naor [394] consider j-secure broadcast encryption schemes, and practical schemes
requiring  less  storage;  for  the  former,  Blundo  and  Cresti  [167]  establish  lower  bounds  on 
the  number  of  keys  held  and  the  size  of  user  secrets. 
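The symmetric-polynomial form of Blom's scheme described above, as an added example that is not from the Handbook or from [169]; the field GF(2^127−1) and the user identifiers are assumptions of the example. Beyond the pairwise key computation it also carries out the coalition attack that bounds the scheme: t+1 colluding users interpolate the trusted party's polynomial and derive the key of any other pair, while t users cannot:

```python
import secrets
from math import prod

# Added example (not from Blom's or Blundo et al.'s papers): the symmetric
# polynomial formulation of Blom's scheme with hypothetical parameters, plus
# the coalition attack that shows why the scheme is only t-secure.
P = (1 << 127) - 1    # Mersenne prime; pairwise keys are elements of GF(P)


def trusted_setup(t: int):
    """T's secret: a symmetric (t+1)x(t+1) coefficient matrix, so that
    f(x, y) = sum_{k,j} a[k][j] x^k y^j satisfies f(x, y) = f(y, x)."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for k in range(t + 1):
        for j in range(k, t + 1):
            a[k][j] = a[j][k] = secrets.randbelow(P)
    return a


def user_share(a, i: int):
    """User i's secret g_i(y) = f(i, y), as t+1 coefficients in y."""
    t = len(a) - 1
    return [sum(a[k][j] * pow(i, k, P) for k in range(t + 1)) % P for j in range(t + 1)]


def pairwise_key(g_i, j: int) -> int:
    """Non-interactive: i computes K_ij = g_i(j); j computes g_j(i); they agree."""
    return sum(c * pow(j, k, P) for k, c in enumerate(g_i)) % P


def lagrange(points, x):
    """Value at x of the degree < len(points) polynomial through points, mod P."""
    return sum(y * prod((x - xj) * pow(xi - xj, -1, P) % P for xj, _ in points if xj != xi)
               for xi, y in points) % P


def coalition_key(captured, u: int, v: int) -> int:
    """A coalition holding the shares of t+1 users (captured = [(id, g_id)])
    recovers g_u for any victim u: the coefficient of y^j in f(x, y) is a
    polynomial of degree t in x, known at t+1 points. With only t shares the
    interpolation is one degree short and yields garbage."""
    t = len(captured[0][1]) - 1
    g_u = [lagrange([(i, g[j]) for i, g in captured], u) for j in range(t + 1)]
    return pairwise_key(g_u, v)


if __name__ == "__main__":
    a = trusted_setup(2)
    g3, g7 = user_share(a, 3), user_share(a, 7)
    print(pairwise_key(g3, 7) == pairwise_key(g7, 3))
```

Storage per user is t+1 field elements, the price of t-security. The attack is the reason the parameter is stated as a coalition size rather than as a key length: once more than t devices holding shares are compromised, every pairwise key in the system is exposed without touching the trusted party, which matters for the sensor-network and smart-card settings where this kind of pre-distribution is attractive.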

Berkovits  [116]  gives  constructions  for  creating  secret  broadcasting  schemes  (conference 
keying schemes where all messages are broadcast) from (t, n) threshold schemes. Essentially,
for conferences with t members, a new (t+1, 2t+1) threshold scheme with secret K is created
from the old, and t new shares are publicly broadcast such that each of the t pre-assigned
secret shares of the intended conference members serves as share t+1, allowing recovery of
the conference key K in the new scheme. For related work involving use of
polynomial  interpolation,  key  distribution  involving  a trusted  party,  and  broadcasting  keys, 
see  Gong  [502]  and  Just  et  al.  [647]. 

The  intruder-in-the-middle  attack  (Attack  1)  is  discussed  by  Rivest  and  Shamir  [1057], 
who  propose  an  “interlock  protocol”  to  allow  its  detection;  but  see  also  Bellovin  and  Mer- 
ritt [106].  The  reflection  attack  (Attack  2)  is  discussed  by  Mitchell  [880].  Attack  4 on 
the  Otway-Rees  protocol  is  discussed  by  Boyd  and  Mao  [183]  and  van  Oorschot  [1205]. 
The  interleaving  attack  (Attack  3)  is  due  to  Wiener  circa  June  1991  (document  ISO/IEC 
JTC1/SC27  N313,  2 October  1991),  and  discussed  by  Diffie,  van  Oorschot,  and  Wiener 
[348]  along  with  attacks  on  sundry  variations  of  Diffie-Hellman  key  agreement.  Bird  et 
al.  [140]  systematically  examine  interleaving  attacks  on  symmetric-key  protocols,  consider 
exhaustive analysis to detect such attacks, and propose a protocol resistant thereto (namely
2PP,  included  in  the  IBM  prototype  KryptoKnight  [891];  see  also  [141,  142]). 

Bellare  and  Rogaway  [94],  building  on  the  work  of  earlier  informal  models,  present  a 
complexity-theoretic  communications  model  and  formal  definitions  for  secure  symmetric- 
key  two-party  mutual  authentication  and  authenticated  key  establishment,  taking  known- 
key  attacks  into  account.  They  prove  AKEP1  (Note  12.21)  and  AKEP2  (Protocol  12.20) 
secure relative to this model, for parameters of appropriate size and assuming h and h' are
pseudorandom  functions  or  pseudorandom  permutations;  they  also  suggest  practical  con- 
structions for  pseudorandom  functions  based  on  DES  and  MD5.  Gong  [503]  examines  the 
efficiency  of  various  authentication  protocols  and  proposes  lower  bounds  (e.g.,  on  the  num- 
ber of  message-passes  required). 

The  examples  illustrating  attacks  on  flawed  protocols  are  only  a few  of  countless  docu- 
mented in  the  literature.  Moore  [898]  provides  an  excellent  survey  on  protocol  failure;  see 
also  Anderson  and  Needham  [31]  and  Abadi  and  Needham  [1]  for  sound  engineering  prin- 
ciples. A large  number  of  authenticated  key  establishment  protocols  with  weaknesses  are 
analyzed  using  the  BAN  logic  in  the  highly  recommended  report  of  Burrows,  Abadi,  and 
Needham  [227]  (and  by  the  same  title:  [224,  226,  225]).  Gligor  et  al.  [463]  discuss  the  lim- 
itations of  authentication  logics.  Syverson  [1181]  examines  the  goals  of  formal  logics  for 
protocol  analysis  and  the  utility  of  formal  semantics  as  a reasoning  tool.  Among  the  au- 
thentication logics  evolving  from  BAN  are  those  of  Abadi  and  Tuttle  [2],  Gong,  Needham, 
and  Yahalom  [505],  and  Syverson  and  van  Oorschot  [1183].  The  work  of  Abadi  and  Tuttle 
is  notable  for  its  model  of  computation  and  formal  semantics  relative  to  this  model.  Lamp- 
son  et  al.  [740]  both  provide  a theory  of  authentication  in  distributed  systems  (including 
delegation  and  revocation)  and  discuss  a practical  system  based  on  this  theory. 

One  of  the  first  contributions  to  formal  protocol  analysis  was  that  of  Dolev  and  Yao  [359], 
whose  formal  model,  which  focuses  on  two-party  protocols  for  transmitting  secret  plain- 
texts, facilitates  precise  discussion  of  security  issues.  This  approach  was  augmented  with 
respect  to  message  authentication  and  information  leakage  by  Book  and  Otto  [170].  Three 
general  approaches  to  protocol  analysis  are  discussed  by  Kemmerer,  Meadows,  and  Millen 
[664]  (see  also  Simmons  [1148]):  an  algebraic  approach,  a state  transition  approach,  and 
a logical  approach  (which  can  be  given  a state-transition  semantics).  They  illustrate  sev- 
eral methods  on  a protocol  with  known  flaws  (the  infamous  TMN  protocol  of  Tatebayashi, 
Matsuzaki,  and  Newman  [1188]).  Other  recent  surveys  on  formal  methods  include  that  of 
Meadows  [831],  and  the  comprehensive  survey  of  Rubin  and  Honeyman  [1073].  An  exten- 
sive bibliographic  tour  of  authentication  literature  is  provided  by  Liebl  [765]. 
13.1 Introduction

This  chapter  considers  key  management  techniques  for  controlling  the  distribution,  use,  and 
update  of  cryptographic  keys.  Whereas  Chapter  12  focuses  on  details  of  specific  key  estab- 
lishment protocols  which  provide  shared  secret  keys,  here  the  focus  is  on  communications 
models  for  key  establishment  and  use,  classification  and  control  of  keys  based  on  their  in- 
tended use,  techniques  for  the  distribution  of  public  keys,  architectures  supporting  auto- 
mated key  updates  in  distributed  systems,  and  the  roles  of  trusted  third  parties.  Systems 
providing  cryptographic  services  require  techniques  for  initialization  and  key  distribution 
as  well  as  protocols  to  support  on-line  update  of  keying  material,  key  backup/recovery,  re- 
vocation, and  for  managing  certificates  in  certificate-based  systems.  This  chapter  examines 
techniques  related  to  these  issues. 


Chapter  outline 

The  remainder  of  this  chapter  is  organized  as  follows.  §13.2  provides  context  including 
background  definitions,  classification  of  cryptographic  keys,  simple  models  for  key  estab- 
lishment, and  a discussion  of  third  party  roles.  §13.3  considers  techniques  for  distributing 
confidential  keys,  including  key  layering,  key  translation  centers,  and  symmetric-key  cer- 
tificates. §13.4  summarizes  techniques  for  distributing  and  authenticating  public  keys  in- 
cluding authentication  trees,  public-key  certificates,  the  use  of  identity-based  systems,  and 
implicitly-certified  keys.  § 13.5  presents  techniques  for  controlling  the  use  of  keying  mate- 
rial, including  key  notarization  and  control  vectors.  §13.6  considers  methods  for  establish- 
ing trust  in  systems  involving  multiple  domains,  certification  authority  trust  models,  and 
certification chains. The key management life cycle is summarized in §13.7, while §13.8
discusses  selected  specialized  third  party  services,  including  trusted  timestamping  and  no- 
tary services  supporting  non-repudiation  of  digital  signatures,  and  key  escrow.  Notes  and 
sources  for  further  information  are  provided  in  §13.9. 


13.2  Background  and  basic  concepts 

A keying  relationship  is  the  state  wherein  communicating  entities  share  common  data  (key- 
ing material ) to  facilitate  cryptographic  techniques.  This  data  may  include  public  or  secret 
keys,  initialization  values,  and  additional  non-secret  parameters. 

13.1  Definition  Key  management  is  the  set  of  techniques  and  procedures  supporting  the  estab- 
lishment and  maintenance  of  keying  relationships  between  authorized  parties. 

Key  management  encompasses  techniques  and  procedures  supporting: 

1. initialization of system users within a domain;

2.  generation,  distribution,  and  installation  of  keying  material; 

3.  controlling  the  use  of  keying  material; 

4.  update,  revocation,  and  destruction  of  keying  material;  and 

5.  storage,  backup/recovery,  and  archival  of  keying  material. 


13.2.1  Classifying  keys  by  algorithm  type  and  intended  use 

The  terminology  of  Table  13.1  is  used  in  reference  to  keying  material.  A symmetric  cryp- 
tographic system  is  a system  involving  two  transformations  - one  for  the  originator  and 
one  for  the  recipient  - both  of  which  make  use  of  either  the  same  secret  key  (symmetric 
key)  or  two  keys  easily  computed  from  each  other.  An  asymmetric  cryptographic  system 
is  a system  involving  two  related  transformations  - one  defined  by  a public  key  (the  public 
transformation),  and  another  defined  by  a private  key  ( the  private  transformation)  - with  the 
property  that  it  is  computationally  infeasible  to  determine  the  private  transformation  from 
the  public  transformation. 


Term                       Meaning
private key, public key    paired keys in an asymmetric cryptographic system
symmetric key              key in a symmetric (single-key) cryptographic system
secret                     adjective used to describe private or symmetric key

Table 13.1: Private, public, symmetric, and secret keys.


Table  13.2  indicates  various  types  of  algorithms  commonly  used  to  achieve  the  spec- 
ified cryptographic  objectives.  Keys  associated  with  these  algorithms  may  be  correspond- 
ingly classified,  for  the  purpose  of  controlling  key  usage  (§13.5).  The  classification  given 
requires  specification  of  both  the  type  of  algorithm  (e.g.,  encryption  vs.  signature)  and  the 
intended  use  (e.g.,  confidentiality  vs.  entity  authentication). 
Cryptographic objective (usage)      Algorithm type
                                     public-key         symmetric-key
confidentiality†                     encryption         encryption
data origin authentication‡          signature          MAC
key agreement                        Diffie-Hellman     various methods
entity authentication                1. signature       1. MAC
(by challenge-response protocols)    2. decryption      2. encryption
                                     3. customized

Table 13.2: Types of algorithms commonly used to meet specified objectives.

† May include data integrity, and includes key transport; see also §13.3.1.
‡ Includes data integrity; and in the public-key case, non-repudiation.


13.2.2  Key  management  objectives,  threats,  and  policy 

Key  management  plays  a fundamental  role  in  cryptography  as  the  basis  for  securing  cryp- 
tographic techniques  providing  confidentiality,  entity  authentication,  data  origin  authenti- 
cation, data  integrity,  and  digital  signatures.  The  goal  of  a good  cryptographic  design  is 
to  reduce  more  complex  problems  to  the  proper  management  and  safe-keeping  of  a small 
number  of  cryptographic  keys,  ultimately  secured  through  trust  in  hardware  or  software 
by  physical  isolation  or  procedural  controls.  Reliance  on  physical  and  procedural  secu- 
rity (e.g.,  secured  rooms  with  isolated  equipment),  tamper-resistant  hardware,  and  trust  in  a 
large  number  of  individuals  is  minimized  by  concentrating  trust  in  a small  number  of  easily 
monitored,  controlled,  and  trustworthy  elements. 

Keying  relationships  in  a communications  environment  involve  at  least  two  parties  (a 
sender  and  a receiver)  in  real-time.  In  a storage  environment,  there  may  be  only  a single 
party,  which  stores  and  retrieves  data  at  distinct  points  in  time. 

The  objective  of  key  management  is  to  maintain  keying  relationships  and  keying  ma- 
terial in  a manner  which  counters  relevant  threats,  such  as: 

1. compromise of confidentiality of secret keys.

2.  compromise  of  authenticity  of  secret  or  public  keys.  Authenticity  requirements  in- 
clude knowledge  or  verifiability  of  the  true  identity  of  the  party  a key  is  shared  or 
associated  with. 

3.  unauthorized  use  of  secret  or  public  keys.  Examples  include  using  a key  which  is  no 
longer  valid,  or  for  other  than  an  intended  purpose  (see  Remark  13.32). 

In  practice,  an  additional  objective  is  conformance  to  a relevant  security  policy. 

Security  policy  and  key  management 

Key  management  is  usually  provided  within  the  context  of  a specific  security  policy.  A se- 
curity policy  explicitly  or  implicitly  defines  the  threats  a system  is  intended  to  address.  The 
policy  may  affect  the  stringency  of  cryptographic  requirements,  depending  on  the  suscepti- 
bility of  the  environment  in  question  to  various  types  of  attack.  Security  policies  typically 
also  specify: 

1.  practices  and  procedures  to  be  followed  in  carrying  out  technical  and  administrative 
aspects  of  key  management,  both  automated  and  manual; 

2.  the  responsibilities  and  accountability  of  each  party  involved;  and 

3.  the  types  of  records  (audit  trail  information ) to  be  kept,  to  support  subsequent  reports 
or  reviews  of  security-related  events. 
13.2.3 Simple key establishment models

The  following  key  distribution  problem  motivates  more  efficient  key  establishment  models. 

The  n2  key  distribution  problem 

In  a system  with  n users  involving  symmetric-key  techniques,  if  each  pair  of  users  may 
potentially  need  to  communicate  securely,  then  each  pair  must  share  a distinct  secret  key. 
In this case, each party must have n−1 secret keys; the overall number of keys in the
system, which may need to be centrally backed up, is then n(n−1)/2, or approximately
n2.  As  the  size  of  a system  increases,  this  number  becomes  unacceptably  large. 

In systems based on symmetric-key techniques, the solution is to use centralized key servers; a
star-like or spoked-wheel network is set up, with a trusted third party at the center or hub of
communications (see Remark 13.3). This addresses the n² key distribution problem, at the cost of
the requirement of an on-line trusted server, and additional communications with it. Public-key
techniques offer an alternate solution.

Point-to-point  and  centralized  key  management 

Point-to-point communications and centralized key management, using key distribution centers or
key translation centers, are examples of simple key distribution (communications) models relevant
to symmetric-key systems. Here “simple” implies involving at most one third party. These are
illustrated in Figure 13.1 and described below, where K_XY denotes a symmetric key shared by X
and Y.

[Figure 13.1 (diagram not reproduced): (a) Point-to-point key distribution; (b) Key distribution
center (KDC), parts (i) and (ii); (c) Key translation center (KTC), parts (i) and (ii).]

Figure 13.1: Simple key distribution models (symmetric-key).
1. point-to-point mechanisms. These involve two parties communicating directly (see §12.3.1).

2. key distribution centers (KDCs). KDCs are used to distribute keys between users which share
distinct keys with the KDC, but not with each other.

A basic KDC protocol proceeds as follows.¹ Upon request from A to share a key with B, the KDC T
generates or otherwise acquires a key K, then sends it encrypted under K_AT to A, along with a
copy of K (for B) encrypted under K_BT. Alternatively, T may communicate K (secured under K_BT)
to B directly.

3. key translation centers (KTCs). The assumptions and objectives of KTCs are as for KDCs above,
but here one of the parties (e.g., A) supplies the session key rather than the trusted center.

A basic KTC protocol proceeds as follows.² A sends a key K to the KTC T encrypted under K_AT.
The KTC deciphers and re-enciphers K under K_BT, then returns this to A (to relay to B) or sends
it to B directly.

KDCs provide centralized key generation, while KTCs allow distributed key generation. Both are
centralized techniques in that they involve an on-line trusted server.

13.2 Note (initial keying requirements) Point-to-point mechanisms require that A and B share a
secret key a priori. Centralized key management involving a trusted party T requires that A and B
each share a secret key with T. These shared long-term keys are initially established by
non-cryptographic, out-of-band techniques providing confidentiality and authenticity (e.g., in
person, or by trusted courier). By comparison, with public keys confidentiality is not required;
initial distribution of these need only guarantee authenticity.

13.3 Remark (centralized key management - pros and cons) Centralized key management involving
third parties (KDCs or KTCs) offers the advantage of key-storage efficiency: each party need
maintain only one long-term secret key with the trusted third party (rather than one for each
potential communications partner). Potential disadvantages include: vulnerability to loss of
overall system security if the central node is compromised (providing an attractive target to
adversaries); a performance bottleneck if the central node becomes overloaded; loss of service if
the central node fails (a critical reliability point); and the requirement of an on-line trusted
server.


13.2.4  Roles  of  third  parties 

Below,  trusted  third  parties  (TTPs)  are  first  classified  based  on  their  real-time  interactions 
with  other  entities.  Key  management  functions  provided  by  third  parties  are  then  discussed. 

(i)  In-line,  on-line,  and  off-line  third  parties 

From  a communications  viewpoint,  three  categories  of  third  parties  T can  be  distinguished 
based  on  relative  location  to  and  interaction  with  the  communicating  parties  A and  B (see 
Figure  13.2): 

1. in-line: T is an intermediary, serving as the real-time means of communication between A
and B.

2.  on-line:  T is  involved  in  real-time  during  each  protocol  instance  (communicating 
with  A or  B or  both),  but  A and  B communicate  directly  rather  than  through  T. 

¹ For specific examples of such protocols including Kerberos (Protocol 12.24), see §12.3.2.

² A specific example is the message-translation protocol, Protocol 13.12, with M = K.
3. off-line: T is not involved in the protocol in real-time, but prepares information a priori,
which is available to A or B or both and used during protocol execution.

[Figure 13.2 (diagram not reproduced): (a) in-line TTP between A and B; (b) on-line TTP;
(c) off-line TTP, with arrows marked [optional] for communications carried out prior to the
protocol run.]

Figure 13.2: In-line, on-line, and off-line third parties.

In-line third parties are of particular interest when A and B belong to different security domains
or cannot otherwise interact directly due to non-interoperable security mechanisms. Examples of
an in-line third party include a KDC or KTC which provides the communications path between A
and B, as in Figure 13.1(b)(ii) or (c)(ii). Parts (b)(i) and (c)(i) illustrate examples of
on-line third parties which are not in-line. An example of an off-line third party is a
certification authority producing public-key certificates and placing them in a public directory;
here, the directory may be an on-line third party, but the certification authority is not.

13.4 Remark (pros and cons: in-line, on-line, off-line) Protocols with off-line third parties
usually involve fewer real-time message exchanges, and do not require real-time availability of
third parties. Revocation of privileges (e.g., if a secret key is compromised) is more easily
handled by in-line or on-line third parties.

(ii)  Third  party  functions  related  to  public-key  certificates 

Potential roles played by third parties within a key management system involving public-key
certificates (§13.4.2) are listed below. Their relationship is illustrated in Figure 13.3.

1. certification authority (CA) - responsible for establishing and vouching for the authenticity
of public keys. In certificate-based systems (§13.4.2), this includes binding public keys to
distinguished names through signed certificates, managing certificate serial numbers, and
certificate revocation.³

³ Certificate creation requires verification of the authenticity of the entity to be associated
with the public key. This authentication may be delegated to a registration authority. The CA may
carry out the combined functions of a registration authority, name server, and key generation
facility; such a combined facility is called either a CA or a key management facility.
2. name server - responsible for managing a name space of unique user names (e.g., unique
relative to a CA).

3. registration authority - responsible for authorizing entities, distinguished by unique names,
as members of a security domain. User registration usually involves associating keying material
with the entity.

4.  key  generator  - creates  public/private  key  pairs  (and  symmetric  keys  or  passwords). 
This  may  be  part  of  the  user  entity,  part  of  the  CA,  or  an  independent  trusted  system 
component. 

5.  certificate  directory  - a certificate  database  or  server  accessible  for  read-access  by 
users.  The  CA  may  supply  certificates  to  (and  maintain)  the  database,  or  users  may 
manage  their  own  database  entries  (under  appropriate  access  control). 


Figure 13.3: Third party services related to public-key certification.


(iii)  Other  basic  third  party  functions 

Additional  basic  functions  a trusted  third  party  may  provide  include: 

1. key server (authentication server) - facilitates key establishment between other parties,
including for entity authentication. Examples include KDCs and KTCs (§13.2.3).

2. key management facility - provides a number of services including storage and archival of
keys, audit collection and reporting tools, and (in conjunction with a certification authority or
CA) enforcement of life cycle requirements including updating and revoking keys. The associated
key server or certification authority may provide a record (audit trail) of all events related to
key generation and update, certificate generation and revocation, etc.

13.5 Note (key access server) A key server may be generalized to a key access server, providing
shared keys under controlled access to individual members of groups of two or more parties, as
follows. A key K is securely deposited with the server by party A along with an access control
list specifying entities authorized to access it. The server stores the key and the associated
list. Subsequently, entities contact the server and request the key by referencing a key
identifier supplied by A. Upon entity authentication, the server grants access to the keying
material (using KTC-like functionality) if the entity is authorized.

13.6 Note (digital enveloping of files) A key access server may be employed to store a key K used
to symmetrically encrypt a file. The source party A may make the (encrypted) file available by
attaching it to the encrypted key, posting it to a public site, or communicating it independently
over a distinct (unsecured) channel. Retrieval of the key from the server by an authorized party
then allows that party access to the (decrypted) file. The same end goal can be attained by
public-key techniques directly, without key access servers, as follows: A encrypts the file under
K as above; asymmetrically encrypts K using the intended recipient’s public encryption key (or
recipients’ keys); and includes the encrypted key(s) in a header field preceding the encrypted
file.

13.7 Remark (levels of trust vs. competency) Various third party services require different types
of trust and competency in the third party. For example, a third party possessing secret
decryption keys (or entity authentication keys) must be trusted not to disclose encrypted
information (or impersonate users). A third party required (only) to bind an encryption public
key to an identity must still be trusted not to create false associations and thereafter
impersonate an entity. In general, three levels of trust in a third party T responsible for
certifying credentials for users may be distinguished. Level 1: T knows each user’s secret key.
Level 2: T does not know users’ secret keys, but can create false credentials without detection.
Level 3: T does not know users’ secret keys, and generation of false credentials is detectable.

(iv)  Advanced  third  party  functions 

Advanced  service  roles  which  may  be  provided  by  trusted  third  parties,  discussed  further 
in  §13.8,  include: 

1.  timestamp  agent  - used  to  assert  the  existence  of  a specified  document  at  a certain 
point  in  time,  or  affix  a trusted  date  to  a transaction  or  digital  message. 

2. notary agent - used to verify digital signatures at a given point in time to support
non-repudiation, or more generally establish the truth of any statement (which it is trusted on
or granted jurisdiction over) at a given point in time.

3. key escrow agent - used to provide third-party access to users’ secret keys under special
circumstances. Here distinction is usually made between key types; for example, encryption
private keys may need to be escrowed but not signature private keys (cf. Remark 13.32).


13.2.5  Tradeoffs  among  key  establishment  protocols 

A vast number of key establishment protocols are available (Chapter 12). To choose from among
these for a particular application, many factors aside from cryptographic security may be
relevant. §12.2.2 discusses different types of assurances provided, and characteristics useful in
comparing protocols.

In selected key management applications, hybrid protocols involving both symmetric and
asymmetric techniques offer the best alternative (e.g., Protocol 12.44; see also Note 13.6). More
generally, the optimal use of available techniques generally involves combining symmetric
techniques for bulk encryption and data integrity with public-key techniques for signatures and
key management.


©1997  by  CRC  Press,  Inc.  — See  accompanying  notice  at  front  of  chapter. 




Public-key  vs.  symmetric-key  techniques  (in  key  management) 

Primary  advantages  offered  by  public-key  (vs.  symmetric-key)  techniques  for  applications 
related  to  key  management  include: 

1. simplified key management. To encrypt data for another party, only the encryption public key
of that party need be obtained. This simplifies key management as only authenticity of public
keys is required, not their secrecy. Table 13.3 illustrates the case for encryption keys. The
situation is analogous for other types of public-key pairs, e.g., signature key pairs.

2. on-line trusted server not required. Public-key techniques allow a trusted on-line server to
be replaced by a trusted off-line server plus any means for delivering authentic public keys
(e.g., public-key certificates and a public database provided by an untrusted on-line server).
For applications where an on-line trusted server is not mandatory, this may make the system more
amenable to scaling, to support very large numbers of users.

3. enhanced functionality. Public-key cryptography offers functionality which typically cannot be
provided cost-effectively by symmetric techniques (without additional on-line trusted third
parties or customized secure hardware). The most notable such features are non-repudiation of
digital signatures, and true (single-source) data origin authentication.


                  Symmetric keys            Asymmetric keys
                  secrecy   authenticity    secrecy   authenticity
encryption key    yes       yes             no        yes
decryption key    yes       yes             yes       yes

Table 13.3: Key protection requirements: symmetric-key vs. public-key systems.

Figure 13.4 compares key management for symmetric-key and public-key encryption. The pairwise
secure channel in Figure 13.4(a) is often a trusted server with which each party communicates.
The pairwise authentic channel in Figure 13.4(b) may be replaced by a public directory through
which public keys are available via certificates; the public key in this case is typically used
to encrypt a symmetric data key (cf. Note 13.6).


13.3  Techniques  for  distributing  confidential  keys 

Various techniques and protocols are available to distribute cryptographic keys whose
confidentiality must be preserved (both private keys and symmetric keys). These include the use
of key layering (§13.3.1) and symmetric-key certificates (§13.3.2).


13.3.1  Key  layering  and  cryptoperiods 

Table 13.2 (page 545) may be used to classify keys based on usage. The class “confidentiality”
may be sub-classified on the nature of the information being protected: user data vs. keying
material. This suggests a natural key layering as follows:

1.  master  keys  - keys  at  the  highest  level  in  the  hierarchy,  in  that  they  themselves  are 
not  cryptographically  protected.  They  are  distributed  manually  or  initially  installed 
and  protected  by  procedural  controls  and  physical  or  electronic  isolation. 
[Figure 13.4 (diagram not reproduced): (a) Symmetric-key encryption; (b) Public-key encryption.]

Figure 13.4: Key management: symmetric-key vs. public-key encryption.


2. key-encrypting keys - symmetric keys or encryption public keys used for key transport or
storage of other keys, e.g., in the key transport protocols of Chapter 12. These may also be
called key-transport keys, and may themselves be secured under other keys.

3. data keys - used to provide cryptographic operations on user data (e.g., encryption,
authentication). These are generally short-term symmetric keys; however, asymmetric signature
private keys may also be considered data keys, and these are usually longer-term keys.

The  keys  at  one  layer  are  used  to  protect  items  at  a lower  level.  This  constraint  is  intended  to 
make  attacks  more  difficult,  and  to  limit  exposure  resulting  from  compromise  of  a specific 
key,  as  discussed  below. 

13.8 Note (protection of key-encrypting keys) Compromise of a key-encrypting key (and moreover,
a master key as a special case thereof) affects all keys protected thereunder. Consequently,
special measures are used to protect master keys, including severely limiting access and use,
hardware protection, and providing access to the key only under shared control (§12.7.1).

13.9 Example (key layering with master and terminal keys) Assume each terminal X from a
predefined set shares a key-encrypting key (terminal key) K_X with a trusted central node C, and
that C stores an encrypted list of all terminal keys under a master key K_M. C may then provide
a session key to terminals X and Y as follows. C obtains a random value R (possibly from an
external source) and defines the session key to be S = D_KM(R), the decryption of R under K_M.
Using K_M, C decrypts the key list to obtain K_X, computes S from R, then encrypts S under K_X
and transmits it to X. S is analogously transmitted to Y, and can be recovered by both X and Y. □

Cryptoperiods,  long-term  keys,  and  short-term  keys 

13.10  Definition  The  cryptoperiod  of  a key  is  the  time  period  over  which  it  is  valid  for  use  by 
legitimate  parties. 

Cryptoperiods  may  serve  to: 

1. limit the information (related to a specific key) available for cryptanalysis;

2. limit exposure in the case of compromise of a single key;

3. limit the use of a particular technology to its estimated effective lifetime; and

4. limit the time available for computationally intensive cryptanalytic attacks (in applications
where long-term key protection is not required).

In addition to the key layering hierarchy above, keys may be classified based on temporal
considerations as follows.

1. long-term keys. These include master keys, often key-encrypting keys, and keys used to
facilitate key agreement.

2. short-term keys. These include keys established by key transport or key agreement, and often
used as data keys or session keys for a single communications session. See Remark 13.11.

In  general,  communications  applications  involve  short-term  keys,  while  data  storage 
applications  require  longer-term  keys.  Long-term  keys  typically  protect  short-term  keys. 
Diffie-Hellman  keys  are  an  exception  in  some  cases  (see  § 12.6.1).  Cryptoperiods  limit  the 
use  of  keys  to  fixed  periods,  after  which  they  must  be  replaced. 

13.11 Remark (short-term use vs. protection) The term short as used in short-term keys refers to
the intended time of the key usage by legitimate parties, rather than the protection lifetime
(cf. §13.7.1). For example, an encryption key used for only a single session might nonetheless
be required to provide protection sufficient to withstand long-term attack (perhaps 20 years),
whereas if signatures are verified immediately and never checked again, a signature key may need
to provide protection only for a relatively short period of time. The more severe the
consequences of a secret key being disclosed, the greater the reward to an adversary for
obtaining access to it, and the greater the time or level of effort an adversary will invest to
do so. (See also §12.2.2, and §12.2.3 on perfect forward secrecy.)


13.3.2  Key  translation  centers  and  symmetric-key  certificates 

Further to centralized key management discussed in §13.2.3, this section considers techniques
involving key translation centers, including use of symmetric-key certificates.

(i)  Key  translation  centers 

A key translation center (KTC) T is a trusted server which allows two parties A and B, which do
not directly share keying material, to establish secure communications through use of long-term
keys K_AT and K_BT they respectively share with T. A may send a confidential message M to B using
Protocol 13.12. If M is a key K, this provides a key transfer protocol (cf. §13.2.3); thus, KTCs
provide translation of keys or messages.
13.12 Protocol Message translation protocol using a KTC

SUMMARY: A interacts with a trusted server (KTC) T and party B.

RESULT: A transfers a secret message M (or session key) to B. See Note 13.13.

1. Notation. E is a symmetric encryption algorithm. M may be a session key K.

2. One-time setup. A and T share key K_AT. Similarly B and T share K_BT.

3. Protocol messages.

A → T : A, E_KAT(B, M)    (1)
A ← T : E_KBT(M, A)       (2)
A → B : E_KBT(M, A)       (3)

4. Protocol actions.

(a) A encrypts M (along with the identifier of the intended recipient) under K_AT, and sends
this to T with its own identifier (to allow T to look up K_AT).

(b) Upon decrypting the message, T determines it is intended for B, looks up the key (K_BT) of
the indicated recipient, and re-encrypts M for B.

(c) T returns the translated message for A to send to (or post in a public site for) B;
alternatively, T may send the response to B directly.


Only  one  of  A and  B need  communicate  with  T.  As  an  alternative  to  the  protocol  as  given, 
A may  send  the  first  message  to  B directly,  which  B would  then  relay  to  T for  translation, 
with  T responding  directly  to  B. 

13.13  Note  (security  of  Protocol  13.12) 

(i) The identifier A, corresponding to the key under which message (1) was encrypted, is
included in message (2) as a secure indication (to B) of the original source. Key notarization
(§13.5.2) offers a more robust method of preventing key substitution.

(ii) A recognizable distinction (e.g., re-ordering the message and identifier fields) between
the format of messages (1) and (2) is required to prevent an adversary from reflecting (1) back
to A as a message (3) purportedly originating from B.

(iii) Message replay is possible; attacks may be detected through the use of timestamps or
sequence numbers within M. The protocol as given provides no entity authentication.

(iv)  An  integrity  check  mechanism  on  the  encrypted  text  should  be  used  to  allow  T to 
detect  tampering  of  the  cleartext  identifier  A in  (1),  as  well  as  in  (2)  and  (3). 

(v)  A chosen-text  attack  on  key  Kbt  in  (2)  may  be  prevented  by  an  encryption  mode 
such  as  CBC,  and  inserting  an  initial  field  containing  a random  number. 

(ii)  Symmetric-key  certificates 

Symmetric-key  certificates  provide  a means  for  a KTC  to  avoid  the  requirement  of  either 
maintaining  a secure  database  of  user  secrets  (or  duplicating  such  a database  for  multiple 
servers),  or  retrieving  such  keys  from  a database  upon  translation  requests. 

As before, associated with each party B is a key K_BT shared with T, which is now embedded in a
symmetric-key certificate E_KT(K_BT, B) encrypted under a symmetric master key K_T known only to
T. (A lifetime parameter L could also be included in the certificate as a validity period.) The
certificate serves as a memo from T to itself (who alone can open it), and is given to B so that
B may subsequently present it back to T precisely when required to access B’s symmetric key K_BT
for message translation. Rather than storing all user keys, T now need securely store only K_T.
Symmetric-key certificates may be used in Protocol 13.12 by changing only the first message as
below, where SCert_A = E_KT(K_AT, A), SCert_B = E_KT(K_BT, B):

A → T : SCert_A, E_KAT(B, M), SCert_B    (1)

A public database may be established with an entry specifying the name of each user and its
corresponding symmetric-key certificate. To construct message (1), A retrieves B’s symmetric-key
certificate and includes this along with its own. T carries out the translation as before,
retrieving K_AT and K_BT from these certificates, but now also verifies that A’s intended
recipient B as specified in E_KAT(B, M) matches the identifier in the supplied certificate
SCert_B.
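The following Python program is an added example and not code from the Handbook: it implements Protocol 13.12 in both the basic form (T holds the table of user keys) and the symmetric-key-certificate form of message (1) just described, and exercises the checks of Note 13.13 that T and the receiving party can enforce (format distinction between (1) and (2), ciphertext integrity, and the recipient-versus-certificate comparison). The Handbook leaves the symmetric algorithm E abstract, so the stand-in used here (an HMAC-SHA256 keystream with an encrypt-then-MAC tag), the length-prefixed field encoding, the explicit tag byte that distinguishes message (1) from (2) (used in place of the field re-ordering Note 13.13(ii) suggests), the KTC class, and the party names and keys constructed in demo() are all assumptions of this example.

```python
import hashlib
import hmac
import os

# Format tags give messages (1) and (2) a recognizable distinction (Note 13.13(ii));
# this example uses an explicit tag byte where the book suggests re-ordering fields.
MSG1, MSG2 = b"\x01", b"\x02"

def _subkeys(key: bytes) -> tuple:
    # Separate encryption and MAC subkeys derived from one long-term key.
    return tuple(hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))

def _keystream(ke: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(ke, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # E_key(plaintext): constructed stand-in for the abstract cipher E (HMAC-SHA256 keystream,
    # encrypt-then-MAC) with a fresh random nonce per message (cf. Note 13.13(v)).
    ke, km = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(ke, nonce, len(plaintext))))
    return nonce + ct + hmac.new(km, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    # Inverse of encrypt; any modification of the ciphertext is rejected (Note 13.13(iv)).
    ke, km = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(km, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(ke, nonce, len(ct))))

def pack(*fields: bytes) -> bytes:
    # Length-prefix each field so (tag, identifier, message) tuples parse unambiguously.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def unpack(buf: bytes) -> list:
    fields, i = [], 0
    while i < len(buf):
        n = int.from_bytes(buf[i:i + 2], "big")
        fields.append(buf[i + 2:i + 2 + n])
        i += 2 + n
    return fields

class KTC:
    # Trusted server T (assumed class). Basic mode keeps the table of user keys K_XT;
    # certificate mode keeps only K_T and opens SCert_X = E_KT(K_XT, X) on demand.
    def __init__(self, user_keys=None, master_key=None):
        self.user_keys, self.master_key = user_keys or {}, master_key

    def issue_cert(self, name: bytes, key: bytes) -> bytes:
        return encrypt(self.master_key, pack(key, name))      # a memo from T to itself

    def _open_cert(self, cert: bytes, expected_name: bytes) -> bytes:
        key, name = unpack(decrypt(self.master_key, cert))
        if name != expected_name:
            raise ValueError("certificate does not belong to the named party")
        return key

    def translate(self, a_name: bytes, msg1: bytes, scert_a=None, scert_b=None) -> bytes:
        # K_AT comes from the key table (basic mode) or from SCert_A (certificate mode).
        kat = self.user_keys[a_name] if scert_a is None else self._open_cert(scert_a, a_name)
        tag, b_name, m = unpack(decrypt(kat, msg1))
        if tag != MSG1:
            raise ValueError("message (1) has wrong format")
        # The recipient named inside E_KAT(B, M) must match the identifier in SCert_B.
        kbt = self.user_keys[b_name] if scert_b is None else self._open_cert(scert_b, b_name)
        return encrypt(kbt, pack(MSG2, m, a_name))            # message (2): E_KBT(M, A)

def party_b_receive(kbt: bytes, msg3: bytes) -> tuple:
    # B opens E_KBT(M, A) and learns the original source A. The tag check also stops A
    # from accepting a reflected copy of (1) as a message (3).
    tag, m, sender = unpack(decrypt(kbt, msg3))
    if tag != MSG2:
        raise ValueError("not a translated message")
    return sender, m

def rejected(action) -> bool:
    try:
        action()
        return False
    except ValueError:
        return True

def demo() -> tuple:
    a, b, c = b"A", b"B", b"C"
    kat, kbt, kct, kt = (os.urandom(32) for _ in range(4))   # constructed long-term keys
    m = b"K = constructed sample session key"
    # (i) Basic KTC: T stores K_AT and K_BT (Figure 13.1(c)(i)).
    t_basic = KTC(user_keys={a: kat, b: kbt})
    msg1 = encrypt(kat, pack(MSG1, b, m))                     # message (1): A, E_KAT(B, M)
    got_basic = party_b_receive(kbt, t_basic.translate(a, msg1))
    # (ii) Symmetric-key certificates: T stores only K_T; A supplies SCert_A and SCert_B.
    t_cert = KTC(master_key=kt)
    sc_a, sc_b, sc_c = (t_cert.issue_cert(n, k) for n, k in ((a, kat), (b, kbt), (c, kct)))
    got_cert = party_b_receive(kbt, t_cert.translate(a, msg1, sc_a, sc_b))
    # C's certificate passed off as B's fails T's recipient check; (1) reflected to A fails the tag check.
    swap_rejected = rejected(lambda: t_cert.translate(a, msg1, sc_a, sc_c))
    reflection_rejected = rejected(lambda: party_b_receive(kat, msg1))
    return got_basic, got_cert, swap_rejected, reflection_rejected
```

In basic mode an altered cleartext identifier A in message (1) makes T look up the wrong key, so the tag check in decrypt fails and T rejects the message, which is the behaviour Note 13.13(iv) calls for; in certificate mode the same protection comes from comparing the identifier inside SCert_A with the one A claims. Replay (Note 13.13(iii)) is not addressed by this code: a timestamp or sequence number would have to be carried inside M.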

13.14 Remark (public-key functionality via symmetric techniques) The trusted third party
functionality required when using symmetric-key certificates may be provided by per-user
tamper-resistant hardware units keyed with a common (user-inaccessible) master key K_T. The
trusted hardware unit H_A of each user A generates a symmetric-key certificate
SCert_A = E_KT(K_AT, A), which is made available to B when required. H_B decrypts the
certificate to recover K_AT (inaccessible to B) and the identity A (accessible to B). By design,
H_B is constrained to use other users’ keys K_AT = K_A solely for verification functions (e.g.,
MAC verification, message decryption). K_A then functions as A’s public key (cf. Example 13.36),
allowing data origin authentication with non-repudiation; an adjudicator may resolve disputes
given a hardware unit containing K_T, a disputed (message, signature) pair, and the authentic
value SCert_A from H_A.

13.15 Remark (symmetric-key vs. public-key certificates) Symmetric-key certificates differ from
public-key certificates as follows: they are symmetric-key encrypted under T’s master key (vs.
signed using T’s private key); the symmetric key within may be extracted only by T (vs. many
parties being able to verify a public-key certificate); and T is required to be on-line for key
translation (vs. an off-line certification authority). In both cases, certificates may be stored
in a public directory.


13.4  Techniques  for  distributing  public  keys 

Protocols involving public-key cryptography are typically described assuming a priori possession
of (authentic) public keys of appropriate parties. This allows full generality among various
options for acquiring such keys. Alternatives for distributing explicit public keys with
guaranteed or verifiable authenticity, including public exponentials for Diffie-Hellman key
agreement (or more generally, public parameters), include the following.

1. Point-to-point delivery over a trusted channel. Authentic public keys of other users are
obtained directly from the associated user by personal exchange, or over a direct channel,
originating at that user, and which (procedurally) guarantees integrity and authenticity (e.g., a
trusted courier or registered mail). This method is suitable if used infrequently (e.g., one-time
user registration), or in small closed systems. A related method is to exchange public keys and
associated information over an untrusted electronic channel, and provide authentication of this
information by communicating a hash thereof (using a collision-resistant hash function) via an
independent, lower-bandwidth authentic channel, such as registered mail.
Drawbacks of this method include: inconvenience (elapsed time); the requirement of non-automated
key acquisition prior to secured communications with each new party (chronological timing); and
the cost of the trusted channel.

2. Direct access to a trusted public file (public-key registry). A public database, the
integrity of which is trusted, may be set up to contain the name and authentic public key of
each system user. This may be implemented as a public-key registry operated by a trusted party.
Users acquire keys directly from this registry.

While remote access to the registry over unsecured channels is acceptable against passive
adversaries, a secure channel is required for remote access in the presence of active
adversaries. One method of authenticating a public file is by tree authentication of public keys
(§13.4.1).

3. Use of an on-line trusted server. An on-line trusted server provides access to the equivalent
of a public file storing authentic public keys, returning requested (individual) public keys in
signed transmissions; confidentiality is not required. The requesting party possesses a copy of
the server’s signature verification public key, allowing verification of the authenticity of
such transmissions.

Disadvantages  of  this  approach  include:  the  trusted  server  must  be  on-line;  the  trusted 
server  may  become  a bottleneck;  and  communications  links  must  be  established  with 
both  the  intended  communicant  and  the  trusted  server. 

4.  Use  of  an  off-line  sender  and  certificates.  In  a one-time  process,  each  party  A contacts 
an  off-line  trusted  party  referred  to  as  a certification  authority  (CA),  to  register  its 
public  key  and  obtain  the  CA’s  signature  verification  public  key  (allowing  verification 
of  other  users’  certificates).  The  CA  certifies  A’s  public  key  by  binding  it  to  a string 
identifying  A , thereby  creating  a certificate  (§13.4.2).  Parties  obtain  authentic  public 
keys  by  exchanging  certificates  or  extracting  them  from  a public  directory. 

5.  Use  of  systems  implicitly  guaranteeing  authenticity  of  public  parameters.  In  such 
systems,  including  identity-based  systems  (§13.4.3)  and  those  using  implicitly  cer- 
tified keys  (§13.4.4),  by  algorithmic  design,  modification  of  public  parameters  re- 
sults in  detectable,  non-compromising  failure  of  cryptographic  techniques  (see  Re- 
mark 13.26). 

The  following  subsections  discuss  the  above  techniques  in  greater  detail.  Figure  13.7 
(page  564)  provides  a comparison  of  the  certificate-based  approach,  identity-based  systems, 
and  the  use  of  implicitly-certified  public  keys. 


13.4.1  Authentication  trees 

Authentication  trees  provide  a method  for  making  public  data  available  with  verifiable  au- 
thenticity, by  using  a tree  structure  in  conjunction  with  a suitable  hash  function,  and  authen- 
ticating the  root  value.  Applications  include: 

1. authentication of public keys (as an alternative to public-key certificates). An authen-
tication tree created by a trusted third party, containing users' public keys, allows au-
thentication of a large number of such keys.

2.  trusted  timestamping  service.  Creation  of  an  authentication  tree  by  a trusted  third 
party,  in  a similar  way,  facilitates  a trusted  timestamping  service  (see  § 13.8.1). 

3.  authentication  of  user  validation  parameters.  Creation  of  a tree  by  a single  user  al- 
lows that  user  to  publish,  with  verifiable  authenticity,  a large  number  of  its  own  public 
validation  parameters,  such  as  required  in  one-time  signature  schemes  (see  §11.6.3). 

To  facilitate  discussion  of  authentication  trees,  binary  trees  are  first  introduced. 
Binary trees

A binary  tree  is  a structure  consisting  of  vertices  and  directed  edges.  The  vertices  are  di- 
vided into  three  types: 

1.  a root  vertex.  The  root  has  two  edges  directed  towards  it,  a left  and  a right  edge. 

2.  internal  vertices.  Each  internal  vertex  has  three  edges  incident  to  it  - an  upper  edge 
directed  away  from  it,  and  left  and  right  edges  directed  towards  it. 

3.  leaves.  Each  leaf  vertex  has  one  edge  incident  to  it,  and  directed  away  from  it. 

The  vertices  incident  with  the  left  and  right  edges  of  an  internal  vertex  (or  the  root)  are  called 
the  children  of  the  internal  vertex.  The  internal  (or  root)  vertex  is  called  the  parent  of  the 
associated  children.  Figure  13.5  illustrates  a binary  tree  with  7 vertices  and  6 edges. 

Figure 13.5: A binary tree (with 4 shaded leaves and 3 internal vertices). [Figure not reproduced.]


13.16  Fact  There  is  a unique  directed  path  from  any  non-root  vertex  in  a binary  tree  to  the  root 
vertex. 

Constructing  and  using  authentication  trees 

Consider a binary tree T which has t leaves. Let h be a collision-resistant hash function. T
can be used to authenticate t public values, Y1, Y2, ..., Yt, by constructing an authentica-
tion tree T* as follows.

1. Label each of the t leaves by a unique public value Y_i.

2. On the edge directed away from the leaf labeled Y_i, put the label h(Y_i).

3. If the left and right edge of an internal vertex are labeled h1 and h2, respectively, label
the upper edge of the vertex h(h1||h2).

4. If the edges directed toward the root vertex are labeled u1 and u2, label the root vertex
h(u1||u2).

Once the public values are assigned to leaves of the binary tree, such a labeling is well-
defined. Figure 13.6 illustrates an authentication tree with 4 leaves. Assuming some means
to authenticate the label on the root vertex, an authentication tree provides a means to au-
thenticate any of the t public leaf values Y_i, as follows. For each public value Y_i there is
a unique path (the authentication path) from Y_i to the root. Each edge on the path is a left
or right edge of an internal vertex or the root. If e is such an edge directed towards vertex
x, record the label on the other edge (not e) directed toward x. This sequence of labels (the
authentication path values) used in the correct order provides the authentication of Y_i, as il-
lustrated by Example 13.17. Note that if a single leaf value (e.g., Y1) is altered, maliciously
or otherwise, then authentication of that value will fail.

Figure 13.6: An authentication tree. [Figure not reproduced; its shape is given by Example 13.17.]


13.17 Example (key verification using authentication trees) Refer to Figure 13.6. The public
value Y1 can be authenticated by providing the sequence of labels h(Y2), h(Y3), h(Y4). The
authentication proceeds as follows: compute h(Y1); next compute h1 = h(h(Y1)||h(Y2));
then compute h2 = h(h1||h(Y3)); finally, accept Y1 as authentic if h(h2||h(Y4)) = R,
where the root value R is known to be authentic. □

The advantage of authentication trees is evident by considering the storage required to
allow authentication of t public values using the following (very simple) alternate approach:
an entity A authenticates t public values Y1, Y2, ..., Yt by registering each with a trusted
third party. This approach requires registration of t public values, which may raise storage
issues at the third party when t is large. In contrast, an authentication tree requires only a
single value be registered with the third party.

If a public key Y_i of an entity A is the value corresponding to a leaf in an authentication
tree, and A wishes to provide B with information allowing B to verify the authenticity of
Y_i, then A must (store and) provide to B both Y_i and all hash values associated with the
authentication path from Y_i to the root; in addition, B must have prior knowledge and trust
in the authenticity of the root value R. These values collectively guarantee authenticity,
analogous to the signature on a public-key certificate. The number of values each party must
store (and provide to others to allow verification of its public key) is lg(t), as per Fact 13.19.

13.18 Fact (depth of a binary tree) Consider the length of (or number of edges in) the path from
each leaf to the root in a binary tree. The length of the longest such path is minimized when
the tree is balanced, i.e., when the tree is constructed such that all such paths differ in length
by at most one. The length of the path from a leaf to the root in a balanced binary tree
containing t leaves is about lg(t).

13.19 Fact (length of authentication paths) Using a balanced binary tree (Fact 13.18) as an au-
thentication tree with t public values as leaves, authenticating a public value therein may
be achieved by hashing lg(t) values along the path to the root.

13.20  Remark  ( time-space  tradeoff)  Authentication  trees  require  only  a single  value  (the  root 
value)  in  a tree  be  registered  as  authentic,  but  verification  of  the  authenticity  of  any  particu- 
lar leaf  value  requires  access  to  and  hashing  of  all  values  along  the  authentication  path  from 
leaf  to  root. 

13.21 Remark (changing leaf values) To change a public (leaf) value or add more values to an
authentication tree requires recomputation of the label on the root vertex. For large balanced
trees, this may involve a substantial computation. In all cases, re-establishing trust of all
users in this new root value (i.e., its authenticity) is necessary.

The  computational  cost  involved  in  adding  more  values  to  a tree  (Remark  13.21)  may 
motivate  constructing  the  new  tree  as  an  unbalanced  tree  with  the  new  leaf  value  (or  a sub- 
tree of  such  values)  being  the  right  child  of  the  root,  and  the  old  tree,  the  left.  Another 
motivation  for  allowing  unbalanced  trees  arises  when  some  leaf  values  are  referenced  far 
more  frequently  than  others. 
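As an added example (ours, not code from the Handbook), the construction in steps 1 to 4 above, the verification of Example 13.17, and the append-as-right-child extension just described, in Python. The assumptions: SHA-256 stands in for the collision-resistant h; the sample values Y1..Y4 and the "key-NNN" strings are constructed byte strings rather than real public keys; and every function name is ours. A tree is a nested tuple in which a leaf is the public value itself and an internal vertex or the root is a pair (left, right); FIG_13_6 reproduces the shape implied by Example 13.17, so the authentication path values for Y1 come out as h(Y2), h(Y3), h(Y4) in that order.

```python
import hashlib

# Added example (not from the Handbook): an authentication tree over public
# values. A tree is a nested tuple: a leaf is the public value (bytes); an
# internal vertex or the root is a pair (left, right). SHA-256 plays h.

def h(data: bytes) -> bytes:
    """The collision-resistant hash h of the text (SHA-256 here)."""
    return hashlib.sha256(data).digest()

def label(tree) -> bytes:
    """Label on the edge leaving `tree`, or on the root if `tree` is the
    whole tree: h(Y_i) for a leaf (step 2), h(h1 || h2) otherwise (3-4)."""
    if isinstance(tree, bytes):
        return h(tree)
    left, right = tree
    return h(label(left) + label(right))

def auth_path(tree, y: bytes):
    """Authentication path values for leaf value y: the label on the
    *other* edge into each vertex on the way to the root, tagged with the
    side ("L"/"R") that sibling edge is on. None if y is not a leaf."""
    if isinstance(tree, bytes):
        return [] if tree == y else None
    left, right = tree
    path = auth_path(left, y)
    if path is not None:
        return path + [(label(right), "R")]
    path = auth_path(right, y)
    if path is not None:
        return path + [(label(left), "L")]
    return None

def verify(y: bytes, path, root: bytes) -> bool:
    """Recompute the root from y and its path values (lg t hashes for a
    balanced tree); accept iff it equals the authentic root value R."""
    cur = h(y)
    for sibling, side in path:
        cur = h(cur + sibling) if side == "R" else h(sibling + cur)
    return cur == root

def balanced(values):
    """Balanced tree in the sense of Fact 13.18 over distinct values:
    every leaf depth is floor(lg t) or ceil(lg t)."""
    if len(values) == 1:
        return values[0]
    mid = (len(values) + 1) // 2
    return (balanced(values[:mid]), balanced(values[mid:]))

def append_subtree(old_tree, new_values):
    """Grow the tree without rebuilding it: the new values become a subtree
    that is the right child of a new root, the old tree its left child.
    Every old authentication path gains exactly one value."""
    return (old_tree, balanced(new_values))

# Constructed sample values standing in for public keys Y1..Y4.
Y = [b"Y%d:public-key-bytes" % i for i in range(1, 5)]

# Shape of Figure 13.6 as read off Example 13.17: (((Y1,Y2),Y3),Y4), so that
# R = h(h(h(h(Y1)||h(Y2))||h(Y3))||h(Y4)) and Y1's path is h(Y2),h(Y3),h(Y4).
FIG_13_6 = (((Y[0], Y[1]), Y[2]), Y[3])

if __name__ == "__main__":
    R = label(FIG_13_6)
    path = auth_path(FIG_13_6, Y[0])
    assert [side for _, side in path] == ["R", "R", "R"]
    assert verify(Y[0], path, R)
    assert not verify(b"Y1:substituted-key", path, R)   # altered leaf fails
    big = balanced([b"key-%03d" % i for i in range(1024)])
    assert len(auth_path(big, b"key-777")) == 10        # lg(1024) values
    grown = append_subtree(big, [b"key-%03d" % i for i in range(1024, 1030)])
    assert verify(b"key-777", auth_path(grown, b"key-777"), label(grown))
    print("authentication tree checks passed")
```

Running the file checks Y1 against R, shows that a substituted leaf value fails verification against the same path and root, and shows that after a subtree is appended as the right child of a new root every old path grows by exactly one value, so an existing key verifies against the new root at the cost of one extra hash; the new root still has to be re-authenticated to all users, as Remark 13.21 notes.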


13.4.2  Public-key  certificates 

Public-key  certificates  are  a vehicle  by  which  public  keys  may  be  stored,  distributed  or  for- 
warded over  unsecured  media  without  danger  of  undetectable  manipulation.  The  objective 
is  to  make  one  entity’s  public  key  available  to  others  such  that  its  authenticity  (i.e.,  its  status 
as  the  true  public  key  of  that  entity)  and  validity  are  verifiable.  In  practice,  X.509  certifi- 
cates are  commonly  used  (see  page  587).  Further  details  regarding  public-key  certificates 
follow. 

13.22 Definition A public-key certificate is a data structure consisting of a data part and a sig-
nature part.  The  data  part  contains  cleartext  data  including,  as  a minimum,  a public  key 
and  a string  identifying  the  party  ( subject  entity)  to  be  associated  therewith.  The  signature 
part  consists  of  the  digital  signature  of  a certification  authority  over  the  data  part,  thereby 
binding  the  subject  entity’s  identity  to  the  specified  public  key. 

The  Certification  Authority  (CA)  is  a trusted  third  party  whose  signature  on  the  cer- 
tificate vouches  for  the  authenticity  of  the  public  key  bound  to  the  subject  entity.  The  sig- 
nificance of  this  binding  (e.g.,  what  the  key  may  be  used  for)  must  be  provided  by  addi- 
tional means,  such  as  an  attribute  certificate  or  policy  statement.  Within  the  certificate,  the 
string  which  identifies  the  subject  entity  must  be  a unique  name  within  the  system  ( distin- 
guished name),  which  the  CA  typically  associates  with  a real-world  entity.  The  CA  requires 
its  own  signature  key  pair,  the  authentic  public  key  of  which  is  made  available  to  each  party 
upon  registering  as  an  authorized  system  user.  This  CA  public  key  allows  any  system  user, 
through certificate acquisition and verification, to transitively acquire trust in the authentic-
ity of  the  public  key  in  any  certificate  signed  by  that  CA. 

Certificates are a means for transferring trust, as opposed to establishing trust origi-
nally. The authenticity of the CA's public key may be originally provided by non-cryptogra-
phic means including personal acquisition, or through trusted couriers; authenticity is re-
quired, but not secrecy.

Examples  of  additional  information  which  the  certificate  data  part  might  contain  in- 
clude: 

1. a validity period of the public key;

2.  a serial  number  or  key  identifier  identifying  the  certificate  or  key; 

3.  additional  information  about  the  subject  entity  (e.g.,  street  or  network  address); 

4.  additional  information  about  the  key  (e.g.,  algorithm  and  intended  use); 

5.  quality  measures  related  to  the  identification  of  the  subject  entity,  the  generation  of 
the  key  pair,  or  other  policy  issues; 

6.  information  facilitating  verification  of  the  signature  (e.g.,  a signature  algorithm  iden- 
tifier, and  issuing  CA’s  name); 

7.  the  status  of  the  public  key  (cf.  revocation  certificates,  §13.6.3). 
(i) Creation of public-key certificates

Before  creating  a public-key  certificate  for  a subject  entity  A , the  certification  authority 
should  take  appropriate  measures  (relative  to  the  security  level  required,  and  customary 
business  practices),  typically  non-cryptographic  in  nature,  to  verify  the  claimed  identity  of 
A and  the  fact  that  the  public  key  to  be  certified  is  actually  that  of  A.  Two  cases  may  be 
distinguished. 

Case  1:  trusted  party  creates  key  pair.  The  trusted  party  creates  a public-key  pair,  as- 
signs it  to  a specific  entity,  and  includes  the  public  key  and  the  identity  of  that  entity  in  the 
certificate.  The  entity  obtains  a copy  of  the  corresponding  private  key  over  a secure  (au- 
thentic and  private)  channel  after  proving  its  identity  (e.g.,  by  showing  a passport  or  trusted 
photo-id,  in  person).  All  parties  subsequently  using  this  certificate  essentially  delegate  trust 
to  this  prior  verification  of  identity  by  the  trusted  party. 

Case  2:  entity  creates  own  key  pair.  The  entity  creates  its  own  public-key  pair,  and  se- 
curely transfers  the  public  key  to  the  trusted  party  in  a manner  which  preserves  authenticity 
(e.g.,  over  a trusted  channel,  or  in  person).  Upon  verification  of  the  authenticity  (source)  of 
the  public  key,  the  trusted  party  creates  the  public-key  certificate  as  above. 

13.23 Remark (proof of knowledge of private key) In Case 2 above, the certification authority
should require proof of knowledge of the corresponding private key, to preclude (among
other possible attacks) an otherwise legitimate party from obtaining, for malicious purposes,
a public-key certificate binding its name to the public key of another party. For the case of
signature public keys, this might be done by the party providing its own signature on a sub-
set of the data part of the certificate; or by responding to a challenge r1 randomized by the
party itself, e.g., signing h(r1||r2) for an appropriate hash function h and a random number
r2 chosen by the signer.

(ii)  Use  and  verification  of  public-key  certificates 

The overall process whereby a party B uses a public-key certificate to obtain the authentic
public  key  of  a party  A may  be  summarized  as  follows: 

1.  (One-time)  acquire  the  authentic  public  key  of  the  certification  authority. 

2.  Obtain  an  identifying  string  which  uniquely  identifies  the  intended  party  A. 

3.  Acquire  over  some  unsecured  channel  (e.g.  from  a central  public  database  of  certifi- 
cates, or  from  A directly),  a public-key  certificate  corresponding  to  subject  entity  A 
and  agreeing  with  the  previous  identifying  string. 

4.  (a)  Verify  the  current  date  and  time  against  the  validity  period  ( if  any)  in  the  cer- 

tificate, relying  on  a local  trusted  time/day-clock; 

(b)  Verify  the  current  validity  of  the  CA’s  public  key  itself; 

(c)  Verify  the  signature  on  A’s  certificate,  using  the  CA’s  public  key; 

(d)  Verify  that  the  certificate  has  not  been  revoked  (§13.6.3). 

5.  If  all  checks  succeed,  accept  the  public  key  in  the  certificate  as  A’s  authentic  key. 
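An added example (ours, not the Handbook's, and not the API of any real PKI toolkit) that runs steps 2 to 5 of the procedure above over constructed certificates, and enforces the proof-of-possession check of Remark 13.23 at issuance. The assumptions: the signature scheme is textbook RSA with random 20-bit primes and hash-then-reduce, used only so the block runs offline with the standard library (it is not secure and is not to be reused); the certificate data part is a dictionary canonicalized as sorted JSON; validity periods and the CA key's own validity end are plain integers (Unix time); and the revocation check of step 4(d) is a set of serial numbers standing in for §13.6.3. All names (issue, verify_cert, pop_response, and so on) are hypothetical.

```python
import hashlib
import json
import math
import secrets

# Added example, not from the Handbook and not any real PKI library: the
# verification procedure of (ii) and the proof-of-possession check of
# Remark 13.23, run over constructed certificates. The signature scheme is
# textbook RSA with random 20-bit primes (an assumption so the block runs
# offline with only the standard library); it is NOT secure.

def _is_prime(n: int) -> bool:
    """Miller-Rabin; bases 2,3,5,7 are deterministic for n < 3,215,031,751."""
    if n < 8:
        return n in (2, 3, 5, 7)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int = 20) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_prime(c):
            return c

def keygen():
    """Toy RSA: returns (public, private) = ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(), _random_prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _rep(msg: bytes, n: int) -> int:  # hash-then-reduce; no padding (toy)
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(private, msg: bytes) -> int:
    return pow(_rep(msg, private[0]), private[1], private[0])

def verify_sig(public, msg: bytes, sig: int) -> bool:
    return pow(sig, public[1], public[0]) == _rep(msg, public[0])

def _canon(data: dict) -> bytes:  # what the CA signs: the data part, canonical
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()

def pop_response(private, r1: bytes):
    """Remark 13.23: applicant answers CA challenge r1 with its own nonce r2
    and a signature on h(r1 || r2) (sign() hashes the concatenation)."""
    r2 = secrets.token_bytes(16)
    return r2, sign(private, r1 + r2)

def issue(ca_private, subject: str, subject_pk, r1: bytes, r2: bytes,
          pop_sig: int, not_before: int, not_after: int, serial: int):
    """Case 2 of (i): certify a subject-generated key only after proof of
    possession, so nobody gets another party's key bound to their own name."""
    if not verify_sig(subject_pk, r1 + r2, pop_sig):
        raise ValueError("proof of possession failed; certificate not issued")
    data = {"subject": subject, "public_key": list(subject_pk),
            "not_before": not_before, "not_after": not_after,
            "serial": serial, "issuer": "CA", "sig_alg": "toy-rsa-sha256"}
    return {"data": data, "signature": sign(ca_private, _canon(data))}

def verify_cert(cert, expected_subject: str, ca_public, ca_key_valid_until: int,
                now: int, revoked_serials):
    """Steps 2-5 of (ii); step 1 (authentic ca_public) happens out of band.
    Returns (public_key, "ok") or (None, reason)."""
    data = cert["data"]
    if data["subject"] != expected_subject:                   # step 3
        return None, "certificate is for a different subject"
    if not data["not_before"] <= now <= data["not_after"]:    # step 4(a)
        return None, "outside validity period"
    if now > ca_key_valid_until:                              # step 4(b)
        return None, "CA public key no longer valid"
    if not verify_sig(ca_public, _canon(data), cert["signature"]):  # 4(c)
        return None, "bad CA signature (tampered or forged)"
    if data["serial"] in revoked_serials:                     # step 4(d)
        return None, "certificate revoked"
    return tuple(data["public_key"]), "ok"                    # step 5

if __name__ == "__main__":
    ca_pk, ca_sk = keygen()
    a_pk, a_sk = keygen()
    r1 = secrets.token_bytes(16)
    r2, pop = pop_response(a_sk, r1)
    cert = issue(ca_sk, "CN=A", a_pk, r1, r2, pop, 1_700_000_000, 1_731_536_000, 1)
    print(verify_cert(cert, "CN=A", ca_pk, 1_800_000_000, 1_710_000_000, set()))
```

The checks run in the order of step 4, and each failure returns a reason instead of raising, so a caller can tell a stale local clock (4a) from a data part that was altered after signing (4c) or a serial on the revocation list (4d). The issuance path is the one Remark 13.23 asks for: the CA picks r1, the applicant picks r2 and signs h(r1||r2), and the CA refuses to issue when that signature does not verify under the submitted public key, so a party cannot have somebody else's key certified under its own name.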

13.24 Remark (life cycle reasons for single-key certificates) Due to differing life cycle require-
ments for  different  types  of  keys  (e.g.,  differing  cryptoperiods,  backup,  archival,  and  other 
lifetime  protection  requirements  - see  §13.7),  separate  certificates  are  recommended  for 
separate  keys,  as  opposed  to  including  several  keys  in  a single  certificate.  See  also  Re- 
mark 13.32. 
(iii) Attribute certificates

Public-key  certificates  bind  a public  key  and  an  identity,  and  include  additional  data  fields 
necessary  to  clarify  this  binding,  but  are  not  intended  for  certifying  additional  information. 
Attribute certificates are similar to public-key certificates, but specifically intended to allow
specification  of  information  ( attributes ) other  than  public  keys  (but  related  to  a CA,  entity, 
or  public  key),  such  that  it  may  also  be  conveyed  in  a trusted  ( verifiable)  manner.  Attribute 
certificates  may  be  associated  with  a specific  public  key  by  binding  the  attribute  informa- 
tion to  the  key  by  the  method  by  which  the  key  is  identified,  e.g.,  by  the  serial  number  of  a 
corresponding  public-key  certificate,  or  to  a hash-value  of  the  public  key  or  certificate. 

Attribute  certificates  may  be  signed  by  an  attribute  certification  authority , created  in 
conjunction  with  an  attribute  registration  authority,  and  distributed  in  conjunction  with  an 
attribute directory service (cf. Figure 13.3). More generally, any party with a signature key
and  appropriate  recognizable  authority  may  create  an  attribute  certificate.  One  application 
is  to  certify  authorization  information  related  to  a public  key.  More  specifically,  this  may 
be  used,  for  example,  to  limit  liability  resulting  from  a digital  signature,  or  to  constrain  the 
use  of  a public  key  (e.g.,  to  transactions  of  limited  values,  certain  types,  or  during  certain 
hours). 


13.4.3  Identity-based  systems 

Identity-based  systems  resemble  ordinary  public-key  systems,  involving  a private  transfor- 
mation and  a public  transformation,  but  users  do  not  have  explicit  public  keys  as  before.  In- 
stead, the  public  key  is  effectively  replaced  by  (or  constructed  from)  a user’s  publicly  avail- 
able identity  information  (e.g. , name  and  network  or  street  address).  Any  publicly  available 
information  which  uniquely  identifies  a user  and  can  be  undeniably  associated  with  the  user, 
may  serve  as  the  identity  information. 

13.25  Definition  An  identity-based  cryptographic  system  (ID-based  system)  is  an  asymmetric 
system  wherein  an  entity’s  public  identification  information  (unique  name)  plays  the  role 
of  its  public  key,  and  is  used  as  input  by  a trusted  authority  T (along  with  T’s  private  key) 
to  compute  the  entity’s  corresponding  private  key. 

After  computing  it,  T transfers  the  entity’s  private  key  to  the  entity  over  a secure  (au- 
thentic and  private)  channel.  This  private  key  is  computed  from  not  only  the  entity’s  identity 
information,  but  must  also  be  a function  of  some  privileged  information  known  only  to  T 
(T’s  private  key).  This  is  necessary  to  prevent  forgery  and  impersonation  - it  is  essential 
that  only  T be  able  to  create  valid  private  keys  corresponding  to  given  identification  in- 
formation. Corresponding  (authentic)  publicly  available  system  data  must  be  incorporated 
in  the  cryptographic  transformations  of  the  ID-based  system,  analogous  to  the  certification 
authority’s  public  key  in  certificate-based  systems.  Figure  13.7(b)  on  page  564  illustrates 
the design of an identity-based system. In some cases, additional system-defined public
data D_A must be associated with each user A in addition to its a priori identity ID_A (see
Remark 13.27); such systems are no longer "purely" identity-based, although neither the
authenticity of D_A nor ID_A need be explicitly verified.

13.26 Remark (authenticity in ID-based systems) ID-based systems differ from public-key sys-
tems in  that  the  authenticity  of  user-specific  public  data  is  not  (and  need  not  be)  explicitly 
verified,  as  is  necessary  for  user  public  keys  in  certificate-based  systems.  The  inherent  re- 
dundancy of  user  public  data  in  ID-based  systems  (derived  through  the  dependence  of  the 
corresponding private key thereon), together with the use of authentic public system data,
implicitly protects against forgery; if incorrect user public data is used, the cryptographic
transformations  simply  fail.  More  specifically:  signature  verification  fails,  entity  authenti- 
cation fails,  public-key  encryption  results  in  undecipherable  text,  and  key-agreement  results 
in  parties  establishing  different  keys,  respectively,  for  (properly  constructed)  identity-based 
signature,  authentication,  encryption,  and  key  establishment  mechanisms. 

The  motivation  behind  ID-based  systems  is  to  create  a cryptographic  system  modeling 
an  ideal  mail  system  wherein  knowledge  of  a person’s  name  alone  suffices  to  allow  mail  to 
be  sent  which  that  person  alone  can  read,  and  to  allow  verification  of  signatures  that  person 
alone  could  have  produced.  In  such  an  ideal  cryptographic  system: 

1. users need exchange neither symmetric keys nor public keys;

2.  public  directories  (files  of  public  keys  or  certificates)  need  not  be  kept;  and 

3.  the  services  of  a trusted  authority  are  needed  solely  during  a set-up  phase  (during 
which  users  acquire  authentic  public  system  parameters,  to  be  maintained). 

13.27 Remark (ideal vs. actual ID-based systems) A drawback in many concrete proposals of
ID-based systems is that the required user-specific identity data includes additional data (an
integer or public data value), denoted D_A in Figure 13.7(b), beyond an a priori identity
ID_A. For example, see Note 10.29(ii) on Feige-Fiat-Shamir identification. Ideally, D_A is
not required, as a primary motivation for identity-based schemes is to eliminate the need
to transmit public keys, to allow truly non-interactive protocols with identity information
itself sufficing as an authentic public key. The issue is less significant in signature and iden-
tification schemes where the public key of a claimant is not required until receiving a mes-
sage from that claimant (in this case D_A is easily provided); but in this case, the advantage
of identity-based schemes diminishes. It is more critical in key agreement and public-key
encryption applications where another party's public key is needed at the outset. See also
Remark 13.31.

13.28  Example  ( ID-based  system  implemented  using  chipcards ) A simplified  ID-based  system 

based  on  chipcards  may  be  run  as  follows.  A third  party  T,  acting  as  a trusted  key  genera- 
tion system,  is  responsible  solely  for  providing  each  user  a chipcard  during  a set-up  phase, 
containing  that  party’s  ID-based  private  key,  after  carrying  out  a thorough  identity  check. 
If  no  further  users  need  be  added,  T may  publish  the  public  system  data  and  cease  to  exist. 
Users  are  responsible  for  not  disclosing  their  private  keys  or  losing  their  cards.  □ 


13.4.4  Implicitly-certified  public  keys 

Another  variation  of  public-key  systems  is  asymmetric  systems  with  implicitly-certified 
public  keys.  Here  explicit  user  public  keys  exist  (see  Figure  13.7(c)),  but  they  must  be  re- 
constructed rather  than  transported  by  public-key  certificates  as  per  certificate-based  sys- 
tems. For  other  advantages,  see  Remark  13.30.  Examples  of  specific  such  mechanisms  are 
given  in  §12.6.2.  Systems  with  implicitly-certified  public  keys  are  designed  such  that: 

1. Entities' public keys may be reconstructed (by other parties) from public data (which
essentially  replace  a certificate). 

2.  The  public  data  from  which  a public  key  is  reconstructed  includes: 

(a)  public  (i.e.,  system)  data  associated  with  a trusted  party  T ; 

(b)  the  user  entity’s  identity  (or  identifying  information,  e.g.,  name  and  address); 

(c)  additional  per-user  public  data  ( reconstruction  public  data). 
3. The integrity of a reconstructed public key is not directly verifiable, but a "correct"
public  key  can  be  recovered  only  from  authentic  user  public  data. 

Regarding  authenticity  of  reconstructed  public  keys,  the  system  design  must  guarantee: 

1.  Alteration  of  either  a user’s  identity  or  reconstruction  public  data  results  in  recov- 
ery of  a corrupted  public  key,  which  causes  denial  of  service  but  not  cryptographic 
exposure  (as  per  Remark  13.26). 

2.  It  is  computationally  infeasible  for  an  adversary  (without  knowledge  of  T’s  private 
data)  to  compute  a private  key  corresponding  to  any  party’s  public  key,  or  to  construct 
a matching  user  identity  and  reconstruction  public  data  for  which  a corresponding 
private  key  may  also  be  computed.  Reconstructed  public  keys  are  thus  implicitly  au- 
thenticated by  construction. 

13.29 Remark (applications of implicitly-certified keys) Implicitly-certified public keys may be
used  as  an  alternate  means  for  distributing  public  keys  (e.g.,  Diffie-Hellman  keys  - see 
§ 12.6.3)  in  various  key  agreement  protocols,  or  in  conjunction  with  identification  protocols, 
digital  signature  schemes,  and  public-key  encryption  schemes. 

Classes  of  implicitly-certified  public  keys 

Two  classes  of  implicitly-certified  public  keys  may  be  distinguished: 

1.  identity-based  public  keys  (Class  1).  The  private  key  of  each  entity  A is  computed 
by  a trusted  party  T,  based  on  A’s  identifying  information  and  T’s  private  key;  it  is 
also  a function  of  A’s  user-specific  reconstruction  public  data,  which  is  fixed  a priori 
by T. A's private key is then securely transferred by T to A. An example is Mecha-
nism 12.59.

2.  self-certified  public  keys  ( Class  2 ).  Each  entity  A itself  computes  its  private  key  and 
corresponding  public  key.  A’s  reconstruction  public  data  (rather  than  A’s  private  key, 
as in Class 1) is computed by T as a function of the public key (transferred to T by A),
A’s  identifying  information,  and  T’s  private  key.  An  example  is  Mechanism  12.61. 

Class  1 requires  more  trust  in  the  third  party,  which  therein  has  access  to  users’  private 
keys.  This  differs  from  Class  2,  as  emphasized  by  the  term  “self”  in  “self-certified”,  which 
refers  to  the  knowledge  of  this  key  being  restricted  to  the  entity  itself. 


13.4.5  Comparison  of  techniques  for  distributing  public  keys 

§13.4  began  with  an  overview  of  techniques  for  addressing  authenticity  in  public  key  dis- 
tribution. The  basic  approaches  of  §13.4.2,  §13.4.3,  and  §13.4.4  are  discussed  further  here. 
Figure  13.7  illustrates  corresponding  classes  of  asymmetric  signature  systems,  contrasting 
public-key  systems  (with  explicit  public  keys),  identity-based  systems  (the  public  key  is  a 
user’s  identity  information),  and  systems  with  implicitly-certified  public  keys  (an  explicit 
public  key  is  reconstructed  from  user  public  data).4  The  main  differences  are  as  follows: 

1. Certificate-based public-key systems have explicit public keys, while ID-based sys-
tems do not; in implicitly-certified systems explicit public keys are reconstructed.
The  explicit  public  key  in  public-key  systems  (Figure  13.7(a))  is  replaced  by: 

(a) the triplet (D_A, ID_A, P_T) for identity-based systems (Figure 13.7(b)). ID_A is
an identifying string for A, D_A is additional public data (defined by T and re-
lated to ID_A and A's private key), and P_T consists of the trusted public key (or
system parameters) of a trusted authority T.

4While  the  figure  focuses  (for  concreteness)  on  signature  systems,  concepts  carry  over  analogously  for  asym- 
metric entity  authentication,  key  establishment,  and  encryption  systems. 
Figure 13.7: Key management in different classes of asymmetric signature systems.
[Figure not reproduced. Panels: (a) Public key system (explicit public keys); (b) Identity-based system, where S_T, P_T are T's private and public keys and D_A is A's public data; (c) System with implicitly-certified public keys, shown for (i) identity-based public keys and (ii) self-certified public keys. Each panel depicts Party A and Party B.]
(b) the triplet (R_A, ID_A, P_T) for systems with implicitly-certified public keys (Fig-
ure 13.7(c)). In this case, an explicit public key P_A is reconstructed from these
parameters. The reconstruction public data R_A plays a role analogous to the
public data D_A in Figure 13.7(b).

2.  The  authenticity  of  public  keys  can  (and  must)  be  explicitly  verified  in  certificate- 
based  systems,  but  not  (and  need  not)  in  ID-based  or  implicitly-certified  systems. 

3.  The  trusted  authority  need  not  know  users’  private  keys  in  certificate-based  public- 
key  systems  or  implicitly-certified  systems  with  self-certified  public  keys;  but  does 
in  ID-based  systems,  and  in  implicitly-certified  systems  with  ID-based  keys. 

4.  Similar  to  identity-based  systems  (§13.4.3),  implicitly-certified  public  keys  (of  both 
classes)  depend  on  an  entity’s  identifying  information,  and  in  this  sense  are  also 
“identity-based”.  However,  ID-based  systems  avoid  explicit  public  keys  entirely  (a 
user’s  identity  data  is  essentially  its  public  key),  while  implicitly-certified  public  keys 
are  not  restricted  to  user  identities  and  may  be  explicitly  computed  (and  thus  more 
easily  used  in  conjunction  with  ordinary  public-key  schemes). 

5.  The  two  classes  of  implicitly-certified  public  keys  (Figure  13.7(c))  differ  in  their  re- 
lationship between  users’  reconstruction  public  data  and  private  keys  as  follows. 

(a)  Class  1:  a user’s  private  key  is  computed  as  a function  of  the  reconstruction 
data,  and  this  private  key  is  computed  by  the  trusted  authority; 

(b)  Class  2:  the  reconstruction  data  is  computed  as  a function  of  the  user’s  public 
key,  and  the  corresponding  private  key  is  computed  by  the  party  itself. 

6.  In  all  three  approaches,  at  some  stage  a third  party  which  is  trusted  to  some  level  (cf. 
Note 13.7) is required to provide a link transferring trust between users who may have
never  met  each  other  and  may  share  nothing  in  common  other  than  authentic  system 
parameters  (and  possibly  knowledge  of  other  users’  identities). 

13.30 Remark (implicitly-certified public keys vs. public-key certificates) Advantages of
implicitly-certified public keys over public-key certificates include: possibly reduced space
requirements (signed certificates require storage for signatures); possible computational
savings (signature verification, as required for certificates, is avoided); and possible
communications savings (e.g. if identity-based and the identity is known a priori). Countering
these points, computation is actually required to reconstruct a public key; and additional
reconstruction public data is typically required.

13.31 Remark (key revocation in ID-based systems) Revocation of public keys may be
addressed in ID-based schemes and systems using implicitly-certified public keys by
incorporating information such as a key validity period or serial number into the
identification string used to compute an entity's public key (cf. Remark 13.27). The
revocation issue is then analogous to that for public-key certificates. Additional
information, e.g., pertaining to key usage or an associated security policy, may similarly
be incorporated.
13.5  Techniques  for  controlling  key  usage 

This  section  considers  techniques  for  restricting  keys  to  pre-authorized  uses. 


13.5.1  Key  separation  and  constraints  on  key  usage 

Information  that  may  be  associated  with  cryptographic  keys  includes  both  attributes  which 
restrict  their  use,  and  other  information  of  operational  use.  These  include: 

1.  owner  of  key 

2.  validity  period  (intended  cryptoperiod) 

3.  key  identifier  ( allowing  non-cryptographic  reference  to  the  key) 

4.  intended  use  (see  Table  13.2  for  a coarse  selection) 

5.  specific  algorithm 

6.  system  or  environment  of  intended  use,  or  authorized  users  of  key 

7.  names  of  entities  associated  with  key  generation,  registration,  and  certification 

8.  integrity  checksum  on  key  (usually  part  of  authenticity  requirement) 

Key  separation  and  the  threat  of  key  misuse 

In  simple  key  management  systems,  information  associated  with  keys,  including  authorized 
uses,  are  inferred  by  context.  For  additional  clarity  or  control,  information  explicitly  spec- 
ifying allowed  uses  may  accompany  distributed  keys  and  be  enforced  by  verification,  at 
the  time  of  use,  that  the  attempted  uses  are  authorized.  If  control  information  is  subject  to 
manipulation,  it  should  be  bound  to  the  key  by  a method  which  guarantees  integrity  and  au- 
thenticity, e.g.,  through  signatures  (cf.  public-key  certificates)  or  an  encryption  technique 
providing  data  integrity. 

The  principle  of  key  separation  is  that  keys  for  different  purposes  should  be  crypto- 
graphically separated  (see  Remark  13.32).  The  threat  of  key  misuse  may  be  addressed  by 
techniques  which  ensure  that  keys  are  used  only  for  those  purposes  pre-authorized  at  the 
time  of  key  creation.  Restrictions  on  key  usage  may  be  enforced  by  procedural  techniques, 
physical  protection  (tamper-resistant  hardware),  or  cryptographic  techniques  as  discussed 
below. 

Discussion  of  other  methods  in  §13.5.2  includes  key  tags,  which  allow  key  separation 
with  explicitly-defined  uses;  key  variants,  which  separate  keys  without  explicitly  defining 
authorized  uses;  and  key  notarization  and  control  vectors,  which  bind  control  information 
into  the  process  by  which  keys  are  derived. 

13.32  Remark  (cryptographic  reasons  for  key  separation)  A principle  of  sound  cryptographic 
design  is  to  avoid  use  of  the  same  cryptographic  key  for  multiple  purposes.  A key-encrypt- 
ing key  should  not  be  used  interchangeably  as  a data  encryption  key,  since  decrypted  keys 
are  not  generally  made  available  to  application  programs,  whereas  decrypted  data  is.  Dis- 
tinct asymmetric  encryption  and  signature  keys  are  also  generally  used,  due  to  both  dif- 
fering life  cycle  requirements  and  cryptographic  prudence.  Flaws  also  potentially  arise  if: 
asymmetric  keys  are  used  for  both  signatures  and  challenge-response  entity  authentication 
(Remark  10.40);  keys  are  used  for  both  encryption  and  challenge-response  entity  authen- 
tication (chosen-text  attacks);  symmetric  keys  are  used  for  both  encryption  and  message 
authentication  (Example  9.88).  See  also  Remark  13.24. 
13.5.2  Techniques  for  controlling  use  of  symmetric  keys 

The  main  technique  discussed  below  is  the  use  of  control  vectors.  For  historical  context, 
key  tags/key  variants  and  key  notarization  are  also  discussed. 

(i)  Key  tags  and  key  variants 

Key  tags  provide  a simplified  method  for  specifying  allowed  uses  of  keys  (e.g.,  data-encryp- 
ting  vs.  key-encrypting  keys).  A key  tag  is  a bit-vector  or  structured  field  which  accompa- 
nies and  remains  associated  with  a key  over  its  lifetime.  The  tag  bits  are  encrypted  jointly 
with  the  key  and  thereby  bound  to  it,  appearing  in  plaintext  form  only  when  the  key  is  de- 
crypted. If  the  combination  of  tag  bits  and  key  are  sufficiently  short  to  allow  encryption  in 
a single  block  operation  (e.g.,  a 56-bit  key  with  an  8-bit  tag  for  a 64-bit  block  cipher),  then 
the  inherent  integrity  provided  by  encryption  precludes  meaningful  manipulation  of  the  tag. 

A naive  method  for  providing  key  separation  is  to  derive  separate  keys  from  a single 
base  key  (or  derivation  key)  using  additional  non-secret  parameters  and  a non-secret  func- 
tion. The  resulting  keys  are  called  key  variants  or  derived  keys. 

One technique for varying keys is key offsetting, whereby a key-encrypting key K is
modified on a per-use basis by a counter N incremented after each use. This may prevent
replay of encrypted keys. The modified key $K \oplus N$ is used to encrypt another (e.g., session)
key. The recipient likewise modifies K to decrypt the session key. A second technique,
complementing alternate 4-bit blocks of K commencing with the first 4 bits, is a special
case of fixed-mask offsetting (Example 13.33).

13.33 Example (key variants using fixed-mask offsets) Suppose exactly three classes of keys are
desired. Construct keys by using variations $K_1$ and $K_2$ of a master key K, with
$K_1 = K \oplus v_1$, $K_2 = K \oplus v_2$, and $v_1$, $v_2$ nonsecret mask values. Using K, $K_1$, and $K_2$ to
encrypt other keys then allows key separation of the latter into three classes. □

If the derivation process is invertible, the base key can be recovered from the derived
key. Ideally, the derivation technique is non-reversible (one-way), implying that
compromise of one derived key would not compromise the base key or other derived keys (cf.
§13.7.1 on security impacts of related keys). Yet another example of key derivation (see
§12.3.1) has this property: compute $K_i = E_K(r_i)$ where $r_i$ is a random number, or replace
the encryption function E by a MAC, or simply hash K and $r_i$ using a hash function h with
suitable properties.
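As an added illustration (not part of the Handbook's text) of the difference between the reversible variants of Example 13.33 and the one-way derivation just described: Python, with a constructed 64-bit base key, the mask $v_1$ = f0f0...f0 (complementing alternate nibbles, starting with the first) and a second mask $v_2$ as non-secret parameters, and HMAC-SHA256 standing in for the MAC of the last sentence (an assumption; the text fixes no particular MAC or cipher).

```python
"""Key variants: reversible fixed-mask / counter offsets (Example 13.33)
versus one-way derivation K_i = MAC_K(r_i)."""
import hashlib
import hmac


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed 64-bit base key (assumption); the masks are non-secret.
K = bytes.fromhex("0123456789abcdef")
V1 = bytes.fromhex("f0f0f0f0f0f0f0f0")  # complement alternate nibbles, first 4 bits first
V2 = bytes.fromhex("0f0f0f0f0f0f0f0f")  # a second, distinct public mask


def fixed_mask_variants(base: bytes) -> tuple:
    """Example 13.33: three KEK classes (K, K xor v1, K xor v2)."""
    return base, xor(base, V1), xor(base, V2)


def offset_key(base: bytes, counter: int) -> bytes:
    """Key offsetting: K xor N with N a per-use counter; the recipient tracks
    the same counter, so a replayed wrapped key no longer decrypts."""
    return xor(base, counter.to_bytes(len(base), "big"))


def base_from_variant(variant: bytes, mask: bytes) -> bytes:
    """Masking is invertible: one variant plus the public mask gives the base key."""
    return xor(variant, mask)


def sibling_keys_exposed(variant: bytes, mask: bytes) -> tuple:
    """What a compromise of one fixed-mask variant yields: all three classes."""
    return fixed_mask_variants(base_from_variant(variant, mask))


def one_way_variant(base: bytes, r: bytes) -> bytes:
    """Section 12.3.1 style derivation with a MAC in place of E: K_i = MAC_K(r_i),
    truncated to the base key length (assumption: HMAC-SHA256). Recovering K or
    another K_j from one K_i would require inverting the MAC."""
    return hmac.new(base, r, hashlib.sha256).digest()[:len(base)]
```

The contrast is the security impact of a related-key compromise: `sibling_keys_exposed` shows that anyone who learns $K_1$ learns K and $K_2$ as well, whereas the one-way variants share no such relation, which is the property §13.7.1 is concerned with.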

(ii)  Key  notarization 

Key  notarization  is  a technique  intended  to  prevent  key  substitution  by  requiring  explicit 
specification  of  the  identities  of  parties  involved  in  a keying  relationship.  A key  is  au- 
thenticated with  respect  to  these  identities  (preventing  impersonation)  by  modifying  a key- 
encrypting key  such  that  the  correct  identities  must  be  specified  to  properly  recover  the  pro- 
tected key.  The  key  is  said  to  be  sealed  with  these  identities.  Preventing  key  substitution 
is  a requirement  in  all  (authenticated)  key  establishment  protocols.  Notarization  requires 
proper  control  information  for  accurate  recovery  of  encrypted  keys,  providing  implicit  pro- 
tection analogous  to  implicitly-certified  public  keys  (§13.4.4). 

The basic technique (simple key notarization) involves a trusted server (notary), or one
of the parties sharing the key, using a key-encrypting key K to encrypt a session key S,
intended for use with the originating party i and the recipient j, as: $E_{K \oplus (i \| j)}(S)$. Here i and
j are assumed to identify unique entities in the given system. The party intending to recover
S from this must share K and explicitly specify i and j in the correct order, otherwise a
random key will be recovered. The analogy to a notary originated from the assumption that the
third party properly authenticates the identities of the intended parties, and then provides a
session key which may only be recovered by these parties. A more involved process, key
notarization with offsetting, is given in Example 13.34.

13.34 Example (key notarization with offsetting) Let E be a block cipher operating on 64-bit
blocks with 64-bit key, $K = K_L \| K_R$ be a 128-bit key-encrypting key, N a 64-bit counter,
and $i = i_L \| i_R$, $j = j_L \| j_R$ 128-bit source and destination identifiers. For key notarization
with offsetting, compute:
$K_1 = E_{K_R \oplus i_L}(j_R) \oplus K_L \oplus N$, $K_2 = E_{K_L \oplus j_L}(i_R) \oplus K_R \oplus N$.
The resulting 128-bit notarized key $(K_1, K_2)$ then serves as a key-encrypting key in two-key
triple-encryption. The leftmost terms $f_1(K_R, i, j)$ and $f_2(K_L, i, j)$ in the computation
of $K_1$, $K_2$ above are called notary seals, which, when combined with $K_L$ and $K_R$,
respectively, result in quantities analogous to those used in simple key notarization (i.e.,
functions of K, i, j). For K a 64-bit (single-length) key, the process is modified as follows:
using $K_L = K_R = K$, compute the notary seals $f_1(K_R, i, j)$, $f_2(K_L, i, j)$ as above,
concatenate the leftmost 32 bits of $f_1$ with the rightmost 32 bits of $f_2$ to obtain f, then
compute $f \oplus K \oplus N$ as the notarized key. □

(iii)  Control  vectors 

While key notarization may be viewed as a mechanism for establishing authenticated keys,
control vectors provide a method for controlling the use of keys, by combining the idea of
key tags with the mechanism of simple key notarization. Associated with each key S is a
control vector C, which is a data field (similar to a key tag) defining the authorized uses of
the key (effectively typing the key). It is bound to S by varying a key-encrypting key K
before encryption: $E_{K \oplus C}(S)$.

Key decryption thus requires the control vector be properly specified, as well as the
correct key-encrypting key; if the combined quantity $K \oplus C$ is incorrect, a spurious key of
no advantage to an adversary is recovered. Cryptographically binding the control vector C
to S at the time of key generation prevents unauthorized manipulation of C, assuming only
authorized parties have access to the key-encrypting key K.

Control vectors may encompass key notarization by using one or more fields in C to
specify identities. In relation to standard models for access control (Note 13.35), a control
vector may be used to specify a subject's identity ($S_i$) and privileges ($A_{i,j}$) regarding the
use of a key ($K_j$).

At time of use for a specific cryptographic operation, the control vector is input as well
as the protected key. At this time, a check is made that the requested operation complies
with the control vector; if so, the key is decrypted using the control vector. If the control
vector does not match that bound to the protected key (or if K is incorrect), the recovered
key $S' \ne S$ will be spurious. Security here is dependent on the assumption that checking
is inseparable from use, and done within a trusted subsystem.

If the bitsize of the control vector C differs from that of the key K, a collision-resistant
hash function may be used prior to coupling. This allows arbitrary length control vectors.
Thus a 128-bit key K and a hash function h with 128-bit output may be used to encrypt S
as: $E_{K \oplus h(C)}(S)$.
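The two constructions $E_{K \oplus (i \| j)}(S)$ (simple key notarization) and $E_{K \oplus h(C)}(S)$ (control vectors), as an added worked example, not code from the Handbook. Assumptions made here: XTEA (64-bit block, 128-bit key) stands in for the unspecified block cipher E; SHA-256 truncated to 128 bits stands in for h; i and j are 64-bit identifiers; the session key S is 128 bits and is wrapped as two independent block encryptions; and the control-vector field syntax `ops=...;type=...` is invented for the example. The `use_key` entry point models the trusted subsystem in which the compliance check is inseparable from decryption.

```python
"""Simple key notarization E_{K xor (i||j)}(S) and control vectors E_{K xor h(C)}(S)
over a 64-bit block cipher. XTEA and SHA-256 are stand-ins for E and h (assumptions)."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9


def xtea_block(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """One XTEA block operation (32 rounds): 16-byte key, 8-byte block."""
    v0, v1 = struct.unpack(">2I", block)
    k = struct.unpack(">4I", key)
    if not decrypt:
        s = 0
        for _ in range(32):
            v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
            s = (s + DELTA) & MASK32
            v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    else:
        s = (32 * DELTA) & MASK32
        for _ in range(32):
            v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
            s = (s - DELTA) & MASK32
            v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap(kek: bytes, s: bytes, decrypt: bool = False) -> bytes:
    """Encrypt (or decrypt) a 128-bit key S as two independent blocks under kek.
    A wrong kek yields a uniformly-looking spurious key, never an error."""
    return b"".join(xtea_block(kek, s[i:i + 8], decrypt) for i in (0, 8))


# --- simple key notarization: the KEK is sealed with the identities i, j ---
def notarized_kek(kek: bytes, i: bytes, j: bytes) -> bytes:
    """K xor (i||j) for 64-bit identifiers; the order of i and j matters."""
    return xor(kek, i + j)


# --- control vectors: the KEK is varied by h(C) so C must be presented at use ---
def cv_kek(kek: bytes, cv: bytes) -> bytes:
    """K xor h(C), h = SHA-256 truncated to 128 bits (assumption)."""
    return xor(kek, hashlib.sha256(cv).digest()[:16])


def permitted_ops(cv: bytes) -> set:
    """Control-vector field format assumed for the example: b'ops=enc,mac;type=data'."""
    fields = dict(f.split(b"=", 1) for f in cv.split(b";") if b"=" in f)
    return set(fields.get(b"ops", b"").split(b","))


def use_key(kek: bytes, cv: bytes, protected: bytes, op: bytes) -> bytes:
    """Trusted-subsystem entry point. The check and the decryption are one step:
    a C that authorises op but is not the C bound at wrap time still passes the
    check, yet decrypts to a spurious S' != S."""
    if op not in permitted_ops(cv):
        raise PermissionError(f"operation {op!r} not authorised by control vector")
    return wrap(cv_kek(kek, cv), protected, decrypt=True)
```

Note that `use_key` never reports whether the recovered key is the right one; as Remark 13.37 says, an integrity check on the recovered key (e.g. encrypting a recognisable value under it) is a separate step.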

13.35 Note (models for access control) Several methods are available to control access to
resources. The access matrix model uses a 2-dimensional matrix $A_{i \times j}$ with a row for each
subject ($S_i$) and a column for each object ($O_j$), and relies on proper identification of
subjects $S_i$. Each access record $A_{i,j}$ specifies the privileges entity $S_i$ has on object $O_j$ (e.g.,
an application program may have read, write, modify, or execute privileges on a file). Column
j may alternately serve as an access list for object $O_j$, having entries $(S_i, P_{i,j})$ where
$P_{i,j} = A_{i,j}$ specifies privileges. Another method of resource protection uses the idea of
capabilities: a capability (O, P) specifies an object O and privilege set P related to O, and
functions as a ticket: possession of capability (O, P) grants the holder the specified
privileges, without further validation or ticket-holder identification.

13.36 Example (sample uses of control vectors) Control vectors may be used to provide a
public-key like functionality as follows (cf. Remark 13.14). Two copies of a symmetric key
are distributed, one typed to allow encryption only (or MAC generation), and a second
allowing decryption only (or MAC verification). Other sample uses of control fields include:
allowing random number generation; allowing ciphertext translation (e.g., in KTCs);
distinguishing data encryption and key encryption keys; or incorporation of any field within a
public-key certificate. □

13.37  Remark  ( key  verification  and  preventing  replay)  Replay  of  keys  distributed  by  key 
transport  protocols  may  be  countered  by  the  same  techniques  used  to  provide  unique- 
ness/timeliness and  prevent  replay  of  messages  - sequence  numbers,  timestamps,  and 
challenge-response techniques (§10.3.1). Before a key resulting from a key derivation,
notarization, or control vector technique is actually used, verification of its integrity may be
desirable  (cf.  key  confirmation,  §12.2).  This  can  be  achieved  using  standard  techniques  for 
data  integrity  (Figure  9.8).  A simple  method  involves  the  originator  sending  the  encryption 
(under  the  key  in  question)  of  a data  item  which  the  recipient  can  recognize. 


13.6  Key  management  involving  multiple  domains 

This  section  considers  key  management  models  for  systems  involving  multiple  domains  or 
authorities,  as  opposed  to  the  simpler  single-domain  models  of  §13.2.3. 

13.38  Definition  A security  domain  (domain)  is  defined  as  a (sub)system  under  the  control  of  a 
single  authority  which  the  entities  therein  trust.  The  security  policy  in  place  over  a domain 
is  defined  either  implicitly  or  explicitly  by  its  authority. 

The  trust  that  each  entity  in  a domain  has  in  its  authority  originates  from,  and  is  main- 
tained through,  an  entity-specific  shared  secret  key  or  password  (in  the  symmetric  case),  or 
possession  of  the  authority’s  authentic  public  key  (in  the  asymmetric  case).  This  allows  se- 
cure communications  channels  (with  guaranteed  authenticity  and/or  confidentiality)  to  be 
established  between  the  entity  and  authority,  or  between  two  entities  in  the  same  domain. 
Security  domains  may  be  organized  (e.g.,  hierarchically)  to  form  larger  domains. 


13.6.1  Trust  between  two  domains 

Two parties A and B, belonging to distinct security domains $D_A$ and $D_B$ with respective
trusted authorities $T_A$ and $T_B$, may wish to communicate securely (or A may wish to access
resources from a distinct domain $D_B$). This can be reduced to the requirement that A and
B either:
1. (share a symmetric key) establish a shared secret key $K_{AB}$ which both trust as being
known only to the other (and possibly trusted authorities); or

2. (share trusted public keys) acquire trust in one or more common public keys which
may be used to bridge trust between the domains, e.g., allowing verification of the
authenticity of messages purportedly from the other, or ensuring the confidentiality of
messages sent to the other.

Either  of  these  is  possible  provided  Ta  and  Tb  have  an  existing  trust  relationship,  based  on 
either  trusted  public  keys  or  shared  secret  keys. 

If $T_A$ and $T_B$ do have an existing trust relationship, either requirement may be met by
using this and other initial pairwise trust relationships, which allow secure communications
channels between the pairs $(A, T_A)$, $(T_A, T_B)$, and $(T_B, B)$, to be successively used to
establish the objective trust relationship (A, B). This may be done by A and B essentially
delegating to their respective authorities the task of acquiring trust in an entity under the
other authority (as detailed below).

If  Ta  and  Tb  do  not  share  an  existing  trust  relationship  directly,  a third  authority  Tc, 
in  which  they  both  do  trust,  may  be  used  as  an  intermediary  to  achieve  the  same  end  result. 
This  is  analogous  to  a chain  of  trust  in  the  public-key  case  (§13.6.2).  The  two  numbered 
options  beginning  this  subsection  are  now  discussed  in  further  detail. 


Domain  Da  Domain  DB 


Figure  13.8:  Establishing  trust  between  users  in  distinct  domains. 


1.  trusted  symmetric  key:  Trust  in  a shared  secret  key  may  be  acquired  through  a variety 
of  authenticated  key  establishment  techniques  (see  §12.3  for  detailed  protocols).  An 
outline  of  steps  by  which  parties  A and  B above  may  do  so  follows,  with  reference 
to  Figure  13.8. 

(a)  A makes  a request  to  Ta  to  obtain  a key  to  share  with  B (1). 

(b)  Ta  and  Tb  establish  a short-term  secret  key  Kab  (2). 

(c) $T_A$ and $T_B$, respectively, distribute $K_{AB}$ to A and B, guaranteeing secrecy and
authenticity (3A, 3B).

(d) A uses $K_{AB}$ for secure direct communications with B (4). Message (3B) may
be eliminated if its contents are relayed by $T_B$ to A via $T_A$ as part of the existing
messages (2), (3A).

In this case, from A's viewpoint the composition of $T_A$, $T_B$ and the trust relationship
$(T_A, T_B)$ may be seen as a single (composite) authority, which A communicates with
through $T_A$, and which plays the role of the (simple) authority in the standard case
of a KDC or KTC (see §13.2.3).
2. trusted public key: Trust in a public key may be acquired, based on existing trust
relationships, through data origin authentication by standard techniques such as digital
signatures or message authentication codes. A may acquire the trusted public key of
party B described above as follows (cf. Figure 13.8).

(a)  A requests  from  $T_A$  the  trusted  public  key  of  user  B (1). 

(b)  Ta  acquires  this  from  Tb , with  guaranteed  authenticity  (2). 

(c)  Ta  transfers  this  public  key  to  A , with  guaranteed  authenticity  (3A). 

(d)  A uses  this  public  key  to  secure  direct  communications  with  B (4). 

13.39  Definition  A cross-certificate  (or  CA-certificate)  is  a certificate  created  by  one  certifica- 
tion authority  (CA),  certifying  the  public  key  of  another  CA. 

13.40 Remark (user-specific vs. domain cross-trust) Method 2 above transfers to A trust
specifically in the public key of B: this may be called a user-specific transfer of trust.
Alternatively, a general transfer of trust between domains is possible as follows, assuming $T_B$ has
created a certificate $C_B$ containing the identity and public key of B. In this case, $T_A$ creates
a cross-certificate containing the identity and public key of $T_B$. A, possessing the trusted
signature verification key of $T_A$, may verify the signature on this latter certificate, thereby
acquiring trust in $T_B$'s signature verification key, and allowing A to verify and thereby trust
B's public key within $C_B$ (or the public key in any other certificate signed by $T_B$). Thus,
user A from domain $D_A$ (with authority $T_A$) acquires trust in public keys certified in $D_B$
by $T_B$.


13.6.2  Trust  models  involving  multiple  certification  authorities 

Many  alternatives  exist  for  organizing  trust  relationships  between  certification  authorities 
(CAs)  in  public-key  systems  involving  multiple  CAs.  These  are  called  trust  models  or  certi- 
fication topologies,  and  are  logically  distinct  from  (although  possibly  coincident  with)  com- 
munications models.  (In  particular,  a communications  link  does  not  imply  a trust  relation- 
ship.) Trust  relationships  between  CAs  determine  how  certificates  issued  by  one  CA  may 
be  utilized  or  verified  by  entities  certified  by  distinct  CAs  (in  other  domains).  Before  dis- 
cussing various  trust  models,  certificate  chains  are  first  introduced. 

(i)  Certificate  chains  and  certification  paths 

Public-key  certificates  provide  a means  for  obtaining  authenticated  public  keys,  provided 
the  verifier  has  a trusted  verification  public  key  of  the  CA  which  signed  the  certificate.  In 
the  case  of  multiple  certification  authorities,  a verifier  may  wish  to  obtain  an  authentic  pub- 
lic key  by  verifying  a certificate  signed  by  a CA  other  than  one  for  which  it  (originally) 
possesses  a trusted  public  key.  In  this  case,  the  verifier  may  still  do  so  provided  a chain  of 
certificates  can  be  constructed  which  corresponds  to  an  unbroken  chain  of  trust  from  the 
CA  public  key  which  the  verifier  does  trust,  to  the  public  key  it  wishes  to  obtain  trust  in. 

Certificate  chains  correspond  to  directed  paths  in  the  graphical  representation  of  a CA 
trust  model  (see  Figure  13.9).  The  goal  is  to  find  a sequence  of  certificates  corresponding 
to  a directed  path  ( certification  path)  starting  at  the  node  corresponding  to  the  CA  whose 
public  key  a verifier  trusts  a priori,  and  ending  at  the  CA  which  has  signed  the  certificate 
of  the  public  key  to  be  verified. 

13.41 Example (illustration of certificate chain) Consider Figure 13.9(e) on page 574. Suppose
an entity A in possession of the public key $P_5$ of $CA_5$ wishes to verify the certificate of an
entity B signed by $CA_3$, and thereby obtain trust in $P_B$. A directed path $(CA_5, CA_4, CA_3)$
exists. Let $CA_5\{CA_4\}$ denote a certificate signed by $CA_5$ binding the name $CA_4$ to the
public key $P_4$. Then the certificate chain $(CA_5\{CA_4\}, CA_4\{CA_3\})$, along with initial
trust in $P_5$, allows A to verify the signature on $CA_5\{CA_4\}$ to extract a trusted copy of $P_4$,
use $P_4$ to verify the signature on $CA_4\{CA_3\}$ to extract a trusted copy of $P_3$, and then use
$P_3$ to verify the authenticity of (the certificate containing) $P_B$. □

Given  an  initial  trusted  public  key  and  a certificate  to  be  verified,  if  a certificate  chain 
is  not  provided  to  the  verifier,  a method  is  required  to  find  (build)  the  appropriate  chain 
from  publicly  available  data,  prior  to  actual  cryptographic  chain  verification.  This  non- 
cryptographic task  resembles  that  of  routing  in  standard  communications  networks. 

13.42 Example (building certificate chains using cross-certificate pairs) One search technique
for finding the certification path given in Example 13.41 involves cross-certificate pairs.
In a public directory, in the directory entry for each CA X, for every CA Y that either
cross-certifies X or that X cross-certifies, store the certificate pair (forward, reverse) =
$(CA_Y\{CA_X\}, CA_X\{CA_Y\})$, called a cross-certificate pair. Here notation is as in
Example 13.41, the pair consists of the forward and reverse certificates of $CA_X$ (see page 575),
and at least one of the two certificates is present. In the absence of more advanced
techniques or routing tables, any existent certification path could be found by depth-first or
breadth-first search of the reverse certificates in cross-certificate pairs starting at the CA
whose public key the verifier possesses initially. □

As  part  of  signature  verification  with  certificate  chains,  verification  of  cross-certificates 
requires  checking  they  themselves  have  not  been  revoked  (see  §13.6.3). 
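Example 13.42's search and Example 13.41's verification order, as an added Python example (not from the Handbook). The directory, CA names and key labels are constructed to contain the path $CA_5 \to CA_4 \to CA_3$ of Figure 13.9(e); signature verification is modelled by comparing key labels (an assumption: a real verifier checks the actual signature under the key extracted from the previous link); and a `path_len` attribute on cross-certificates, included here as an assumption about how such a constraint is recorded, enforces the chain-length limit of §13.6.2(v) together with the revocation check just mentioned.

```python
"""Certification-path building from cross-certificate pairs (Example 13.42),
link-by-link verification in the order of Example 13.41, revocation of
cross-certificates, and a chain-length constraint on a cross-certificate."""
from collections import deque
from typing import Dict, List, NamedTuple, Optional, Tuple


class Cert(NamedTuple):
    issuer: str                     # CA whose signature is on the certificate
    subject: str                    # name bound to the certified key
    key: str                        # certified public key (an opaque label here)
    signed_with: str                # key under which the signature verifies
    path_len: Optional[int] = None  # max further CA certificates allowed after this one


# Constructed public-key labels for the CAs and end entity B of Figure 13.9(e).
KEYS = {"CA5": "P5", "CA4": "P4", "CA3": "P3", "CA1": "P1", "B": "PB"}


def ca_cert(issuer: str, subject: str, path_len: Optional[int] = None) -> Cert:
    """CA_issuer{CA_subject}: issuer's signature over the subject's name and key."""
    return Cert(issuer, subject, KEYS[subject], KEYS[issuer], path_len)


# Directory entry for CA X: one (forward, reverse) pair per neighbour Y, with
# forward = CA_Y{CA_X} and reverse = CA_X{CA_Y}; a missing certificate is None.
# Constructed so that the directed path CA5 -> CA4 -> CA3 of Example 13.41 exists.
DIRECTORY: Dict[str, List[Tuple[Optional[Cert], Optional[Cert]]]] = {
    "CA5": [(None, ca_cert("CA5", "CA4")), (None, ca_cert("CA5", "CA1"))],
    "CA4": [(ca_cert("CA5", "CA4"), None), (None, ca_cert("CA4", "CA3", path_len=0))],
    "CA3": [(ca_cert("CA4", "CA3", path_len=0), None)],
    "CA1": [(ca_cert("CA5", "CA1"), None)],
}
END_CERT = Cert("CA3", "B", KEYS["B"], KEYS["CA3"])  # CA3{B}, the certificate A wants


def build_path(directory, trusted_ca: str, target_ca: str) -> Optional[List[Cert]]:
    """Breadth-first search over reverse certificates starting at the CA whose
    key the verifier holds (the non-cryptographic 'routing' step). Returns the
    certificate chain ending at target_ca, or None if no path exists."""
    via: Dict[str, Optional[Cert]] = {trusted_ca: None}  # node -> certificate reaching it
    queue = deque([trusted_ca])
    while queue:
        x = queue.popleft()
        if x == target_ca:
            chain: List[Cert] = []
            while via[x] is not None:
                chain.append(via[x])
                x = via[x].issuer
            return chain[::-1]
        for _forward, reverse in directory.get(x, []):
            if reverse is not None and reverse.subject not in via:
                via[reverse.subject] = reverse
                queue.append(reverse.subject)
    return None


def verify_chain(trusted_key: str, chain: List[Cert], end_cert: Cert,
                 revoked=frozenset()) -> Optional[str]:
    """Walk the chain from the a-priori trusted key, extracting one trusted key
    per link. Signature verification is modelled as signed_with == current key
    (assumption); revocation and any path_len constraint met on the way are
    enforced. Returns the end entity's key, or None on any failed link."""
    key = trusted_key
    remaining: Optional[int] = None  # CA certificates still allowed by a prior constraint
    for cert in chain:
        if cert in revoked or cert.signed_with != key:
            return None
        if remaining is not None:
            if remaining == 0:
                return None          # constraint forbids a further CA certificate
            remaining -= 1
        if cert.path_len is not None:
            remaining = cert.path_len if remaining is None else min(remaining, cert.path_len)
        key = cert.key
    if end_cert in revoked or end_cert.signed_with != key:
        return None
    return end_cert.key
```

`build_path` follows only reverse certificates, exactly as the example prescribes: from the verifier's CA it walks edges that CA has signed, so every edge traversed is one the verifier can already check. `verify_chain` then repeats the extraction of Example 13.41 ($P_5 \to P_4 \to P_3 \to P_B$), and the `path_len=0` on $CA_4\{CA_3\}$ means trust stops at $CA_3$'s end-entity certificates rather than flowing on to anything $CA_3$ cross-certifies.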

(ii)  Trust  with  separate  domains 

Figure  13.9  illustrates  a number  of  possible  trust  models  for  certification,  which  are  dis- 
cussed below,  beginning  with  the  case  of  separated  domains. 

Simple  public-key  systems  involve  a single  certification  authority  (CA).  Larger  sys- 
tems involve  two  or  more  CAs.  In  this  case,  a trust  relationship  between  CAs  must  be  spec- 
ified in  order  for  users  under  different  CAs  to  interoperate  cryptographically.  By  default, 
two  distinct  CAs  define  separate  security  domains  as  in  Figure  13.9(a),  with  no  trust  re- 
lationship between  domains.  Users  in  one  domain  are  unable  to  verify  the  authenticity  of 
certificates  originating  in  a separate  domain. 

(iii)  Strict  hierarchical  trust  model 

The first solution to the lack of cryptographic interoperability between separate domains is
the idea of a strict hierarchy, illustrated by Figure 13.9(b). Each entity starts with the public
key of the root node, e.g., entity $E_1^{(1)}$ is now given $CA_5$'s public key at registration, rather
than that of $CA_1$ as in figure (a). This model is called the rooted chain model, as all trust
chains begin at the root. It is a centralized trust model.

Several such rooted trees, each being a strict hierarchy, may be combined in a trust
model supporting multiple rooted trees as in Figure 13.9(c). In this case, a cross-certificate
is allowed between the roots of the trees, illustrated by a bi-directional arrow between roots.
The arrow directed from $CA_X$ to $CA_Y$ denotes a certificate for the public key of $CA_Y$
created by $CA_X$. This allows users in the tree under $CA_X$ to obtain trust in certificates under
$CA_Y$ through certificate chains which start at $CA_X$ and cross over to $CA_Y$.

Figure 13.9: Trust models for certification. Panels: (a) Separate domains; (b) Strict hierarchy.

In the strict hierarchical model, all entities are effectively in a single domain (defined
by the root). Despite the fact that, for example, $CA_1$ signs the public-key certificate of $E_1^{(1)}$,
$E_1^{(1)}$ trusts the root ($CA_5$) directly but not $CA_1$. $E_1^{(1)}$ trusts $CA_1$ only indirectly through
the root. Potential drawbacks of this model include:

1.  all  trust  in  the  system  is  dependent  on  the  root  key 

2.  certificate  chains  are  required  even  for  two  entities  under  the  same  CA 

3.  certificate  chains  become  long  in  deep  hierarchies 

4.  a more  natural  model  in  some  organizations  is  for  trust  to  begin  at  a local  node  (the 
parent  CA)  rather  than  a distant  node  (the  root). 

(iv)  Reverse  certificates  and  the  general  digraph  trust  model 

A more  general  hierarchical  model,  a hierarchy  with  reverse  certificates,  is  illustrated  in 
Figure  13.9(d).  This  resembles  the  strict  hierarchy  of  Figure  13.9(b),  but  now  each  CA 
lower  in  the  hierarchy  also  creates  certificates  certifying  the  public  keys  of  its  directly  su- 
perior (parent)  CA.  Two  types  of  certificates  may  then  be  distinguished  in  a hierarchy: 

1. forward certificate. A forward certificate (relative to $CA_X$) is created by the CA
directly above $CA_X$ signing the public key of $CA_X$, and illustrated in the hierarchy by
a downward arrow towards $CA_X$.

2. reverse certificate. A reverse certificate (relative to $CA_X$) is created by $CA_X$ signing
the public key of its immediately superior CA, and illustrated in the hierarchy by an
upward arrow originating from $CA_X$.

In  this  model,  each  entity  starts  not  with  the  public  key  of  the  root,  but  rather  with  the  public 
key  of  the  CA  which  created  its  own  certificate,  i.e.,  its  local  CA  (parent).  All  trust  chains 
now  begin  at  an  entity’s  local  CA.  The  shortest  trust  chain  from  any  entity  A to  any  other 
entity  B is  now  the  path  in  the  tree  which  travels  upwards  from  A to  the  least-common- 
ancestor  of  A and  B , and  downwards  from  that  node  on  to  B. 

A drawback of the hierarchical model with reverse certificates is that long certificate
chains may arise between entities which are under distinct CAs even if these entities
communicate frequently (e.g., consider entities under $CA_1$ and $CA_4$ in Figure 13.9(d)). This
situation can be ameliorated by allowing $CA_1$ to cross-certify $CA_4$ directly, even though this
edge is not in the hierarchy. This is the most general model, the directed graph (digraph)
trust model as illustrated in Figure 13.9(e). The analogy to graph theory is as follows: CAs
are represented by nodes or vertices in a graph, and trust relationships by directed edges.
(The complete graph on n vertices, with a directed edge from each vertex to every other,
corresponds to complete trust, with each CA cross-certifying every other directly.)

The digraph model is a distributed trust model. There is no central node or root, any CA may cross-certify any other, and each user-entity begins with the trusted public key of its local CA. The concept of a hierarchy remains useful as a reference for organizing trust relationships. This model may be used to implement the other trust models discussed above, including strict hierarchies if variation is permitted in the trusted public key(s) end-user entities are provided with initially.

13.43 Remark (assigning end-users to CAs) In hierarchical models, one option is to specify that only CAs at the lowest level certify end-users, while internal CAs serve (only) to cross-certify other CAs. In the general digraph model, where all CAs are considered equal, it is more natural to allow every CA to certify end-users.

(v) Constraints in trust models

Trust obtained through certificate chains requires successful verification of each certificate forming a link in the chain. Once a CA (CA_X) cross-certifies the public key of another CA (CA_Y), in the absence of additional constraints, this trust extended by CA_X is transitively granted to all authorities which may be reached by certificate chains originating from CA_Y. To limit the scope of trust extended by a single cross-certificate, a CA may impose constraints on cross-certificates it signs. Such constraints would be enforced during verification of certificate chains, and might be recorded explicitly through additional certificate fields indicating specific policies, or through attribute certificates (§13.4.2). Examples of simple constraints on cross-certificates include:

1. limiting chain length. A constraint may be imposed on the length of the certificate chain which may follow the cross-certificate in question. For example, a CA may limit the extent of trust granted to CAs which it directly cross-certifies by specifying, in all cross-certificates it signs, that that certificate must be the last CA-certificate in any trust chain.

2. limiting the set of valid domains. A set of CAs (or domain names) may be specified as valid with respect to a given cross-certificate. All CAs in a certificate chain following the cross-certificate in question may be required to belong to this set.

Certification may also be carried out relative to a certification policy specifying the conditions under which certification took place, including e.g., the type of authentication carried out on the certificate subject before certifying a key, and the method used to guarantee unique subject names in certificates.
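As an added illustration (not from the Handbook), the following Python searches a digraph of cross-certificates for the shortest trust chain from a verifier's local CA while enforcing both constraints above during chain verification. The CrossCert fields max_further and domains, and the sample CA graph, are constructed for this example and are not Figure 13.9.

```python
from collections import deque
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class CrossCert:
    """Cross-certificate: `issuer` signs the public key of `subject`.

    Two hypothetical constraint fields model the two constraints in the text:
      max_further - how many further CA-certificates may follow this one in a
                    chain (0 = this must be the last CA-certificate; None = no limit)
      domains     - if set, every CA following this certificate in the chain
                    must be a member of this set of domain names
    """
    issuer: str
    subject: str
    max_further: Optional[int] = None
    domains: Optional[FrozenSet[str]] = None


def chain_respects_constraints(chain: List[CrossCert]) -> bool:
    """Every constraint carried by an earlier certificate is enforced on all
    certificates that follow it in the chain."""
    for i, cert in enumerate(chain):
        followers = chain[i + 1:]
        if cert.max_further is not None and len(followers) > cert.max_further:
            return False
        if cert.domains is not None and any(f.subject not in cert.domains for f in followers):
            return False
    return True


def find_trust_chain(certs, start_ca, target_ca):
    """Shortest constraint-satisfying chain of cross-certificates from the verifier's
    local CA (`start_ca`) to `target_ca`, or None if trust does not reach that far.
    Breadth-first search over paths, so the first path reaching the target is shortest."""
    by_issuer = {}
    for c in certs:
        by_issuer.setdefault(c.issuer, []).append(c)
    queue = deque([(start_ca, [])])
    while queue:
        ca, chain = queue.popleft()
        if ca == target_ca:
            return chain
        on_path = {start_ca} | {c.subject for c in chain}   # never revisit a CA (no cycles)
        for cert in by_issuer.get(ca, []):
            if cert.subject in on_path:
                continue
            extended = chain + [cert]
            # Constraints only get harder to satisfy as a chain grows, so a
            # violating prefix can be pruned immediately.
            if chain_respects_constraints(extended):
                queue.append((cert.subject, extended))
    return None


# Constructed digraph (not Figure 13.9): a chain CA1->CA2->CA3->CA4->CA5, plus a
# direct cross-certificate CA1->CA4 restricted to be the last CA-certificate, and
# a cross-certificate CA2->CA6 whose trust is limited to the domain {CA6, CA7}.
CERTS = [
    CrossCert("CA1", "CA2"), CrossCert("CA2", "CA3"),
    CrossCert("CA3", "CA4"), CrossCert("CA4", "CA5"),
    CrossCert("CA1", "CA4", max_further=0),
    CrossCert("CA2", "CA6", domains=frozenset({"CA6", "CA7"})),
    CrossCert("CA6", "CA7"), CrossCert("CA6", "CA8"),
]


def chain_subjects(start_ca, target_ca):
    """Subjects along the chain found in CERTS, or None when no valid chain exists."""
    chain = find_trust_chain(CERTS, start_ca, target_ca)
    return None if chain is None else [c.subject for c in chain]


if __name__ == "__main__":
    for target in ("CA4", "CA5", "CA7", "CA8"):
        print(f"CA1 -> {target}: {chain_subjects('CA1', target)}")
```

Note that the direct CA1->CA4 edge shortens the chain to CA4 but cannot be used to reach CA5, and CA8 is unreachable because the CA2->CA6 edge confines all following CAs to its domain set.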


13.6.3 Certificate distribution and revocation

A certificate directory (cf. §13.2.4) is a database which implements a pull model - users extract (pull) certificates from the database as necessary. A different model of certificate distribution, the push model, involves certificates being sent out (pushed) to all users upon certificate creation or periodically; this may be suitable for closed systems. Alternatively, individual users may provide their certificates to others when specifically needed, e.g., for signature verification. In certificate-based systems with certificate revocation lists (CRLs - see below), a method for distribution of CRLs as well as certificates is required.

A certificate directory is usually viewed as an unsecured third party. While access control to the directory in the form of write and delete protection is necessary to allow maintenance and update without denial of service, certificates themselves are individually secured by the signatures thereon, and need not be transferred over secured channels. An exception is on-line certificates, which are created by a certification authority in real-time on request and have no on-going lifetime, or are distributed by a trusted party which guarantees they have not been revoked.

Certificate or CRL caching may be used, whereby frequently referenced items are saved in short-term local storage to avoid the cost of repeated retrievals. Cached CRLs must be refreshed sufficiently often to ensure recent revocations are known.

Certificate revocation and CRLs

Upon compromise of a secret key, damage may be minimized by preventing subsequent use of or trust in the associated keying material. (Note the implications differ between signature and encryption keys.) Here compromise includes any situation whereby an adversary gains knowledge of secret data. If public keys must be obtained in real-time from a trusted on-line server, the keys in question may be immediately removed or replaced. The situation involving certificates is more difficult, as all distributed copies must be effectively retracted. While (suspected or actual) key compromise may be rare, there may be other reasons a CA will prematurely dissolve its binding of a public key to a user name (i.e., revoke the certificate). Reasons for early termination of keying material include the associated entity leaving or changing its role within an organization, or ceasing to require authorization as a user. Techniques for addressing the problem of revoked keys include:

1. expiration dates within certificates. Expiration dates limit exposure following compromise. The extreme case of short validity periods resembles on-line certificates which expire essentially immediately. Short-term certificates without CRLs may be compared to long-term certificates with frequently updated CRLs.

2. manual notification. All system users are informed of the revoked key by out-of-band means or special channels. This may be feasible in small or closed systems.

3. public file of revoked keys. A public file is maintained identifying revoked keys, to be checked by all users before key use. (The authenticity of data extracted from the file may be provided by similar techniques as for public keys - see §13.4.)

4. certificate revocation lists (CRLs). A CRL is one method of managing a public file of revoked keys (see below).

5. revocation certificates. An alternative to CRLs, these may be viewed as public-key certificates containing a revocation flag and a time of revocation, serving to cancel the corresponding certificate. The original certificate may be removed from the certificate directory and replaced by the revocation certificate.

A CRL is a signed list of entries corresponding to revoked public keys, with each entry indicating the serial number of the associated certificate, the time the revocation was first made, and possibly other information such as the revocation reason. The list signature, guaranteeing its authenticity, is generated by the CA which originally issued the certificates; the CRL typically includes this name also. Inclusion of a date on the overall CRL provides an indication of its freshness. If CRLs are distributed using a pull model (e.g., via a public database), they should be issued at regular intervals (or intervals as advertised within the CRL itself) even if there are no changes, to prevent new CRLs being maliciously replaced by old CRLs.

Revoked cross-certificates may be specified on separate authority revocation lists (ARLs), analogous to CRLs (which are then restricted to revoked end-user certificates).

13.44 Note (CRL segmenting) For reasons of operational efficiency when large CRLs may arise, an option is to distribute CRLs in pieces. One technique is to use delta-CRLs: upon each CRL update, only new entries which have been revoked since the last issued CRL are included. This requires that end-users maintain (and update) secured, local images of the current CRL. A second technique is to partition a CRL into segments based on revocation reason. A third is to segment a CRL by pre-assigning each certificate (upon creation) to a specified sub-list, with a limit n_max on the number of certificates pre-assigned to any segment and new segments created as required. In all cases, for each certificate, available information must indicate which CRL segment must be consulted.
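An added example (not from the Handbook) of the signed CRL structure described above together with the delta-CRL technique of Note 13.44: a relying party checks the list signature, issuer name and freshness window, rejects a CRL older than the one it has already cached (the replacement of a new CRL by an old one that the text warns about), and merges a verified delta-CRL into its local image. The HMAC stand-in for the CA's signature, the field names, and the sample serials and times are all constructed for this example.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple


class CrlError(Exception):
    """Raised when a CRL must not be relied upon."""


def _sign(ca_key: bytes, tbs: dict) -> str:
    # Stand-in for the issuing CA's signature (assumption for this example): a MAC over
    # the canonical JSON encoding. A real CRL carries the CA's public-key signature.
    msg = json.dumps(tbs, sort_keys=True).encode()
    return hmac.new(ca_key, msg, hashlib.sha256).hexdigest()


def issue_crl(ca_key, issuer, crl_number, this_update, next_update,
              entries: Dict[str, Tuple[int, str]], delta_base: Optional[int] = None) -> dict:
    """Build a signed CRL. `entries` maps certificate serial -> (revocation time, reason).
    For a delta-CRL, `delta_base` names the CRL number it extends."""
    tbs = {
        "issuer": issuer,                 # CA that issued the revoked certificates
        "crl_number": crl_number,         # monotonically increasing per issuer
        "this_update": this_update,       # time of issue (freshness indication)
        "next_update": next_update,       # advertised time of the next issue
        "delta_base": delta_base,
        "entries": {s: {"revoked_at": t, "reason": r} for s, (t, r) in entries.items()},
    }
    return {"tbs": tbs, "sig": _sign(ca_key, tbs)}


def check_crl(ca_key, crl, now, expected_issuer, last_seen_number=None) -> dict:
    """Validate before use: signature, issuer, freshness window, and that the list is not
    older than the cached one (a replayed old CRL would hide newer revocations)."""
    tbs = crl["tbs"]
    if not hmac.compare_digest(_sign(ca_key, tbs), crl["sig"]):
        raise CrlError("signature invalid")
    if tbs["issuer"] != expected_issuer:
        raise CrlError("issued by a different CA")
    if now < tbs["this_update"] or now > tbs["next_update"]:
        raise CrlError("CRL outside its validity window; a fresh one must be fetched")
    if last_seen_number is not None and tbs["crl_number"] < last_seen_number:
        raise CrlError("older than the cached CRL (possible replay of a stale CRL)")
    return tbs


def apply_delta(base_tbs: dict, delta_tbs: dict) -> dict:
    """Merge a verified delta-CRL into the verified local image of the base CRL."""
    if delta_tbs["delta_base"] != base_tbs["crl_number"]:
        raise CrlError("delta-CRL does not extend the cached base CRL")
    merged = dict(base_tbs)
    merged["entries"] = {**base_tbs["entries"], **delta_tbs["entries"]}
    for key in ("crl_number", "this_update", "next_update"):
        merged[key] = delta_tbs[key]
    merged["delta_base"] = None
    return merged


def is_revoked(tbs: dict, serial: str) -> bool:
    return serial in tbs["entries"]


def validation_error(ca_key, crl, now, expected_issuer, last_seen_number=None):
    """Return the rejection reason for a CRL, or None when it is usable."""
    try:
        check_crl(ca_key, crl, now, expected_issuer, last_seen_number)
    except CrlError as e:
        return str(e)
    return None


# Constructed sample data (not from any real CA); times are Unix seconds.
CA_KEY = b"constructed-ca-signing-key"
T0 = 1_700_000_000
DAY = 86_400
BASE_CRL = issue_crl(CA_KEY, "CA1", 41, T0, T0 + DAY,
                     {"1001": (T0 - 3_600, "keyCompromise")})
DELTA_CRL = issue_crl(CA_KEY, "CA1", 42, T0 + DAY // 2, T0 + DAY // 2 + DAY,
                      {"1002": (T0 + DAY // 2 - 600, "affiliationChanged")}, delta_base=41)


def current_revocations(now=T0 + 50_000) -> dict:
    """A relying party refreshes its local CRL image: full CRL first, then the delta."""
    base = check_crl(CA_KEY, BASE_CRL, now, "CA1")
    delta = check_crl(CA_KEY, DELTA_CRL, now, "CA1", last_seen_number=base["crl_number"])
    return apply_delta(base, delta)


if __name__ == "__main__":
    image = current_revocations()
    for serial in ("1001", "1002", "1003"):
        print(serial, "revoked" if is_revoked(image, serial) else "not revoked")
```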


13.7 Key life cycle issues

Key management is simplest when all cryptographic keys are fixed for all time. Cryptoperiods necessitate the update of keys. This imposes additional requirements, e.g., on certification authorities which maintain and update user keys. The set of stages through which a key progresses during its existence, referred to as the life cycle of keys, is discussed in this section.

13.7.1 Lifetime protection requirements

Controls are necessary to protect keys both during usage (cf. §13.5.2) and storage. Regarding long-term storage of keys, the duration of protection required depends on the cryptographic function (e.g., encryption, signature, data origin authentication/integrity) and the time-sensitivity of the data in question.

Security impact of dependencies in key updates

Keying material should be updated prior to cryptoperiod expiry (see Definition 13.10). Update involves use of existing keying material to establish new keying material, through appropriate key establishment protocols (Chapter 12) and key layering (§13.3.1).

To limit exposure in case of compromise of either long-term secret keys or past session keys, dependencies among keying material should be avoided. For example, securing a new session key by encrypting it under the old session key is not recommended (since compromise of the old key compromises the new). See §12.2.3 regarding perfect forward secrecy and known-key attacks.

Lifetime storage requirements for various types of keys

Stored secret keys must be secured so as to provide both confidentiality and authenticity. Stored public keys must be secured such that their authenticity is verifiable. Confidentiality and authenticity guarantees, respectively countering the threats of disclosure and modification, may be provided by cryptographic techniques, procedural (trust-based) techniques, or physical protection (tamper-resistant hardware).

Signature verification public keys may require archival to allow signature verification at future points in time, including possibly after the private key ceases to be used. Some applications may require that signature private keys neither be backed up nor archived: such keys, if revealed to any party other than the owner, potentially invalidate the property of non-repudiation. Note here that loss (without compromise) of a signature private key may be addressed by creation of a new key, and is non-critical as such a private key is not needed for access to past transactions; similarly, public encryption keys need not be archived. On the other hand, decryption private keys may require archival, since past information encrypted thereunder might otherwise be lost.

Keys used for entity authentication need not be backed up or archived. All secret keys used for encryption or data origin authentication should remain secret for as long as the data secured thereunder requires continued protection (the protection lifetime), and backup or archival is required to prevent loss of this data or verifiability should the key be lost.


13.7.2 Key management life cycle

Except in simple systems where secret keys remain fixed for all time, cryptoperiods associated with keys require that keys be updated periodically. Key update necessitates additional procedures and protocols, often including communications with third parties in public-key systems. The sequence of states which keying material progresses through over its lifetime is called the key management life cycle. Life cycle stages, as illustrated in Figure 13.10, may include:

1. user registration - an entity becomes an authorized member of a security domain. This involves acquisition, or creation and exchange, of initial keying material such as shared passwords or PINs by a secure, one-time technique (e.g., personal exchange, registered mail, trusted courier).

Figure 13.10: Key management life cycle.


2. user initialization - an entity initializes its cryptographic application (e.g., installs and initializes software or hardware), involving use or installation (see below) of initial keying material obtained during user registration.

3. key generation - generation of cryptographic keys should include measures to ensure appropriate properties for the intended application or algorithm and randomness in the sense of being predictable (to adversaries) with negligible probability (see Chapter 5). An entity may generate its own keys, or acquire keys from a trusted system component.

4. key installation - keying material is installed for operational use within an entity's software or hardware, by a variety of techniques including one or more of the following: manual entry of a password or PIN, transfer of a disk, read-only-memory device, chipcard or other hardware token or device (e.g., key-loader). The initial keying material may serve to establish a secure on-line session through which working keys are established. During subsequent updates, new keying material is installed to replace that in use, ideally through a secure on-line update technique.

5. key registration - in association with key installation, keying material may be officially recorded (by a registration authority) as associated with a unique name which distinguishes an entity. For public keys, public-key certificates may be created by a certification authority (which serves as guarantor of this association), and made available to others through a public directory or other means (see §13.4).

6. normal use - the objective of the life cycle is to facilitate operational availability of keying material for standard cryptographic purposes (cf. §13.5 regarding control of keys during usage). Under normal circumstances, this state continues until cryptoperiod expiry; it may also be subdivided - e.g., for encryption public-key pairs, a point may exist at which the public key is no longer deemed valid for encryption, but the private key remains in (normal) use for decryption.

7. key backup - backup of keying material in independent, secure storage media provides a data source for key recovery (point 11 below). Backup refers to short-term storage during operational use.

8. key update - prior to cryptoperiod expiry, operational keying material is replaced by new material. This may involve some combination of key generation, key derivation (§13.5.2), execution of two-party key establishment protocols (Chapter 12), or communications with a trusted third party. For public keys, update and registration of new keys typically involves secure communications protocols with certification authorities.

9. archival - keying material no longer in normal use may be archived to provide a source for key retrieval under special circumstances (e.g., settling disputes involving repudiation). Archival refers to off-line long-term storage of post-operational keys.

10. key de-registration and destruction - once there are no further requirements for the value of a key or maintaining its association with an entity, the key is de-registered (removed from all official records of existing keys), and all copies of the key are destroyed. In the case of secret keys, all traces are securely erased.

11. key recovery - if keying material is lost in a manner free of compromise (e.g., due to equipment failure or forgotten passwords), it may be possible to restore the material from a secure backup copy.

12. key revocation - it may be necessary to remove keys from operational use prior to their originally scheduled expiry, for reasons including key compromise. For public keys distributed by certificates, this involves revoking certificates (see §13.6.3).

Of the above stages, all are regularly scheduled, except key recovery and key revocation which arise under special situations.

13.45 Remark (public-key vs. symmetric-key life cycle) The life cycle depicted in Figure 13.10 applies mainly to public-key pairs, and involves keying material of only a single party. The life cycle of symmetric keys (including key-encrypting and session keys) is generally less complex; for example, session keys are typically not registered, backed up, revoked, or archived.

Key states within life cycle

The typical events involving keying material over the lifetime of the key define stages of the life cycle. These may be grouped to define a smaller set of states for cryptographic keys, related to their availability for use. One classification of key states is as follows (cf. Figure 13.10):

1. pre-operational. The key is not yet available for normal cryptographic operations.

2. operational. The key is available, and in normal use.

3. post-operational. The key is no longer in normal use, but off-line access to it is possible for special purposes.

4. obsolete. The key is no longer available. All records of the key value are deleted.

System initialization and key installation

Key management systems require an initial keying relationship to provide an initial secure channel and optionally support the establishment of subsequent working keys (long-term and short-term) by automated techniques. The initialization process typically involves non-cryptographic one-time procedures such as transfer of keying material in person, by trusted courier, or over other trusted channels.

The security of a properly architected system is reduced to the security of keying material, and ultimately to the security of initial key installation. For this reason, initial key installation may involve dual or split control, requiring co-operation of two or more independent trustworthy parties (cf. Note §13.8).


13.8 Advanced trusted third party services

This section provides further details on trusted third party services of a more advanced nature, introduced briefly in §13.2.4.


13.8.1 Trusted timestamping service

A trusted timestamping service provides a user with a dated receipt (upon presentation of a document), which thereafter can be verified by others to confirm the presentation or existence of the document at the (earlier) date of receipt. Specific applications include establishing the time of existence of documents such as signed contracts or lab notes related to patent claims, or to support non-repudiation of digital signatures (§13.8.2).

The basic idea is as follows. A trusted third party T (the timestamp agent) appends a timestamp t_1 to a submitted digital document or data file D, signs the composite document (thereby vouching for the time of its existence), and returns the signed document including t_1 to the submitter. Subsequent verification of T's signature then establishes, based on trust in T, the existence of the document at the time t_1.

If the data submitted for timestamping is the hash of a document, then the document content itself need not be disclosed at the time of timestamping. This also provides privacy protection from eavesdroppers in the case of submissions over an unsecured channel, and reduces bandwidth and storage costs for large documents.

13.46 Remark (non-cryptographic timestamp service) A similar service may be provided by non-cryptographic techniques as follows. T stores D along with a timestamp t_1, and is trusted to maintain the integrity of this record by procedural techniques. Later some party A submits the document again (now D'), and T compares D' to D on file. If these match, T declares that D' existed at the time t_1 of the retrieved timestamp.

The timestamp agent T is trusted not to disclose its signing key, and also to competently create proper signatures. An additional desirable feature is prevention of collusion: T should be unable to successfully collude (with any party) to undetectably back-date a document. This may be ensured using Mechanism 13.47, which combines digital signatures with tree authentication based on hashing.

13.47 Mechanism Trusted timestamping service based on tree authentication

SUMMARY: party A interacts with a trusted timestamping agent T.

RESULT: A obtains a timestamp on a digital document D.

1. A submits the hash value h(D) to T. (h is a collision-resistant hash function.)

2. T notes the date and time t_1 of receipt, digitally signs the concatenation of h(D) and t_1, and returns t_1 and the signature to A. (The signature is called the certified timestamp.) A may verify the signature to confirm T's competence.

3. At the end of each fixed period (e.g., one day), or more frequently if there is a large number n of certified timestamps, T:

(i) computes from these an authentication tree T* with root label R (see §13.4.1);

(ii) returns to A the authentication path values to its certified timestamp; and

(iii) makes the root value R widely available through a means allowing both verifiable authenticity and establishment of the time of creation t_c of T* (e.g., publishing in a trusted dated medium such as a newspaper).

4. To allow any other party B to verify (with T's verification public key) that D was submitted at time t_1, A produces the certified timestamp. If trust in T itself is challenged (with respect to backdating t_1), A provides the authentication path values from its certified timestamp to the root R, which B may verify (see §13.4.1) against an independently obtained authentic root value R for the period t_c.

To guarantee verifiability, A should itself verify the authentication path upon receiving the path values in step 3.
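Mechanism 13.47 carried through in Python as an added example (not the Handbook's code): T certifies h(D)||t_1 for each submission, closes the period by building the authentication tree T* and handing out authentication paths, and B checks both the certified timestamp and the path against the published root R. The demo also shows why collusion fails: a signature bearing an earlier t_1 that was not in T* for the period cannot be linked to R. The HMAC stand-in for T's signature, the tree-padding rule for odd levels, and the sample documents and times are assumptions of this example.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    """The collision-resistant hash function h of the mechanism (SHA-256 here)."""
    return hashlib.sha256(data).digest()


def sign(key: bytes, msg: bytes) -> bytes:
    # Stand-in for T's digital signature (assumption): an HMAC. In the real mechanism B
    # verifies with T's public key; here verification means recomputing the MAC.
    return hmac.new(key, msg, hashlib.sha256).digest()


def leaf_bytes(hD: bytes, t1: int) -> bytes:
    return hD + t1.to_bytes(8, "big")            # the concatenation h(D) || t_1


def build_tree(leaves):
    """Authentication tree T* as a list of levels, from the leaf hashes up to [R]."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2 == 1:
            cur.append(cur[-1])                  # odd level: duplicate the last node (assumption)
        levels.append([h(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def auth_path(levels, index):
    """Sibling values from leaf `index` up to the root, each tagged with its side."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], index % 2 == 0))   # (sibling, sibling_is_right)
        index //= 2
    return path


def verify_path(leaf_hash, path, root):
    node = leaf_hash
    for sibling, sibling_is_right in path:
        node = h(node + sibling) if sibling_is_right else h(sibling + node)
    return node == root


class TimestampAgent:
    """T: issues certified timestamps (step 2) and closes each period (step 3)."""

    def __init__(self, signing_key: bytes):
        self.key = signing_key
        self.pending = []                        # leaves certified in the current period

    def certify(self, hD: bytes, t1: int):
        leaf = leaf_bytes(hD, t1)
        self.pending.append(leaf)
        return t1, sign(self.key, leaf), len(self.pending) - 1   # (t_1, certified timestamp, leaf index)

    def close_period(self, tc: int):
        levels = build_tree([h(x) for x in self.pending])
        root = levels[-1][0]
        paths = {i: auth_path(levels, i) for i in range(len(self.pending))}
        self.pending = []
        return tc, root, paths                   # R is published for time t_c; paths go back to submitters


def verify_timestamp(T_key, hD, t1, certified_ts, path, published_root):
    """B's check (step 4): T's signature over h(D)||t_1, then the path to the published R."""
    leaf = leaf_bytes(hD, t1)
    sig_ok = hmac.compare_digest(sign(T_key, leaf), certified_ts)
    tree_ok = verify_path(h(leaf), path, published_root)
    return sig_ok, tree_ok


# Constructed scenario: three submissions in one period, then B's verification of A's
# timestamp, and an attempted back-dating after the period's root R has been published.
T_KEY = b"constructed-timestamp-agent-key"


def demo():
    agent = TimestampAgent(T_KEY)
    docs = [b"contract v1", b"lab notebook p.7", b"design memo"]
    receipts = [agent.certify(h(d), 1_700_000_000 + 60 * i) for i, d in enumerate(docs)]
    tc, R, paths = agent.close_period(tc=1_700_086_400)
    t1, cts, idx = receipts[1]                   # A's receipt for docs[1]
    legit = verify_timestamp(T_KEY, h(docs[1]), t1, cts, paths[idx], R)
    # Collusion attempt: a signature claiming an earlier t_1 for a document absent from T*
    # verifies as a signature, but no authentication path links it to the published R.
    early_t1 = 1_700_000_000 - 3_600
    late_doc = h(b"document created after R was published")
    forged_cts = sign(T_KEY, leaf_bytes(late_doc, early_t1))
    backdated = verify_timestamp(T_KEY, late_doc, early_t1, forged_cts, paths[0], R)
    return {"period_time": tc, "legit": legit, "backdated": backdated}


if __name__ == "__main__":
    print(demo())
```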


13.8.2 Non-repudiation and notarization of digital signatures

The timestamping service of §13.8.1 is a document certification or document notarization service. A notary service is a more general service capable not only of ascertaining the existence of a document at a certain time, but of vouching for the truth of more general statements at specified points in time. The terminology originates from the dictionary definition of a notary public - a public official (usually a solicitor) legally authorized to administer oaths, and attest and certify certain documents. No specific legal connotation is intended in the cryptographic use of this term.

The non-repudiation aspect of digital signatures is a primary advantage of public-key cryptography. By this property, a signer is prevented from signing a document and subsequently being able to successfully deny having done so. A non-repudiation service requires specification of precise details including an adjudication process and adjudicator (judge), what evidence would be submitted to the adjudicator, and what precise process the adjudicator is to follow to render judgement on disputes. The role of an adjudicator is distinct from that of a timestamp agent or notary which generates evidence.

13.48 Remark (origin authentication vs. non-repudiable signature) A fundamental distinction exists between a party A being able to convince itself of the validity of a digital signature s at a point in time t_0, and that party being able to convince others at some time t_1 > t_0 that s was valid at time t_0. The former resembles data origin authentication as typically provided by symmetric-key origin authentication mechanisms, and may be accepted by a verifier as a form of authorization in an environment of mutual trust. This differs from digital signatures which are non-repudiable in the future.
Data origin authentication as provided by a digital signature is valid only while the secrecy of the signer's private key is maintained. A threat which must be addressed is a signer who intentionally discloses his private key, and thereafter claims that a previously valid signature was forged. (A similar problem exists with credit cards and other methods of authorization.) This threat may be addressed by:

1. preventing direct access to private keys. Preventing users from obtaining direct access to their own private keys precludes intentional disclosure. As an example, the private keys may be stored in tamper-resistant hardware, and by system design never available outside thereof.

2. use of a trusted timestamp agent. The party obtaining a signature on a critical document submits the signature to a timestamp agent, which affixes a timestamp to the signature and then signs the concatenation of these. This establishes a time t_1 at which the critical signature may be ascertained to have existed. If the private signature key corresponding to this signature is subsequently compromised, and the compromise occurred after t_1, then the critical signature may still be considered valid relative to t_1. For reasons as given in Remark 13.49, use of a notary agent (below) may be preferable.

3. use of a trusted notary agent. The party obtaining a signature on a critical document (or hash thereof) submits the signature (and document or hash thereof) to an agent for signature notarization. The agent verifies the signature and notarizes the result by appending a statement (confirming successful signature verification) to the signature, as well as a timestamp, and signing the concatenation of the three. A reasonable period of time (clearance period) may be allowed for declarations of lost private keys, after which the notary's record of verification must be accepted (by all parties who trust the notary and verify its signature) as the truth regarding the validity of the critical signature at that point in time,⁵ even should the private key corresponding to the critical signature subsequently be compromised.

For signed messages having short lifetimes (i.e., whose significance does not extend far into the future), non-repudiation is less important, and notarization may be unnecessary. For other messages, the requirement for a party to be able to re-verify signatures at a later point in time (including during or after signature keys have been updated or revoked), as well as the adjudication process related to non-repudiation of signatures, places additional demands on practical key management systems. These may include the storage or archival of keying material (e.g., keys, certificates, CRLs) possibly required as evidence at a future point in time.

A related support service is that of maintaining a record (audit trail) of security-related events including registration, certificate generation, key update, and revocation. Audit trails may provide sufficient information to allow resolution of disputed signatures by non-automated procedures.

13.49 Remark (reconstructing past trust) Both signature re-verification (relative to a past point in time) and resolution of disputes may require reconstruction of chains of trust from a past point in time. This requires access to keying material and related information for (re)constructing past chains of trust. Direct reconstruction of such past chains is unnecessary if a notarizing agent was used. The original verification of the notary establishes existence of a trust chain at that point in time, and subsequently its record thereof serves as proof of prior validity. It may be of interest (for audit purposes) to record the details of the original trust chain.

⁵More generally, the truth of the appended statement must be accepted, relative to the timestamp.
13.8.3 Key escrow

The objective of a key escrow encryption system is to provide encryption of user traffic (e.g., voice or data) such that the session keys used for traffic encryption are available to properly authorized third parties under special circumstances ("emergency access"). This grants third parties which have monitored user traffic the capability to decrypt such traffic. Wide-scale public interest in such systems arose when law enforcement agencies promoted their use to facilitate legal wiretapping of telephone calls to combat criminal activities. However, other uses in industry include recovery of encrypted data following loss of keying material by a legitimate party, or destruction of keying material due to equipment failure or malicious activities. One example of a key escrow system is given below, followed by more general issues.

(i)  The  Clipper  key  escrow  system 

The  Clipper  key  escrow  system  involves  use  of  the  Clipper  chip  (or  a similar  tamper-resist- 
ant  hardware  device  - generically  referred  to  below  as  an  escrow  chip)  in  conjunction  with 
certain  administrative  procedures  and  controls.  The  basic  idea  is  to  deposit  two  key  com- 
ponents, which  jointly  determine  an  encryption  key,  with  two  trusted  third  parties  (escrow 
agents),  which  subsequently  allow  (upon  proper  authorization)  recovery  of  encrypted  user 
data. 

More  specifically,  encryption  of  telecommunications  between  two  users  proceeds  as 
follows.  Each  party  has  a telephone  combined  with  a key  escrow  chip.  The  users  negotiate 
or  otherwise  establish  a session  key  $K_S$  which  is  input  to  the  escrow  chip  of  the  party 
encrypting  data  (near  end).  As  a function  of  $K_S$  and  an  initialization  vector  (IV),  the  chip 
creates  by  an  undisclosed  method  a data  block  called  a law  enforcement  access  field  (LEAF). 
The  LEAF  and  IV  are  transmitted  to  the  far  end  during  call  set-up  of  a communications 
session.  The  near  end  escrow  chip  then  encrypts  the  user  data  $D$  under  $K_S$  producing  $E_{K_S}(D)$, 
by  a U.S.  government  classified  symmetric  algorithm  named  SKIPJACK.  The  far  end 
escrow  chip  decrypts  the  traffic  only  if  the  transmitted  LEAF  validates  properly.  Such 
verification  requires  that  this  far  end  chip  has  access  to  a common  family  key  $K_F$  (see  below) 
with  the  near  end  chip. 

The  LEAF  (see  Figure  13.11)  contains  a copy  of  the  session  key  encrypted  under  a 
device-specific  key  $K_U$.  $K_U$  is  generated  and  data-filled  into  the  chip  at  the  time  of  chip 
manufacture,  but  prior  to  the  chip  being  embedded  in  a security  product.  The  system  meets 
its  objective  by  providing  third  party  access  under  proper  authorization  (as  defined  by  the 
Key  Escrow  System)  to  the  device  key  $K_U$  of  targeted  individuals. 

To  derive  the  key  $K_U$  embedded  in  an  escrow  chip  with  identifier  UID,  two  key 
components  $(K_{C1}, K_{C2})$  are  created  whose  XOR  is  $K_U$.  Each  component  is  encrypted  under  a 
key  $K_{CK} = K_{K1} \oplus K_{K2}$,  where  $K_{Ki}$  is  input  to  the  chip  programming  facility  by  the  first 
and  second  trusted  key  escrow  agent,  respectively.  (Used  to  program  a number  of  chips, 
$K_{Ki}$  is  stored  by  the  escrow  agent  for  subsequent  recovery  of  $K_{CK}$.)  One  encrypted  key 
component  is  then  given  to  each  escrow  agent,  which  stores  it  along  with  UID  to  service 
later  requests.  Stored  data  from  both  agents  must  subsequently  be  obtained  by  an 
authorized  official  to  allow  recovery  of  $K_U$  (by  recovering  first  $K_{CK}$,  and  then  $K_{C1}$,  $K_{C2}$,  and 
$K_U = K_{C1} \oplus K_{C2}$). 

Disclosed  details  of  the  LEAF  are  given  in  Figure  13.11.  Each  escrow  chip  contains  a 
32-bit  device  unique  identifier  (UID),  an  80-bit  device  unique  key  ($K_U$),  and  an  80-bit 
family  key  ($K_F$)  common  to  a larger  collection  of  devices.  The  LEAF  contains  a copy  of  the 
80-bit  session  key  $K_S$  encrypted  under  $K_U$,  the  UID,  and  a 16-bit  encryption  authenticator 
(EA)  created  by  an  undisclosed  method;  these  are  then  encrypted  under  $K_F$.  Recovery 
of  $K_S$  from  the  LEAF  thus  requires  both  $K_F$  and  $K_U$.  The  encryption  authenticator  is  a 
checksum  designed  to  allow  detection  of  LEAF  tampering  (e.g.,  by  an  adversary  attempting 
to  prevent  authorized  recovery  of  $K_S$  and  thereby  $D$). 
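The following is an added example (not part of the Handbook, and not FIPS 185 or Clipper code): a Python model of the disclosed structure just described, i.e. the split of $K_U$ into two escrowed components, the LEAF layout $E_{K_F}(E_{K_U}(K_S)\,\|\,\mathrm{UID}\,\|\,\mathrm{EA})$, far-end validation using only $K_F$, and recovery by an official holding both agents' records. Because SKIPJACK and the LEAF/EA method are classified, the cipher used here (an HMAC-SHA-256 keystream) and the 16-bit EA (a truncated HMAC) are assumptions of this model, as are the labels `b"\x01"`, `b"\x02"` and `b"LEAF"` used to separate keystreams; all keys are constructed inline. The last function, `forge_leaf`, reproduces within this model the kind of protocol attack that §13.9 attributes to Blaze [152]: with a 16-bit authenticator, on the order of $2^{16}$ random LEAF candidates suffice to find one the far end accepts, although no escrow agent can recover $K_S$ from it.

```python
"""Toy model of the disclosed Clipper/LEAF escrow structure (added example, not FIPS 185 code).

Assumptions (not from the text): SKIPJACK and the LEAF/EA construction are classified, so this
model substitutes an HMAC-SHA-256 keystream for SKIPJACK and a 16-bit truncated HMAC for the
encryption authenticator EA.  Sizes follow the text: 32-bit UID, 80-bit K_U / K_F / K_S,
16-bit EA, giving a 128-bit LEAF.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

UID_BYTES, KEY_BYTES, EA_BYTES = 4, 10, 2


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_cipher(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for SKIPJACK: XOR data with an HMAC-derived keystream (encrypt == decrypt).
    It is a stream construction, so one (key, iv) pair must never encrypt two messages."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, iv + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return xor(data, bytes(stream[:len(data)]))


def program_chip(uid: bytes, k_k1: bytes, k_k2: bytes,
                 k_u: Optional[bytes] = None, k_c1: Optional[bytes] = None):
    """Chip programming facility: K_U = K_C1 xor K_C2; each component is encrypted under
    K_CK = K_K1 xor K_K2 (K_K1, K_K2 supplied by escrow agents 1 and 2) and handed to one
    agent.  Returns K_U (burned into the chip) and the two (UID, encrypted component) records."""
    k_u = k_u or os.urandom(KEY_BYTES)
    k_c1 = k_c1 or os.urandom(KEY_BYTES)
    k_c2 = xor(k_u, k_c1)
    k_ck = xor(k_k1, k_k2)
    # Distinct IV labels per component (assumption): encrypting both under the same keystream
    # would leak C1 xor C2 = K_C1 xor K_C2 = K_U to anyone holding both escrow records.
    rec1 = (uid, toy_cipher(k_ck, uid + b"\x01", k_c1))
    rec2 = (uid, toy_cipher(k_ck, uid + b"\x02", k_c2))
    return k_u, rec1, rec2


def _ea(k_f: bytes, iv: bytes, enc_ks: bytes, uid: bytes) -> bytes:
    """Assumed EA: HMAC under the family key, truncated to 16 bits."""
    return hmac.new(k_f, iv + enc_ks + uid, hashlib.sha256).digest()[:EA_BYTES]


def make_leaf(k_u: bytes, k_f: bytes, uid: bytes, k_s: bytes, iv: bytes) -> bytes:
    """Near-end chip: LEAF = E_{K_F}( E_{K_U}(K_S) || UID || EA )."""
    enc_ks = toy_cipher(k_u, iv, k_s)
    body = enc_ks + uid + _ea(k_f, iv, enc_ks, uid)
    return toy_cipher(k_f, iv + b"LEAF", body)


def far_end_validate(k_f: bytes, leaf: bytes, iv: bytes) -> bool:
    """Far-end chip: holds only K_F; accepts the call iff the EA checks out."""
    body = toy_cipher(k_f, iv + b"LEAF", leaf)
    enc_ks, uid, ea = body[:KEY_BYTES], body[KEY_BYTES:KEY_BYTES + UID_BYTES], body[-EA_BYTES:]
    return hmac.compare_digest(ea, _ea(k_f, iv, enc_ks, uid))


def recover_session_key(leaf, iv, k_f, k_k1, k_k2, rec1, rec2) -> bytes:
    """Authorized official with both agents' records: K_CK -> K_C1, K_C2 -> K_U -> K_S."""
    (uid1, c1), (uid2, c2) = rec1, rec2
    if uid1 != uid2:
        raise ValueError("escrow records belong to different devices")
    k_ck = xor(k_k1, k_k2)
    k_u = xor(toy_cipher(k_ck, uid1 + b"\x01", c1), toy_cipher(k_ck, uid1 + b"\x02", c2))
    enc_ks = toy_cipher(k_f, iv + b"LEAF", leaf)[:KEY_BYTES]
    return toy_cipher(k_u, iv, enc_ks)


def forge_leaf(k_f: bytes, iv: bytes, max_tries: int = 1 << 20):
    """Blaze-style protocol attack in this model: with a 16-bit EA, about one random
    128-bit LEAF in 2^16 passes far-end validation while carrying no recoverable K_S.
    Returns (accepted candidate, number of trials) or (None, max_tries)."""
    for i in range(max_tries):
        candidate = hashlib.sha256(b"trial" + struct.pack(">I", i)).digest()[:16]
        if far_end_validate(k_f, candidate, iv):
            return candidate, i + 1
    return None, max_tries


if __name__ == "__main__":
    uid, k_f = b"\x00\x00\x00\x2a", b"F" * KEY_BYTES          # constructed values
    k_k1, k_k2 = os.urandom(KEY_BYTES), os.urandom(KEY_BYTES)  # agents' programming keys
    k_u, rec1, rec2 = program_chip(uid, k_k1, k_k2)
    k_s, iv = os.urandom(KEY_BYTES), os.urandom(8)
    leaf = make_leaf(k_u, k_f, uid, k_s, iv)
    assert far_end_validate(k_f, leaf, iv)
    assert recover_session_key(leaf, iv, k_f, k_k1, k_k2, rec1, rec2) == k_s
    bogus, tries = forge_leaf(k_f, iv)
    print(f"forged LEAF accepted after {tries} trials; escrow recovers K_S:",
          recover_session_key(bogus, iv, k_f, k_k1, k_k2, rec1, rec2) == k_s)
```

Two points the model makes visible: the escrow records are only as confidential as the encryption of the components, so the two components must not be encrypted under an identical keystream (see the comment in `program_chip`); and the length of the EA, not the strength of the traffic cipher, bounds the work of anyone who wants a LEAF that validates but does not escrow.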


[Figure  13.11:  Creation  and  use  of  LEAF  for  key  escrow  data  recovery.  Schematic  representation 
with  three  parts:  escrow  component,  user  component,  and  recovery  component  (Key  Escrow 
Decrypt  Processor).  Legend:  UID  = device  unique  identifier;  $K_U$  = device  unique  key; 
$K_F$  = family  key;  $K_{FC}$  = family  key  component;  EA  = encryption  authenticator.] 


(ii)  Issues  related  to  key  escrow 

Key  escrow  encryption  systems  may  serve  a wide  variety  of  applications,  and  a corresponding 
range  of  features  exists.  Distinguishing  properties  of  escrow  systems  include: 

1.  applicability  to  store-and-forward  vs.  real-time  user  communications 

2.  capability  of  real-time  decryption  of  user  traffic 

3.  requirement  of  tamper-resistant  hardware  or  hardware  with  trusted  clock 

4.  capability  of  user  selection  of  escrow  agents 

5.  user  input  into  value  of  escrowed  key 

6.  varying  trust  requirements  in  escrow  agents 

7.  extent  of  user  data  uncovered  by  one  escrow  access  (e.g.,  limited  to  one  session  or 
fixed  time  period)  and  implications  thereof  (e.g.,  hardware  replacement  necessary). 

Threshold  systems  and  shared  control  systems  may  be  put  in  place  to  access  escrowed  key- 
ing information,  to  limit  the  chances  of  unauthorized  data  recovery.  Key  escrow  systems 
may  be  combined  with  other  life  cycle  functions  including  key  establishment,  and  key  back- 
up and  archival  (cf.  key  access  servers  - Notes  13.5  and  13.6). 


13.9  Notes  and  further  references 

§13.1 

Davies  and  Price  [308]  provide  a comprehensive  treatment  of  key  management,  including 
overviews  of  ISO  8732  [578]  and  techniques  introduced  in  several  1978  IBM  Systems 
Journal  papers  [364,  804].  Early  work  addressing  protection  in  communications  networks 
and/or  key  management  includes  that  of  Feistel,  Notz,  and  Smith  [388],  Branstad  [189], 
Kent  [665],  Needham  and  Schroeder  [923],  and  the  surveys  of  Popek  and  Kline  [998]  and 
Voydock  and  Kent  [1225].  Security  issues  in  electronic  funds  transfer  (EFT)  systems  for 
point-of-sale  (POS)  terminals  differ  from  those  for  remote  banking  machines  due  to  the 
weaker  physical  security  of  the  former;  special  key  management  techniques  such  as  unique 
(derived)  transaction  keys  reduce  the  implications  of  terminal  key  compromise  - see  Beker 
and  Walker  [85],  Davies  [305],  and  Davies  and  Price  [308,  Ch.10].  See  Meyer  and  Matyas 
[859]  for  general  symmetric-key  techniques,  EFT  applications,  and  PIN  management;  and 
Ford  [414]  for  directory  services  and  standards,  including  the  X.500  Directory  and  X.509 
Authentication  Framework  [626]. 

For  an  overview  of  key  management  concepts  and  life  cycle  aspects,  see  Fumy  and 
Landrock  [429].  Fumy  and  Leclerc  [430]  consider  placement  of  key  distribution  protocols 
within  the  ISO  Open  Systems  Interconnection  (OSI)  architecture.  Regarding  key  management 
principles,  see  Abadi  and  Needham  [1],  and  Anderson  and  Needham  [31].  See  Vedder 
[1220]  for  security  issues  and  architectures  relevant  to  wireless  communications,  including 
European  digital  cellular  (Global  System  for  Mobile  Communications  - GSM)  and  the 
Digital  European  Cordless  Telephone  (DECT)  system.  Regarding  key  management  for 
security  (authentication  and  encryption)  in  North  American  digital  cellular  systems,  see  IS-54 
Rev  B [365].  ISO  11166-1  [586]  (see  also  comments  by  Rueppel  [1082])  specifies  key 
management  techniques  and  life  cycle  principles  for  use  in  banking  systems,  and  is  used  by  the 
Society  for  Worldwide  Interbank  Financial  Telecommunications  (SWIFT). 

§13.2 

Various  parts  of  ISO/IEC  11770  [616,  617,  618]  contain  background  material  on  key 
management;  Figure  13.3  is  derived  from  an  early  draft  of  11770-3.  KDCs  and  KTCs  were 
popularized  by  ANSI  X9.17  [37].  Related  to  tradeoffs,  Needham  and  Schroeder  [923] 
compare  symmetric  and  public-key  techniques;  the  formalization  proposed  by  Rueppel 
[1080]  allows  analysis  of  security  architectures  to  distinguish  complexity-increasing  from 
complexity-reducing  techniques. 

The  Kerberos  authentication  service  (§12.3.2)  includes  a ticket-granting  service  whereby  a 
client  may  re-authenticate  itself  multiple  times  using  its  long-term  secret  only  once.  The 
client  $A$  first  acquires  a ticket-granting-ticket  through  a protocol  with  an  Authentication 
Server  (AS).  Thereafter,  using  a variation  of  Protocol  12.24,  $A$  may  obtain  authentication 
credentials  for  a server  $B$  from  a Ticket-Granting-Server  (TGS),  extracting  a TGS  session 
key  from  the  time-limited  ticket  to  secure  protocol  messages  with  the  TGS.  $A$'s  long-term 
secret  (password)  need  neither  be  cached  for  an  extended  period  in  memory  nor  re-entered, 
reducing  the  threat  of  its  compromise;  compromise  of  a TGS  session  key  has  time-restricted 
impact.  See  RFC  1510  [1041]  for  details. 

Ford  and  Wiener  [417]  describe  key  access  servers  (Note  13.6),  effectively  an  access  control 
mechanism  where  the  resource  is  a key  package.  Girault  [459]  mentions  the  three  levels  of 
trust  of  Remark  13.7.  Digital  envelopes  (Note  13.6)  are  discussed  in  PKCS  #7  [1072]. 

Example  13.9  is  from  Tuchman  [1198].  Davis  and  Swick  [310]  discuss  symmetric-key 
certificates  as  defined  herein  under  the  name  private-key  certificates  (crediting  Abadi, 
Burrows,  and  Lampson)  and  propose  protocols  for  their  use  with  trusted  third  parties, 
including  a password-based  initial  registration  protocol.  Predating  this,  Davies  and  Price  [308, 
p.259]  note  that  tamper-resistant  hardware  may  replace  the  trusted  third  party  requirement 
of  symmetric-key  certificates  (Note  13.14).  A generalization  of  Protocol  13.12  appears  as 
Mechanism  11  of  ISO/IEC  11770-2  [617],  along  with  related  KTC  protocols  offering 
additional  authenticity  guarantees  (cf.  Note  13.13(iii));  these  provide  KTC  variations  of  the 
KDC  protocols  of  §12.3.2. 

Diffie  and  Hellman  [345]  suggested  using  a trusted  public  file,  maintained  by  a trusted 
authority  with  which  each  communicant  registers  once  (in  person),  and  from  which  authentic 
public  keys  of  other  users  can  be  obtained.  To  secure  requests  by  one  party  for  the  public 
key  of  another,  Rivest,  Shamir,  and  Adleman  [1060]  and  Needham  and  Schroeder  [923] 
note  the  trusted  authority  may  respond  via  signed  messages  (essentially  providing  on-line 
certificates). 

Authentication  trees  were  first  discussed  in  Merkle's  thesis  [851,  p.126-131]  (see  also  [852, 
853]).  For  security  requirements  on  hash  functions  used  for  tree  authentication,  see  Preneel 
[1003,  p.38].  Public-key  certificates  were  first  proposed  in  the  1978  B.Sc.  thesis  of 
Kohnfelder  [703];  the  overall  thesis  considers  implementation  and  systems  issues  related  to  using 
RSA  in  practice.  Kohnfelder's  original  certificate  was  an  ordered  triple  containing  a party's 
name,  public-key  information,  and  an  authenticator,  with  the  authenticator  a signature  over 
the  value  resulting  from  encrypting  the  name  with  the  public  key/algorithm  in  question. 

X.509  certificates  [626]  were  defined  in  1988  and  modified  in  1993  (yielding  Version  2 cer- 
tificates); an  extensions  field  was  added  by  a technical  corrigendum  [627]  in  1995  (yielding 
Version  3 certificates).  Standard  extensions  for  Version  3 certificates  appear  in  an  amend- 
ment to  X.509  [628];  these  accommodate  information  related  to  key  identifiers,  key  usage, 
certificate  policy,  alternate  names  (vs.  X.500  names)  and  name  attributes,  certification  path 
constraints,  and  enhancements  for  certificate  revocation  including  revocation  reasons  and 
CRL  partitioning.  For  details,  see  Ford  [416].  ANSI  X9.45  [49]  addresses  attribute  certifi- 
cates. The  alternative  of  including  hard-coded  attribute  fields  within  public-key  certificates 
is  proposed  in  PKCS  #6  [1072];  suggested  attributes  are  listed  in  PKCS  #9  [1072]. 

In  1984  Shamir  [1115]  formulated  the  general  idea  of  asymmetric  systems  employing  users' 
identities  in  place  of  public  keys  (identity-based  systems),  giving  a concrete  proposal  for 
an  ID-based  signature  system,  and  the  model  for  an  ID-based  encryption  scheme.  Fiat  and 
Shamir  [395]  combined  this  idea  with  that  of  zero-knowledge  interactive  proofs,  yielding 
interactive  identification  and  signature  protocols.  T.  Okamoto  [947]  (based  on  a January 
1984  paper  in  Japanese  by  Okamoto,  Shiraishi,  and  Kawaoka  [954])  independently 
proposed  a specific  entity-authentication  scheme  wherein  a trusted  center  $T$  distributes  to  a 
claimant  $A$  a secret  accreditation  value  computed  as  a function  of  $T$'s  private  key  and  $A$'s 
identity  (or  unique  index  value).  The  identity-based  key-agreement  scheme  of  Maurer  and 
Yacobi  [824]  (cf.  §12.6  notes  on  page  538)  is  an  exception  to  Remark  13.27:  extra  public 
data  $D_A$  is  avoided,  as  ideally  desired. 

Günther  [530]  proposed  a protocol  for  key  agreement  (Protocol  12.62)  wherein  users' 
private  keys  are  constructed  by  a trusted  authority  $T$  based  on  their  identities,  with  corresponding 
Diffie-Hellman  public  keys  reconstructed  from  public  data  provided  by  $T$  (herein  called 
implicitly-certified  public  keys,  identity-based  subclass).  The  protocol  introduced  by  Girault 
[459],  based  on  the  key  agreement  protocol  of  Paillès  and  Girault  [962]  (itself  updated 
by  Girault  and  Paillès  [461]  and  Girault  [458])  similar  to  a protocol  of  Tanaka  and 
E.  Okamoto  [1184],  involved  what  he  christened  self-certified  public  keys  (herein  called 
implicitly-certified  public  keys,  self-certified  subclass);  see  Mechanism  12.61. 

Related  to  self-certified  public  keys,  Brands  [185]  has  proposed  secret-key  certificates  for 
use  in  so-called  restrictive  blind  signature  schemes.  These  involve  a data  triple  consisting 
of  a private  key,  matching  public  key,  and  an  explicit  (secret-key)  certificate  created  by  a 
trusted  third  party  to  certify  the  public  key.  Users  can  themselves  create  pairs  of  public  keys 
and  matching  (secret-key)  certificates,  but  cannot  create  valid  triples.  As  with  self-certified 
keys,  performance  of  a cryptographic  action  relative  to  the  public  key  (e.g.,  signing) 
implicitly  demonstrates  that  the  performing  party  knows  the  private  key  and  hence  that  the 
corresponding  public  key  was  indeed  issued  by  the  trusted  third  party. 

§13.5 

Key  tags  are  due  to  Jones  [642].  Key  separation  as  in  Example  13.33  is  based  on  Ehrsam 
et  al.  [364],  which  outlines  the  use  of  master  keys,  key  variants,  key-  and  data-encrypting 
keys.  Smid  [1153]  introduced  key  notarization  in  the  Key  Notarization  System  (KNS),  a 
key  management  system  designed  by  the  U.S.  National  Bureau  of  Standards  (now  NIST), 
and  based  on  a Key  Notarization  Facility  (KNF)  - a KTC-like  system  component  trusted 
to  handle  master  keys,  and  to  generate  and  notarize  symmetric  keys.  Key  notarization  with 
key  offsetting  (Example  13.34)  is  from  ISO  8732  [578],  which  is  derived  from  ANSI  X9.17 
[37]. 

The  generalization  of  key  notarization  to  control  vectors  is  due  to  Matyas,  Meyer,  and 
Brachtl  [806],  and  described  by  Matyas  [803]  (also  [802]),  including  an  efficient  method 
for  allowing  arbitrary  length  control  vectors  that  does  not  penalize  short  vectors.  The  IBM 
proposal  specifies  E as  two-key  triple-DES,  as  per  ANSI  X9.17.  Matyas  notes  that  a sec- 
ond approach  to  implement  control  vectors,  using  a MAC  computed  on  the  control  vector 
and  the  key  (albeit  requiring  additional  processing),  has  the  property  that  both  the  control 
vector  and  the  recovered  key  may  be  authenticated  before  the  key  is  used.  The  notion  of  a 
capability  (Note  13.35)  was  introduced  in  1966  by  Dennis  and  Van  Horn  [332],  who  also 
considered  the  access  matrix  model. 

§13.6 

Key  distribution  between  domains  is  discussed  in  ISO/IEC  11770-1  [616];  see  also  Kohl 
and  Neuman  [1041]  with  respect  to  Kerberos  V5,  and  Davis  and  Swick  [310].  A Kerberos 
domain  is  called  a realm;  authentication  of  clients  in  one  realm  to  servers  in  others  is  sup- 
ported in  V5  by  inter- realm  keys,  with  a concept  of  authentication  paths  analogous  to  public- 
key  certification  paths. 

Kent  [666]  overviews  the  design  and  implementation  of  Privacy  Enhanced  Mail  (PEM)  (see 
RFC  1421-1424  [1036,  1037,  1038,  1039]),  a prototyped  method  for  adding  security  to 
Internet  mail.  Encryption  and  signature  capabilities  are  provided.  The  PEM  infrastructure  of 
RFC  1422  is  based  on  a strict  hierarchy  of  certification  authorities,  and  includes  specification 
of  Policy  Certification  Authorities  (PCAs)  which  define  policies  with  respect  to  which 
certificates  are  issued.  Regarding  certification  paths,  see  Tarah  and  Huitema  [1185]. 

The  1988  version  of  X.509  [626]  defines  forward  and  reverse  certificates,  certificate  chains, 
and  cross-certificate  pairs,  allowing  support  for  the  general  digraph  trust  model.  The  formal 
analysis  of  Gaarder  and  Snekkenes  [433]  highlights  a practical  difficulty  in  verifying  the 
validity  of  certificates  - the  requirement  of  trusted  time-clocks.  For  reports  on  implementations 
based  on  X.509  certificates,  see  Tardo  and  Alagappan  [1186]  and  others  [660,  72,  839]. 
Techniques  for  segmenting  CRLs  (Note  13.44)  are  included  in  the  above-cited  work  on  Version 
3 certificate  extensions  [628].  Kohnfelder  [703]  noted  many  of  the  issues  regarding 
certificate  revocation  in  1978  when  use  of  certificates  was  first  proposed,  and  suggested 
techniques  to  address  revocation  including  manual  notification,  maintaining  a public  file 
identifying  revoked  keys,  and  use  of  certificate  expiration  dates  (cf.  Denning  [326,  p.170]). 

Matyas  and  Meyer  [804]  consider  several  life  cycle  aspects.  ISO  11770-1  [616]  provides 
a general  overview  of  key  management  issues  including  key  life  cycle.  ANSI  X9.57  [52] 
provides  broad  discussion  on  certificate  management,  including  trust  models,  registration, 
certificate  chains,  and  life  cycle  aspects.  ISO  10202-7  [584]  specifies  a key  management 
life  cycle  for  chipcards. 

Davies  and  Price  [308]  discuss  practical  issues  related  to  registries  of  public  keys,  non- 
repudiation, and  revocation,  including  the  use  of  timestamps  and  notarization;  see  also  the 
original  works  of  Kohnfelder  [703]  and  Merkle  [851],  which  include  discussion  of  notaries. 
Haber  and  Stornetta  [535]  propose  two  additional  techniques  for  timestamping  digital  data 
(one  enhanced  by  Bayer,  Haber,  and  Stornetta  [79]),  although  tree  authentication,  due  to 
Merkle  [852],  appears  to  be  preferable  in  practice.  Benaloh  and  de  Mare  [111]  introduce 
one-way  accumulators  to  address  the  same  problem. 

Although  key  backup/archive  functionality  existed  in  earlier  commercial  products,  the 
widespread  study  of  key  escrow  systems  began  circa  1992,  and  combines  issues  related  to 
secret  sharing,  key  establishment,  and  key  life  cycle.  For  practical  aspects  including  com- 
mercial key  recovery  and  backup,  see  Walker  et  al.  [1229]  and  Maher  [780].  Denning  and 
Branstad  [329]  provide  an  excellent  overview  of  the  numerous  proposals  to  date,  including 
a taxonomy.  Among  such  proposals  and  results  are  those  of  Micali  [863]  (see  also  [862]), 
Leighton  and  Micali  [745],  Beth  et  al.  [125],  Desmedt  [338]  (but  see  also  Knudsen  and 
Pedersen  [690]),  Jefferies,  Mitchell,  and  Walker  [635],  Lenstra,  Winkler,  and  Yacobi  [755], 
Kilian  and  Leighton  [671],  Frankel  and  Yung  [420],  and  Micali  and  Sidney  [869].  In  some 
systems,  it  is  required  that  escrow  agents  be  able  to  verify  that  (partial)  keys  received  are 
authentic,  raising  issues  of  verifiable  secret  sharing  (see  Chor  et  al.  [259]). 

The  Clipper  chip  is  a tamper-resistant  hardware  encryption  device  compliant  with  FIPS  185 
[405],  a voluntary  U.S.  government  standard  intended  for  sensitive  but  unclassified  phone 
(voice  and  data)  communications.  FIPS  185  specifies  use  of  the  SKIPJACK  encryption 
algorithm  (80-bit  key,  64-bit  blocks)  and  LEAF  creation  method,  the  details  of  both  of  which 
remain  classified.  The  two  initial  key  escrow  agents  named  by  the  U.S.  Government  are  the 
National  Institute  of  Standards  and  Technology  (NIST)  and  the  Department  of  the  Treasury, 
Automated  Systems  Division.  Denning  and  Smid  [331]  describe  the  operation  of  an  initial 
key  escrow  system  employing  a chip  in  accordance  with  FIPS  185.  The  Capstone  chip,  a 
more  advanced  device  than  Clipper,  implements  in  addition  a public  key  agreement  algorithm, 
DSA,  SHA,  high-speed  general-purpose  exponentiation,  and  a (pure  noise  source) 
random  number  generator;  it  is  used  in  the  U.S.  government  Multilevel  Information 
Security  System  Initiative  (MISSI)  for  secure  electronic  mail  and  other  applications.  Blaze 
[152]  demonstrated  that  a protocol  attack  is  possible  on  Clipper,  requiring  at  most  $2^{16}$  trial 
LEAF  values  to  construct  a bogus  LEAF  with  a valid  EA;  Denning  and  Smid  note  this  is 
not  a threat  in  practical  systems.  For  a debate  on  issues  related  to  U.S.  digital  telephony 
legislation  passed  in  October  1994  as  the  Communications  Assistance  for  Law  Enforcement 
Act  (CALEA),  requiring  telephone  companies  to  provide  technical  assistance  facilitating 
authorized  wiretapping,  see  Denning  [328]. 
14.1  Introduction 

Many  public-key  encryption  and  digital  signature  schemes,  and  some  hash  functions  (see 
§9.4.3),  require  computations  in  $\mathbb{Z}_m$,  the  integers  modulo  $m$  ($m$  is  a large  positive  integer 
which  may  or  may  not  be  a prime).  For  example,  the  RSA,  Rabin,  and  ElGamal  schemes 
require  efficient  methods  for  performing  multiplication  and  exponentiation  in  $\mathbb{Z}_m$.  Although 
$\mathbb{Z}_m$  is  prominent  in  many  aspects  of  modern  applied  cryptography,  other  algebraic  structures 
are  also  important.  These  include,  but  are  not  limited  to,  polynomial  rings,  finite  fields, 
and  finite  cyclic  groups.  For  example,  the  group  formed  by  the  points  on  an  elliptic  curve 
over  a finite  field  has  considerable  appeal  for  various  cryptographic  applications.  The  efficiency 
of  a particular  cryptographic  scheme  based  on  any  one  of  these  algebraic  structures 
will  depend  on  a number  of  factors,  such  as  parameter  size,  time-memory  tradeoffs,  processing 
power  available,  software  and/or  hardware  optimization,  and  mathematical  algorithms. 

This  chapter  is  concerned  primarily  with  mathematical  algorithms  for  efficiently  carry- 
ing out  computations  in  the  underlying  algebraic  structure.  Since  many  of  the  most  widely 
implemented  techniques  rely  on  Zm,  emphasis  is  placed  on  efficient  algorithms  for  per- 
forming the  basic  arithmetic  operations  in  this  structure  (addition,  subtraction,  multiplica- 
tion, division,  and  exponentiation). 

In  some  cases,  several  algorithms  will  be  presented  which  perform  the  same  operation. 
For  example,  a number  of  techniques  for  doing  modular  multiplication  and  exponentiation 
are  discussed  in  §14.3  and  §14.6,  respectively.  Efficiency  can  be  measured  in  numerous 
ways;  thus,  it  is  difficult  to  definitively  state  which  algorithm  is  the  best.  An  algorithm  may 
be  efficient  in  the  time  it  takes  to  perform  a certain  algebraic  operation,  but  quite  inefficient 
in  the  amount  of  storage  it  requires.  One  algorithm  may  require  more  code  space  than  an- 
other. Depending  on  the  environment  in  which  computations  are  to  be  performed,  one  algo- 
rithm may  be  preferable  over  another.  For  example,  current  chipcard  technology  provides 
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very  limited  storage  for  both  precomputed  values  and  program  code.  For  such  applications, 
an  algorithm  which  is  less  efficient  in  time  but  very  efficient  in  memory  requirements  may 
be  preferred. 

The  algorithms  described  in  this  chapter  are  those  which,  for  the  most  part,  have  re- 
ceived considerable  attention  in  the  literature.  Although  some  attempt  is  made  to  point  out 
their  relative  merits,  no  detailed  comparisons  are  given. 


Chapter  outline 

§14.2  deals  with  the  basic  arithmetic  operations  of  addition,  subtraction,  multiplication, 
squaring,  and  division  for  multiple-precision  integers.  §14.3  describes  the  basic  arithmetic 
operations  of  addition,  subtraction,  and  multiplication  in  $\mathbb{Z}_m$.  Techniques  described  for 
performing  modular  reduction  for  an  arbitrary  modulus  $m$  are  the  classical  method  (§14.3.1), 
Montgomery's  method  (§14.3.2),  and  Barrett's  method  (§14.3.3).  §14.3.4  describes  a 
reduction  procedure  ideally  suited  to  moduli  of  a special  form.  Greatest  common  divisor 
(gcd)  algorithms  are  the  topic  of  §14.4,  including  the  binary  gcd  algorithm  (§14.4.1)  and 
Lehmer's  gcd  algorithm  (§14.4.2).  Efficient  algorithms  for  performing  extended  gcd 
computations  are  given  in  §14.4.3.  Modular  inverses  are  also  considered  in  §14.4.3.  Garner's 
algorithm  for  implementing  the  Chinese  remainder  theorem  can  be  found  in  §14.5.  §14.6  is 
a treatment  of  several  of  the  most  practical  exponentiation  algorithms.  §14.6.1  deals  with 
exponentiation  in  general,  without  consideration  of  any  special  conditions.  §14.6.2  looks 
at  exponentiation  when  the  base  is  variable  and  the  exponent  is  fixed.  §14.6.3  considers 
algorithms  which  take  advantage  of  a fixed-base  element  and  variable  exponent.  Techniques 
involving  representing  the  exponent  in  non-binary  form  are  given  in  §14.7;  recoding  the 
exponent  may  allow  significant  performance  enhancements.  §14.8  contains  further  notes  and 
references. 


14.2  Multiple-precision  integer  arithmetic 

This  section  deals  with  the  basic  operations  performed  on  multiple-precision  integers:  ad- 
dition, subtraction,  multiplication,  squaring,  and  division.  The  algorithms  presented  in  this 
section  are  commonly  referred  to  as  the  classical  methods. 


14.2.1  Radix  representation 

Positive  integers  can  be  represented  in  various  ways,  the  most  common  being  base  10.  For 
example,  $a = 123$  base  10  means  $a = 1 \cdot 10^2 + 2 \cdot 10^1 + 3 \cdot 10^0$.  For  machine  computations, 
base  2 (binary  representation)  is  preferable.  If  $a = 1111011$  base  2,  then  $a = 2^6 + 2^5 + 
2^4 + 2^3 + 0 \cdot 2^2 + 2^1 + 2^0$. 

14.1  Fact  If  $b \ge 2$  is  an  integer,  then  any  positive  integer  $a$  can  be  expressed  uniquely  as 
$a = a_n b^n + a_{n-1} b^{n-1} + \cdots + a_1 b + a_0$,  where  $a_i$  is  an  integer  with  $0 \le a_i < b$  for  $0 \le i \le n$, 
and  $a_n \ne 0$. 

14.2  Definition  The  representation  of  a positive  integer  $a$  as  a sum  of  multiples  of  powers  of 
$b$,  as  given  in  Fact  14.1,  is  called  the  base  $b$  or  radix  $b$  representation  of  $a$. 
14.3  Note  (notation  and  terminology) 

(i)  The  base  $b$  representation  of  a positive  integer  $a$  given  in  Fact  14.1  is  usually  written 
as  $a = (a_n a_{n-1} \cdots a_1 a_0)_b$.  The  integers  $a_i$,  $0 \le i \le n$,  are  called  digits.  $a_n$  is 
called  the  most  significant  digit  or  high-order  digit,  $a_0$  the  least  significant  digit  or 
low-order  digit.  If  $b = 10$,  the  standard  notation  is  $a = a_n a_{n-1} \cdots a_1 a_0$. 

(ii)  It  is  sometimes  convenient  to  pad  high-order  digits  of  a base  $b$  representation  with 
0's;  such  a padded  number  will  also  be  referred  to  as  the  base  $b$  representation. 

(iii)  If  $(a_n a_{n-1} \cdots a_1 a_0)_b$  is  the  base  $b$  representation  of  $a$  and  $a_n \ne 0$,  then  the  precision 
or  length  of  $a$  is  $n + 1$.  If  $n = 0$,  then  $a$  is  called  a single-precision  integer;  otherwise, 
$a$  is  a multiple-precision  integer.  $a = 0$  is  also  a single-precision  integer. 

The  division  algorithm  for  integers  (see  Definition  2.82)  provides  an  efficient  method 
for  determining  the  base  b representation  of  a non-negative  integer,  for  a given  base  b.  This 
provides  the  basis  for  Algorithm  14.4. 


14.4  Algorithm  Radix  $b$  representation 

INPUT:  integers  $a$  and  $b$,  $a \ge 0$,  $b \ge 2$. 

OUTPUT:  the  base  $b$  representation  $a = (a_n \cdots a_1 a_0)_b$,  where  $n \ge 0$  and  $a_n \ne 0$  if  $n \ge 1$. 

1.  $i \leftarrow 0$,  $x \leftarrow a$,  $q \leftarrow \lfloor x/b \rfloor$,  $a_i \leftarrow x - qb$.  ($\lfloor \cdot \rfloor$  is  the  floor  function;  see  page  49.) 

2.  While  $q > 0$,  do  the  following: 

2.1  $i \leftarrow i + 1$,  $x \leftarrow q$,  $q \leftarrow \lfloor x/b \rfloor$,  $a_i \leftarrow x - qb$. 

3.  Return($(a_i a_{i-1} \cdots a_1 a_0)$). 


14.5  Fact  If  $(a_n a_{n-1} \cdots a_1 a_0)_b$  is  the  base  $b$  representation  of  $a$  and  $k$  is  a positive  integer, 
then  $(u_l u_{l-1} \cdots u_1 u_0)_{b^k}$  is  the  base  $b^k$  representation  of  $a$,  where  $l = \lceil (n+1)/k \rceil - 1$, 
$u_i = \sum_{j=0}^{k-1} a_{ik+j} b^j$  for  $0 \le i \le l-1$,  and  $u_l = \sum_{j=0}^{n-lk} a_{lk+j} b^j$. 

14.6  Example  (radix  $b$  representation)  The  base  2 representation  of  $a = 123$  is  $(1111011)_2$. 
The  base  4 representation  of  $a$  is  easily  obtained  from  its  base  2 representation  by  grouping 
digits  in  pairs  from  the  right:  $a = ((1)_2 (11)_2 (10)_2 (11)_2)_4 = (1323)_4$.  □ 
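As an added example (not from the Handbook), Algorithm 14.4 and Fact 14.5 in Python: `radix_digits` follows the algorithm step by step, `from_digits` inverts it, and `regroup` performs the base-$b^k$ grouping of Fact 14.5, which is also how a bit string becomes the base-$2^{32}$ limbs that a multiple-precision library stores. The function names are this example's own.

```python
"""Radix b representation (Algorithm 14.4) and base-b^k regrouping (Fact 14.5).
Added example; digit lists are most-significant-digit first, as in (a_n ... a_1 a_0)_b."""
from typing import List


def radix_digits(a: int, b: int) -> List[int]:
    """Algorithm 14.4: digits of a in base b, most significant first.
    a = 0 yields [0] (a single-precision integer, Note 14.3(iii))."""
    if a < 0 or b < 2:
        raise ValueError("need a >= 0 and b >= 2")
    digits = []
    x, q = a, a // b                  # step 1: q = floor(x / b)
    digits.append(x - q * b)          #         a_0 = x - q*b
    while q > 0:                      # step 2
        x, q = q, q // b              # 2.1: shift down one digit
        digits.append(x - q * b)      #      a_i = x - q*b
    return digits[::-1]               # step 3: (a_i ... a_1 a_0)


def from_digits(digits: List[int], b: int) -> int:
    """Inverse of radix_digits: evaluate sum a_i b^i (Horner form), checking digit range."""
    a = 0
    for d in digits:
        if not 0 <= d < b:
            raise ValueError(f"digit {d} out of range for base {b}")
        a = a * b + d
    return a


def regroup(digits: List[int], b: int, k: int) -> List[int]:
    """Fact 14.5: base-b digits -> base-b^k digits by grouping k digits from the right;
    u_i = sum_{j=0}^{k-1} a_{ik+j} b^j, with the final (high) group possibly shorter."""
    if k < 1:
        raise ValueError("k must be positive")
    low_first = digits[::-1]          # a_0, a_1, ... so that index = ik + j
    out = []
    for i in range(0, len(low_first), k):
        chunk = low_first[i:i + k]
        out.append(sum(d * b ** j for j, d in enumerate(chunk)))
    return out[::-1]


def limbs32(a: int) -> List[int]:
    """32-bit machine words of a, high word first: Fact 14.5 with b = 2, k = 32.
    Identical to radix_digits(a, 2**32), which is how a bignum library stores a."""
    return regroup(radix_digits(a, 2), 2, 32)


if __name__ == "__main__":
    a = 123                                         # Example 14.6
    print(radix_digits(a, 2), radix_digits(a, 4))   # [1,1,1,1,0,1,1] [1,3,2,3]
    print(regroup(radix_digits(a, 2), 2, 2))        # [1,3,2,3]
    print(limbs32(2**70 + 5), radix_digits(2**70 + 5, 2**32))
```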

Representing  negative  numbers 

Negative  integers  can  be  represented  in  several  ways.  Two  commonly  used  methods  are: 

1.  signed-magnitude  representation 

2.  complement  representation. 

These  methods  are  described  below.  The  algorithms  provided  in  this  chapter  all  assume  a 
signed-magnitude  representation  for  integers,  with  the  sign  digit  being  implicit. 

(i)  Signed-magnitude  representation 

The sign of an integer (i.e., either positive or negative) and its magnitude (i.e., absolute value) are represented separately in a signed-magnitude representation. Typically, a positive integer is assigned a sign digit 0, while a negative integer is assigned a sign digit $b-1$. For $n$-digit radix $b$ representations, only $2b^{n-1}$ sequences out of the $b^n$ possible sequences are utilized: precisely $b^{n-1} - 1$ positive integers and $b^{n-1} - 1$ negative integers can be represented, and 0 has two representations. Table 14.1 illustrates the binary signed-magnitude representation of the integers in the range $[-7, 7]$.
Signed-magnitude representation has the drawback that when certain operations (such as addition and subtraction) are performed, the sign digit must be checked to determine the appropriate manner to perform the computation. Conditional branching of this type can be costly when many operations are performed.

(ii)  Complement  representation 

Addition and subtraction using complement representation do not require the checking of the sign digit. Non-negative integers in the range $[0, b^{n-1} - 1]$ are represented by base $b$ sequences of length $n$ with the high-order digit being 0. Suppose $x$ is a positive integer in this range represented by the sequence $(x_n x_{n-1} \cdots x_1 x_0)_b$ where $x_n = 0$. Then $-x$ is represented by the sequence $\overline{x} = (\overline{x}_n \overline{x}_{n-1} \cdots \overline{x}_1 \overline{x}_0) + 1$ where $\overline{x}_i = b - 1 - x_i$ and $+$ is the standard addition with carry. Table 14.1 illustrates the binary complement representation of the integers in the range $[-7, 7]$. In the binary case, complement representation is referred to as two's complement representation.


   Sequence   Signed-magnitude   Two's complement      Sequence   Signed-magnitude   Two's complement
   0111              7                  7               1111            -7                 -1
   0110              6                  6               1110            -6                 -2
   0101              5                  5               1101            -5                 -3
   0100              4                  4               1100            -4                 -4
   0011              3                  3               1011            -3                 -5
   0010              2                  2               1010            -2                 -6
   0001              1                  1               1001            -1                 -7
   0000              0                  0               1000            -0                 -8

Table 14.1: Signed-magnitude and two's complement representations of integers in $[-7, 7]$.


14.2.2  Addition  and  subtraction 

Addition and subtraction are performed on two integers having the same number of base $b$ digits. To add or subtract two integers of different lengths, the smaller of the two integers is first padded with 0's on the left (i.e., in the high-order positions).


14.7 Algorithm Multiple-precision addition

INPUT: positive integers $x$ and $y$, each having $n+1$ base $b$ digits.
OUTPUT: the sum $x + y = (w_{n+1} w_n \cdots w_1 w_0)_b$ in radix $b$ representation.

 1. $c \leftarrow 0$ ($c$ is the carry digit).
 2. For $i$ from 0 to $n$ do the following:
    2.1 $w_i \leftarrow (x_i + y_i + c) \bmod b$.
    2.2 If $(x_i + y_i + c) < b$ then $c \leftarrow 0$; otherwise $c \leftarrow 1$.
 3. $w_{n+1} \leftarrow c$.
 4. Return($(w_{n+1} w_n \cdots w_1 w_0)$).


14.8 Note (computational efficiency) The base $b$ should be chosen so that $(x_i + y_i + c) \bmod b$ can be computed by the hardware on the computing device. Some processors have instruction sets which provide an add-with-carry to facilitate multiple-precision addition.
14.9 Algorithm Multiple-precision subtraction

INPUT: positive integers $x$ and $y$, each having $n+1$ base $b$ digits, with $x \ge y$.
OUTPUT: the difference $x - y = (w_n w_{n-1} \cdots w_1 w_0)_b$ in radix $b$ representation.

 1. $c \leftarrow 0$.
 2. For $i$ from 0 to $n$ do the following:
    2.1 $w_i \leftarrow (x_i - y_i + c) \bmod b$.
    2.2 If $(x_i - y_i + c) \ge 0$ then $c \leftarrow 0$; otherwise $c \leftarrow -1$.
 3. Return($(w_n w_{n-1} \cdots w_1 w_0)$).


14.10 Note (eliminating the requirement $x \ge y$) If the relative magnitudes of the integers $x$ and $y$ are unknown, then Algorithm 14.9 can be modified as follows. On termination of the algorithm, if $c = -1$, then repeat Algorithm 14.9 with $x = (00 \cdots 00)_b$ and $y = (w_n w_{n-1} \cdots w_1 w_0)_b$. The first execution has produced the digits of $x - y + b^{n+1}$; the second subtracts these from $b^{n+1}$ and so returns the digits of $y - x$, and the desired difference is the negative of this result. Conditional checking on the relative magnitudes of $x$ and $y$ can also be avoided by using a complement representation (§14.2.1(ii)).

14.11 Example (modified subtraction) Let $x = 3996879$ and $y = 4637923$ in base 10, so that $x < y$. Table 14.2 shows the steps of the modified subtraction algorithm (cf. Note 14.10). □


First execution of Algorithm 14.9

   i       6    5    4    3    2    1    0
   x_i     3    9    9    6    8    7    9
   y_i     4    6    3    7    9    2    3
   w_i     9    3    5    8    9    5    6
   c      -1    0    0   -1   -1    0    0

Second execution of Algorithm 14.9

   i       6    5    4    3    2    1    0
   x_i     0    0    0    0    0    0    0
   y_i     9    3    5    8    9    5    6
   w_i     0    6    4    1    0    4    4
   c      -1   -1   -1   -1   -1   -1   -1

Table  14.2:  Modified  subtraction  (see  Example  14.11 ). 
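Algorithms 14.7 and 14.9 together with the Note 14.10 modification, as an added Python example that is not part of the Handbook. The digit lists are least-significant first, the borrow is carried as $c = -1$ exactly as in step 2.2, and `mp_sub_signed` performs the second execution of Note 14.10 when the first one ends with $c = -1$; an optional trace records both passes so the rows of Table 14.2 can be reproduced. The helper names are this example's own, and the native-integer wrappers `add_int`/`sub_int` exist only to check the digit-level routines.

```python
# Added example (not from the Handbook): Algorithm 14.7 (addition), Algorithm 14.9
# (subtraction with x >= y) and the Note 14.10 modification that removes the
# x >= y requirement, on LSB-first base-b digit lists.

def width_of(n, b):
    """Number of base-b digits needed for n >= 0 (at least 1)."""
    k = 1
    while n >= b ** k:
        k += 1
    return k

def to_digits(n, b, width):
    """Base-b digits of n, LSB first, zero-padded on the left to `width` digits."""
    out = []
    for _ in range(width):
        n, d = divmod(n, b)
        out.append(d)
    if n:
        raise ValueError("value needs more than width digits")
    return out

def from_digits(ds, b):
    return sum(d * b ** i for i, d in enumerate(ds))

def mp_add(x, y, b):
    """Algorithm 14.7: x, y each have n+1 digits; returns the n+2 digits of x + y."""
    assert len(x) == len(y)
    w, c = [], 0
    for xi, yi in zip(x, y):
        s = xi + yi + c
        w.append(s % b)                 # step 2.1
        c = 0 if s < b else 1           # step 2.2: the carry is a single bit
    w.append(c)                         # step 3: w_{n+1} is the final carry
    return w

def mp_sub(x, y, b):
    """Algorithm 14.9: returns (w, c); c == -1 on exit means x < y (borrow left over)."""
    assert len(x) == len(y)
    w, c = [], 0
    for xi, yi in zip(x, y):
        s = xi - yi + c
        w.append(s % b)                 # Python's % yields 0..b-1 even for negative s
        c = 0 if s >= 0 else -1         # step 2.2: the borrow travels as c = -1
    return w, c

def mp_sub_signed(x, y, b, trace=None):
    """Note 14.10: x - y without knowing which operand is larger.

    Returns (sign, magnitude_digits). If the first pass ends with c == -1 its
    digits are x - y + b^(n+1); a second pass computing (00...0)_b - w then
    yields y - x, so the true difference is -(second result).
    """
    w, c = mp_sub(x, y, b)
    if trace is not None:
        trace.append(("first", list(w), c))
    if c == 0:
        return 1, w
    w2, c2 = mp_sub([0] * len(w), w, b)
    if trace is not None:
        trace.append(("second", list(w2), c2))
    return -1, w2

def add_int(x, y, b=10):
    n = max(width_of(x, b), width_of(y, b))
    return from_digits(mp_add(to_digits(x, b, n), to_digits(y, b, n), b), b)

def sub_int(x, y, b=10):
    n = max(width_of(x, b), width_of(y, b))
    sign, mag = mp_sub_signed(to_digits(x, b, n), to_digits(y, b, n), b)
    return sign * from_digits(mag, b)

if __name__ == "__main__":
    t = []
    mp_sub_signed(to_digits(3996879, 10, 7), to_digits(4637923, 10, 7), 10, t)
    for name, w, c in t:          # the two passes of Table 14.2, digits printed MSB first
        print(name, "".join(map(str, reversed(w))), "final c =", c)
    print(sub_int(3996879, 4637923))   # -641044
```

Note that `mp_sub_signed` always runs a second full pass when $x < y$, so its running time depends on the sign of the result; a branch-free alternative is the complement representation the text points to.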


14.2.3  Multiplication 

Let $x$ and $y$ be integers expressed in radix $b$ representation: $x = (x_n x_{n-1} \cdots x_1 x_0)_b$ and $y = (y_t y_{t-1} \cdots y_1 y_0)_b$. The product $x \cdot y$ will have at most $(n + t + 2)$ base $b$ digits. Algorithm 14.12 is a reorganization of the standard pencil-and-paper method taught in grade school. A single-precision multiplication means the multiplication of two base $b$ digits. If $x_j$ and $y_i$ are two base $b$ digits, then $x_j \cdot y_i$ can be written as $x_j \cdot y_i = (uv)_b$, where $u$ and $v$ are base $b$ digits, and $u$ may be 0.


14.12 Algorithm Multiple-precision multiplication

INPUT: positive integers $x$ and $y$ having $n+1$ and $t+1$ base $b$ digits, respectively.
OUTPUT: the product $x \cdot y = (w_{n+t+1} \cdots w_1 w_0)_b$ in radix $b$ representation.

 1. For $i$ from 0 to $(n+t+1)$ do: $w_i \leftarrow 0$.
 2. For $i$ from 0 to $t$ do the following:
    2.1 $c \leftarrow 0$.
    2.2 For $j$ from 0 to $n$ do the following:
        Compute $(uv)_b = w_{i+j} + x_j \cdot y_i + c$, and set $w_{i+j} \leftarrow v$, $c \leftarrow u$.
    2.3 $w_{i+n+1} \leftarrow u$.
 3. Return($(w_{n+t+1} \cdots w_1 w_0)$).

14.13 Example (multiple-precision multiplication) Take $x = x_3 x_2 x_1 x_0 = 9274$ and $y = y_2 y_1 y_0 = 847$ (base 10 representations), so that $n = 3$ and $t = 2$. Table 14.3 shows the steps performed by Algorithm 14.12 to compute $x \cdot y = 7855078$. □


   i  j   c   w_{i+j} + x_j y_i + c   u   v   w6 w5 w4 w3 w2 w1 w0
   0  0   0   0 + 28 + 0              2   8    0  0  0  0  0  0  8
      1   2   0 + 49 + 2              5   1    0  0  0  0  0  1  8
      2   5   0 + 14 + 5              1   9    0  0  0  0  9  1  8
      3   1   0 + 63 + 1              6   4    0  0  6  4  9  1  8
   1  0   0   1 + 16 + 0              1   7    0  0  6  4  9  7  8
      1   1   9 + 28 + 1              3   8    0  0  6  4  8  7  8
      2   3   4 + 8 + 3               1   5    0  0  6  5  8  7  8
      3   1   6 + 36 + 1              4   3    0  4  3  5  8  7  8
   2  0   0   8 + 32 + 0              4   0    0  4  3  5  0  7  8
      1   4   5 + 56 + 4              6   5    0  4  3  5  0  7  8
      2   6   3 + 16 + 6              2   5    0  4  5  5  0  7  8
      3   2   4 + 72 + 2              7   8    7  8  5  5  0  7  8

Table 14.3: Multiple-precision multiplication (see Example 14.13).


14.14 Remark (pencil-and-paper method) The pencil-and-paper method for multiplying $x = 9274$ and $y = 847$ would appear as

              9 2 7 4
          x     8 4 7
          -----------
            6 4 9 1 8      (row 1)
          3 7 0 9 6        (row 2)
        7 4 1 9 2          (row 3)
        -------------
        7 8 5 5 0 7 8

The $w$ columns of Table 14.3 at the end of the iterations $i = 0$, $i = 1$ and $i = 2$ (the values 64918, 435878 and 7855078) correspond to row 1, row 1 + row 2, and row 1 + row 2 + row 3, respectively.

14.15 Note (computational efficiency of Algorithm 14.12)

(i) The computationally intensive portion of Algorithm 14.12 is step 2.2. Computing $w_{i+j} + x_j \cdot y_i + c$ is called the inner-product operation. Since $w_{i+j}$, $x_j$, $y_i$ and $c$ are all base $b$ digits, the result of an inner-product operation is at most $(b-1) + (b-1)^2 + (b-1) = b^2 - 1$ and, hence, can be represented by two base $b$ digits.

(ii) Algorithm 14.12 requires $(n+1)(t+1)$ single-precision multiplications.

(iii) It is assumed in Algorithm 14.12 that single-precision multiplications are part of the instruction set on a processor. The quality of the implementation of this instruction is crucial to an efficient implementation of Algorithm 14.12.
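Algorithm 14.12 as an added Python example that is not part of the Handbook. The digit lists are least-significant first, the inner product of step 2.2 is split into $(uv)_b$ with `divmod`, and the bound of Note 14.15(i) is asserted at every step; an optional trace records `(i, j, c, inner product, u, v)` so the rows of Table 14.3 can be reproduced, and the number of single-precision multiplications is returned to check Note 14.15(ii). The helper names are this example's own.

```python
# Added example (not from the Handbook): Algorithm 14.12, multiple-precision
# multiplication on LSB-first base-b digit lists, with the inner-product bound
# of Note 14.15(i) checked and the multiplication count of Note 14.15(ii) returned.

def to_digits(n, b):
    """Base-b digits of n >= 0, LSB first (at least one digit)."""
    out = []
    while True:
        n, d = divmod(n, b)
        out.append(d)
        if n == 0:
            return out

def from_digits(ds, b):
    return sum(d * b ** i for i, d in enumerate(ds))

def mp_mul(x, y, b, trace=None):
    """Algorithm 14.12: x has n+1 digits, y has t+1 digits; returns (w, mult_count).

    w has n+t+2 digits. Each trace entry is (i, j, c, inner product, u, v) for
    one execution of step 2.2, i.e. one row of Table 14.3.
    """
    n, t = len(x) - 1, len(y) - 1
    w = [0] * (n + t + 2)                       # step 1
    mults = 0
    for i in range(t + 1):                      # step 2: one pass per digit of y
        c = 0                                   # 2.1
        for j in range(n + 1):                  # 2.2: inner-product operation
            inner = w[i + j] + x[j] * y[i] + c
            mults += 1
            u, v = divmod(inner, b)             # (uv)_b
            assert 0 <= u <= b - 1              # Note 14.15(i): inner <= b^2 - 1, so u is one digit
            if trace is not None:
                trace.append((i, j, c, inner, u, v))
            w[i + j], c = v, u
        w[i + n + 1] = c                        # 2.3: top digit of this pass
    return w, mults

def mul_int(x, y, b=10, trace=None):
    """Wrapper used to check the digit-level routine against native integers."""
    w, _ = mp_mul(to_digits(x, b), to_digits(y, b), b, trace)
    return from_digits(w, b)

if __name__ == "__main__":
    rows = []
    print(mul_int(9274, 847, 10, rows))         # 7855078, as in Example 14.13
    for row in rows:                            # the twelve rows of Table 14.3
        print(row)
```

The partial products 64918, 435878 and 7855078 of Remark 14.14 are the values of `w` after `i` = 0, 1 and 2 respectively, which is why the pencil-and-paper rows are accumulated in place rather than stored separately.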


14.2.4  Squaring 

In the preceding algorithms, $(uv)_b$ has both $u$ and $v$ as single-precision integers. This notation is abused in this subsection by permitting $u$ to be a double-precision integer, such that $0 \le u \le 2(b-1)$. The value $v$ will always be single-precision.
14.16 Algorithm Multiple-precision squaring

INPUT: positive integer $x = (x_{t-1} x_{t-2} \cdots x_1 x_0)_b$.
OUTPUT: $x \cdot x = x^2$ in radix $b$ representation.

 1. For $i$ from 0 to $(2t-1)$ do: $w_i \leftarrow 0$.
 2. For $i$ from 0 to $(t-1)$ do the following:
    2.1 $(uv)_b \leftarrow w_{2i} + x_i \cdot x_i$, $w_{2i} \leftarrow v$, $c \leftarrow u$.
    2.2 For $j$ from $(i+1)$ to $(t-1)$ do the following:
        $(uv)_b \leftarrow w_{i+j} + 2 x_j \cdot x_i + c$, $w_{i+j} \leftarrow v$, $c \leftarrow u$.
    2.3 $w_{i+t} \leftarrow u$.
 3. Return($(w_{2t-1} w_{2t-2} \cdots w_1 w_0)_b$).


14.17 Note (computational efficiency of Algorithm 14.16)

(i) (overflow) In step 2.2, $u$ can be larger than a single-precision integer. Since $w_{i+j}$ is always set to $v$, $w_{i+j} \le b-1$. If $c \le 2(b-1)$, then $w_{i+j} + 2x_j x_i + c \le (b-1) + 2(b-1)^2 + 2(b-1) = (b-1)(2b+1)$, implying $0 \le u \le 2(b-1)$. This value of $u$ may exceed single-precision, and must be accommodated. Note also that the value $w_{i+t}$ written in step 2.3 is itself such a $u$ and is read back in a later iteration (Table 14.4 shows $w_3 = 17$ being used at $i = 1$, $j = 2$), so the slot holding it must be double-precision as well; in base 10, for example, squaring 9999 produces $u = 19$.

(ii) (number of operations) The computationally intensive part of the algorithm is step 2. The number of single-precision multiplications is about $(t^2 + t)/2$, discounting the multiplication by 2. This is approximately one half of the single-precision multiplications required by Algorithm 14.12 (cf. Note 14.15(ii)).

14.18 Note (squaring vs. multiplication in general) Squaring a positive integer $x$ (i.e., computing $x^2$) can at best be no more than twice as fast as multiplying distinct integers $x$ and $y$. To see this, consider the identity $xy = ((x+y)^2 - (x-y)^2)/4$. Hence, $x \cdot y$ can be computed with two squarings (i.e., $(x+y)^2$ and $(x-y)^2$). Of course, a speed-up by a factor of 2 can be significant in many applications.

14.19 Example (squaring) Table 14.4 shows the steps performed by Algorithm 14.16 in squaring $x = 989$. Here, $t = 3$ and $b = 10$. □


   i  j   w_{2i} + x_i^2   w_{i+j} + 2 x_j x_i + c    u    v   w5 w4 w3 w2 w1 w0
   0  -   0 + 81           -                           8    1    0  0  0  0  0  1
      1   -                0 + 2*8*9 + 8              15    2    0  0  0  0  2  1
      2   -                0 + 2*9*9 + 15             17    7    0  0  0  7  2  1
                                                      17    7    0  0 17  7  2  1
   1  -   7 + 64           -                           7    1    0  0 17  1  2  1
      2   -                17 + 2*9*8 + 7             16    8    0  0  8  1  2  1
                                                      16    8    0 16  8  1  2  1
   2  -   16 + 81          -                           9    7    0  7  8  1  2  1
                                                       9    7    9  7  8  1  2  1

Rows without an $i$, $j$ entry show the write $w_{i+t} \leftarrow u$ of step 2.3; the values 17 and 16 stored there exceed a single base 10 digit, as anticipated in Note 14.17(i).

Table  14.4:  Multiple-precision  squaring  (see  Example  14.19). 
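Algorithm 14.16 as an added Python example that is not part of the Handbook. The carry `c` and the step 2.3 slot are allowed to hold double-precision values, the doubling of step 2.2 is done once on the product (as the text's "discounting the multiplication by 2" suggests), and the code asserts only the bound $u \le 2b$ that follows from the contents of those slots, while reporting the largest $u$ seen. An optional trace records `(i, j, expression value, u, v)` per step (with `j = None` for step 2.1), matching the rows of Table 14.4; the helper names are this example's own. Carry handling in hand-written squaring code is a classic source of bignum defects, which is why the final normalization is asserted rather than assumed.

```python
# Added example (not from the Handbook): Algorithm 14.16, multiple-precision
# squaring on LSB-first base-b digit lists, with the double-precision carry of
# Note 14.17(i) made explicit and the operation count of Note 14.17(ii) returned.

def to_digits(n, b):
    out = []
    while True:
        n, d = divmod(n, b)
        out.append(d)
        if n == 0:
            return out

def from_digits(ds, b):
    return sum(d * b ** i for i, d in enumerate(ds))

def mp_sqr(x, b, trace=None):
    """Algorithm 14.16: x = (x_{t-1} ... x_0)_b; returns (w, mult_count, max_u).

    w has 2t digits. Trace entries are (i, j, expression, u, v); j is None for
    the diagonal step 2.1. max_u is the largest carry produced, to show when
    it exceeds a single digit.
    """
    t = len(x)
    w = [0] * (2 * t)                                   # step 1
    mults, max_u = 0, 0
    for i in range(t):                                  # step 2
        s = w[2 * i] + x[i] * x[i]                      # 2.1: diagonal term
        mults += 1
        u, v = divmod(s, b)
        if trace is not None:
            trace.append((i, None, s, u, v))
        w[2 * i], c = v, u
        max_u = max(max_u, u)
        for j in range(i + 1, t):                       # 2.2: off-diagonal terms, counted twice
            s = w[i + j] + 2 * x[j] * x[i] + c
            mults += 1                                  # the factor 2 is a shift, not a multiply
            u, v = divmod(s, b)
            # w[i+j] and c may each hold a double-precision value left by step 2.3
            # or a previous carry, so s <= 2b^2 and u <= 2b (tighter in practice).
            assert 0 <= u <= 2 * b
            if trace is not None:
                trace.append((i, j, s, u, v))
            w[i + j], c = v, u
            max_u = max(max_u, u)
        w[i + t] = c                                    # 2.3: slot may temporarily hold c >= b
    assert all(0 <= d < b for d in w)                   # every slot is a digit on exit
    return w, mults, max_u

def sqr_int(x, b=10, trace=None):
    """Wrapper used to check the digit-level routine against native integers."""
    w, _, _ = mp_sqr(to_digits(x, b), b, trace)
    return from_digits(w, b)

if __name__ == "__main__":
    rows = []
    print(sqr_int(989, 10, rows))                      # 978121, as in Example 14.19
    for row in rows:                                    # the step rows of Table 14.4
        print(row)
    print(mp_sqr(to_digits(9999, 10), 10)[2])           # 19: a carry larger than 2(b-1)
```

For $t = 3$ the count is $(t^2 + t)/2 = 6$ single-precision multiplications, against $(n+1)(t+1) = 9$ for Algorithm 14.12 on the same input.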
14.2.5 Division

Division is the most complicated and costly of the basic multiple-precision operations. Algorithm 14.20 computes the quotient $q$ and remainder $r$ in radix $b$ representation when $x$ is divided by $y$.


14.20 Algorithm Multiple-precision division

INPUT: positive integers $x = (x_n \cdots x_1 x_0)_b$, $y = (y_t \cdots y_1 y_0)_b$ with $n \ge t \ge 1$, $y_t \ne 0$.
OUTPUT: the quotient $q = (q_{n-t} \cdots q_1 q_0)_b$ and remainder $r = (r_t \cdots r_1 r_0)_b$ such that $x = qy + r$, $0 \le r < y$.

 1. For $j$ from 0 to $(n-t)$ do: $q_j \leftarrow 0$.
 2. While $(x \ge y b^{n-t})$ do the following: $q_{n-t} \leftarrow q_{n-t} + 1$, $x \leftarrow x - y b^{n-t}$.
 3. For $i$ from $n$ down to $(t+1)$ do the following (the $x_i$ below are the digits of the current value of $x$):
    3.1 If $x_i = y_t$ then set $q_{i-t-1} \leftarrow b - 1$; otherwise set $q_{i-t-1} \leftarrow \lfloor (x_i b + x_{i-1})/y_t \rfloor$.
    3.2 While $(q_{i-t-1}(y_t b + y_{t-1}) > x_i b^2 + x_{i-1} b + x_{i-2})$ do: $q_{i-t-1} \leftarrow q_{i-t-1} - 1$.
    3.3 $x \leftarrow x - q_{i-t-1} y b^{i-t-1}$.
    3.4 If $x < 0$ then set $x \leftarrow x + y b^{i-t-1}$ and $q_{i-t-1} \leftarrow q_{i-t-1} - 1$.
 4. $r \leftarrow x$.
 5. Return($q$, $r$).


14.21 Example (multiple-precision division) Let $x = 721948327$, $y = 84461$, so that $n = 8$ and $t = 4$. Table 14.5 illustrates the steps in Algorithm 14.20. The last row gives the quotient $q = 8547$ and the remainder $r = 60160$. □


   i   q4 q3 q2 q1 q0   x8 x7 x6 x5 x4 x3 x2 x1 x0
   -    0  0  0  0  0    7  2  1  9  4  8  3  2  7
   8    0  9  0  0  0    7  2  1  9  4  8  3  2  7
        0  8  0  0  0    0  4  6  2  6  0  3  2  7
   7    0  8  5  0  0    0  0  4  0  2  9  8  2  7
   6    0  8  5  5  0    0  0  4  0  2  9  8  2  7
        0  8  5  4  0    0  0  0  6  5  1  3  8  7
   5    0  8  5  4  8    0  0  0  6  5  1  3  8  7
        0  8  5  4  7    0  0  0  0  6  0  1  6  0

Where a value of $i$ has two rows, the first shows the estimate of step 3.1 and the second the digit after the correction of step 3.2 together with the value of $x$ after step 3.3.

Table 14.5: Multiple-precision division (see Example 14.21).


14.22 Note (comments on Algorithm 14.20)

(i) Step 2 of Algorithm 14.20 is performed at most once if $y_t \ge \lfloor b/2 \rfloor$ and $b$ is even.

(ii) The condition $n \ge t \ge 1$ can be replaced by $n \ge t \ge 0$, provided one takes $x_j = y_j = 0$ whenever a subscript $j < 0$ is encountered in the algorithm.

14.23 Note (normalization) The estimate for the quotient digit $q_{i-t-1}$ in step 3.1 of Algorithm 14.20 is never less than the true value of the quotient digit. Furthermore, if $y_t \ge \lfloor b/2 \rfloor$, then step 3.2 is repeated no more than twice. If step 3.1 is modified so that $q_{i-t-1} \leftarrow \lfloor (x_i b^2 + x_{i-1} b + x_{i-2})/(y_t b + y_{t-1}) \rfloor$, then the estimate is almost always correct and step 3.2 is never repeated more than once. One can always guarantee that $y_t \ge \lfloor b/2 \rfloor$ by replacing the integers $x$, $y$ by $\lambda x$, $\lambda y$ for some suitable choice of $\lambda$. The quotient of $\lambda x$ divided by $\lambda y$ is the same as that of $x$ by $y$; the remainder is $\lambda$ times the remainder of $x$ divided by $y$. If the base $b$ is a power of 2 (as in many applications), then the choice of $\lambda$ should be a power of 2; multiplication by $\lambda$ is achieved by simply left-shifting the binary representations of $x$ and $y$. Multiplying by a suitable choice of $\lambda$ to ensure that $y_t \ge \lfloor b/2 \rfloor$ is called normalization. Example 14.24 illustrates the procedure.

14.24 Example (normalized division) Take $x = 73418$ and $y = 267$. Normalize $x$ and $y$ by multiplying each by $\lambda = 3$: $x' = 3x = 220254$ and $y' = 3y = 801$. Table 14.6 shows the steps of Algorithm 14.20 as applied to $x'$ and $y'$. When $x'$ is divided by $y'$, the quotient is 274, and the remainder is 780. When $x$ is divided by $y$, the quotient is also 274 and the remainder is $780/3 = 260$. □


   i   q3 q2 q1 q0   x5 x4 x3 x2 x1 x0
   -    0  0  0  0    2  2  0  2  5  4
   5    0  2  0  0    0  6  0  0  5  4
   4    0  2  7  0    0  0  3  9  8  4
   3    0  2  7  4    0  0  0  7  8  0

Table 14.6: Multiple-precision division after normalization (see Example 14.24).


14.25 Note (computational efficiency of Algorithm 14.20 with normalization)

(i) (multiplication count) Assuming that normalization extends the number of digits in $x$ by 1, each iteration of step 3 requires $1 + (t+2) = t+3$ single-precision multiplications. Hence, Algorithm 14.20 with normalization requires about $(n-t)(t+3)$ single-precision multiplications.

(ii) (division count) Since step 3.1 of Algorithm 14.20 is executed $n-t$ times, at most $n-t$ single-precision divisions are required when normalization is used.
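Algorithm 14.20 with the normalization of Note 14.23, as an added Python example that is not part of the Handbook. The running value of $x$ is kept as a Python integer standing in for its digit string, while the quotient-digit estimate of step 3.1 and the corrections of steps 3.2 and 3.4 use only the digits $x_i, x_{i-1}, x_{i-2}$ and $y_t, y_{t-1}$, as the algorithm prescribes; out-of-range subscripts are read as 0 (Note 14.22(ii)). The trace records `(i, final digit, number of step 3.2 decrements, x)` per iteration, matching Table 14.5. The choice $\lambda = \lfloor b/(y_t + 1) \rfloor$ in `mp_divmod_normalized` is an assumption not taken from the text (it is the normalizing factor of Knuth's Algorithm D and gives $\lambda = 3$ for Example 14.24); the helper names are this example's own.

```python
# Added example (not from the Handbook): Algorithm 14.20 (multiple-precision
# division) with the quotient-digit estimate, its corrections, and the
# normalization of Note 14.23. x and y are Python ints standing in for their
# base-b digit strings; digit(n, b, i) extracts x_i.

def ndigits(n, b):
    """Number of base-b digits of n >= 0 (at least 1)."""
    k = 1
    while n >= b ** k:
        k += 1
    return k

def digit(n, b, i):
    """Digit n_i of n in base b; 0 for a negative subscript (Note 14.22(ii))."""
    return (n // b ** i) % b if i >= 0 else 0

def mp_divmod(x, y, b, trace=None):
    """Algorithm 14.20: returns (q, r) with x = q*y + r and 0 <= r < y."""
    if b < 2 or y <= 0 or x < 0:
        raise ValueError("need b >= 2, y > 0, x >= 0")
    if x < y:
        return 0, x
    n, t = ndigits(x, b) - 1, ndigits(y, b) - 1
    yt, yt1 = digit(y, b, t), digit(y, b, t - 1)
    q = [0] * (n - t + 1)                               # step 1
    while x >= y * b ** (n - t):                        # step 2
        q[n - t] += 1
        x -= y * b ** (n - t)
    for i in range(n, t, -1):                           # step 3: i = n down to t+1
        k = i - t - 1
        xi, xi1, xi2 = digit(x, b, i), digit(x, b, i - 1), digit(x, b, i - 2)
        q[k] = b - 1 if xi == yt else (xi * b + xi1) // yt              # 3.1 (never too small)
        corrections = 0
        while q[k] * (yt * b + yt1) > xi * b * b + xi1 * b + xi2:      # 3.2
            q[k] -= 1
            corrections += 1
        x -= q[k] * y * b ** k                                          # 3.3
        if x < 0:                                                       # 3.4: estimate was one too big
            x += y * b ** k
            q[k] -= 1
        if trace is not None:
            trace.append((i, q[k], corrections, x))
    return sum(d * b ** j for j, d in enumerate(q)), x                 # steps 4, 5

def mp_divmod_normalized(x, y, b):
    """Note 14.23: scale x and y by lam so that y_t >= floor(b/2), then undo it on r."""
    t = ndigits(y, b) - 1
    lam = b // (digit(y, b, t) + 1)      # assumption: Knuth's normalizer, not stated in the text
    assert digit(lam * y, b, t) >= b // 2 and ndigits(lam * y, b) == t + 1
    q, r = mp_divmod(lam * x, lam * y, b)
    assert r % lam == 0                  # the remainder is exactly lam times the true one
    return q, r // lam

if __name__ == "__main__":
    rows = []
    print(mp_divmod(721948327, 84461, 10, rows))   # (8547, 60160), Example 14.21
    for row in rows:                                # estimates and corrections of Table 14.5
        print(row)
    print(mp_divmod_normalized(73418, 267, 10))     # (274, 260), Example 14.24
```

Running the same division with $b = 16$ over a range of inputs shows that step 3.4 is exercised only rarely, which is exactly the kind of branch that is easy to get wrong and hard to hit in testing; a comparison against `divmod` is the cheapest oracle.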


14.3  Multiple-precision  modular  arithmetic 

§14.2 provided methods for carrying out the basic operations (addition, subtraction, multiplication, squaring, and division) with multiple-precision integers. This section deals with these operations in $\mathbb{Z}_m$, the integers modulo $m$, where $m$ is a multiple-precision positive integer. (See §2.4.3 for definitions of $\mathbb{Z}_m$ and related operations.)

Let $m = (m_n m_{n-1} \cdots m_1 m_0)_b$ be a positive integer in radix $b$ representation. Let $x = (x_n x_{n-1} \cdots x_1 x_0)_b$ and $y = (y_n y_{n-1} \cdots y_1 y_0)_b$ be non-negative integers in base $b$ representation such that $x < m$ and $y < m$. Methods described in this section are for computing $x + y \bmod m$ (modular addition), $x - y \bmod m$ (modular subtraction), and $x \cdot y \bmod m$ (modular multiplication). Computing $x^{-1} \bmod m$ (modular inversion) is addressed in §14.4.3.

14.26 Definition If $z$ is any integer, then $z \bmod m$ (the integer remainder in the range $[0, m-1]$ after $z$ is divided by $m$) is called the modular reduction of $z$ with respect to modulus $m$.
Modular addition and subtraction

As is the case for ordinary multiple-precision operations, addition and subtraction are the simplest to compute of the modular operations.

14.27 Fact Let $x$ and $y$ be non-negative integers with $x, y < m$. Then:
(i) $x + y < 2m$;
(ii) if $x \ge y$, then $0 \le x - y < m$; and
(iii) if $x < y$, then $0 < x + m - y < m$.

If $x, y \in \mathbb{Z}_m$, then modular addition can be performed by using Algorithm 14.7 to add $x$ and $y$ as multiple-precision integers, with the additional step of subtracting $m$ if (and only if) $x + y \ge m$. Modular subtraction is precisely Algorithm 14.9, provided $x \ge y$; if $x < y$, Fact 14.27(iii) shows that $x + m - y$ is the required result.


14.3.1  Classical  modular  multiplication 

Modular multiplication is more involved than multiple-precision multiplication (§14.2.3), requiring both multiple-precision multiplication and some method for performing modular reduction (Definition 14.26). The most straightforward method for performing modular reduction is to compute the remainder on division by $m$, using a multiple-precision division algorithm such as Algorithm 14.20; this is commonly referred to as the classical algorithm for performing modular multiplication.


14.28 Algorithm Classical modular multiplication

INPUT: two positive integers $x$, $y$ and a modulus $m$, all in radix $b$ representation.
OUTPUT: $x \cdot y \bmod m$.

 1. Compute $x \cdot y$ (using Algorithm 14.12).
 2. Compute the remainder $r$ when $x \cdot y$ is divided by $m$ (using Algorithm 14.20).
 3. Return($r$).


14.3.2  Montgomery  reduction 

Montgomery reduction is a technique which allows efficient implementation of modular multiplication without explicitly carrying out the classical modular reduction step.

Let $m$ be a positive integer, and let $R$ and $T$ be integers such that $R > m$, $\gcd(m, R) = 1$, and $0 \le T < mR$. A method is described for computing $TR^{-1} \bmod m$ without using the classical method of Algorithm 14.28. $TR^{-1} \bmod m$ is called a Montgomery reduction of $T$ modulo $m$ with respect to $R$. With a suitable choice of $R$, a Montgomery reduction can be efficiently computed.

Suppose $x$ and $y$ are integers such that $0 \le x, y < m$. Let $\tilde{x} = xR \bmod m$ and $\tilde{y} = yR \bmod m$. The Montgomery reduction of $\tilde{x}\tilde{y}$ is $\tilde{x}\tilde{y}R^{-1} \bmod m = xyR \bmod m$. This observation is used in Algorithm 14.94 to provide an efficient method for modular exponentiation.

To briefly illustrate, consider computing $x^5 \bmod m$ for some integer $x$, $1 \le x < m$. First compute $\tilde{x} = xR \bmod m$. Then compute the Montgomery reduction of $\tilde{x}\tilde{x}$, which is $A = \tilde{x}^2 R^{-1} \bmod m$. The Montgomery reduction of $A^2$ is $A^2 R^{-1} \bmod m = \tilde{x}^4 R^{-3} \bmod m$. Finally, the Montgomery reduction of $(A^2 R^{-1} \bmod m)\tilde{x}$ is $(A^2 R^{-1})\tilde{x} R^{-1} \bmod m = \tilde{x}^5 R^{-4} \bmod m = x^5 R \bmod m$. Multiplying this value by $R^{-1} \bmod m$ and reducing modulo $m$ gives $x^5 \bmod m$. Provided that Montgomery reductions are more efficient to compute than classical modular reductions, this method may be more efficient than computing $x^5 \bmod m$ by repeated application of Algorithm 14.28.

If $m$ is represented as a base $b$ integer of length $n$, then a typical choice for $R$ is $b^n$. The condition $R > m$ is clearly satisfied, but $\gcd(R, m) = 1$ will hold only if $\gcd(b, m) = 1$. Thus, this choice of $R$ is not possible for all moduli. For those moduli of practical interest (such as RSA moduli), $m$ will be odd; then $b$ can be a power of 2 and $R = b^n$ will suffice.

Fact 14.29 is basic to the Montgomery reduction method. Note 14.30 then implies that $R = b^n$ is sufficient (but not necessary) for efficient implementation.

14.29 Fact (Montgomery reduction) Given integers $m$ and $R$ where $\gcd(m, R) = 1$, let $m' = -m^{-1} \bmod R$, and let $T$ be any integer such that $0 \le T < mR$. If $U = Tm' \bmod R$, then $(T + Um)/R$ is an integer and $(T + Um)/R \equiv TR^{-1} \pmod m$.

Justification. $T + Um \equiv T \pmod m$ and, hence, $(T + Um)R^{-1} \equiv TR^{-1} \pmod m$. To see that $(T + Um)R^{-1}$ is an integer, observe that $U = Tm' + kR$ and $m'm = -1 + lR$ for some integers $k$ and $l$. It follows that $(T + Um)/R = (T + (Tm' + kR)m)/R = (T + T(-1 + lR) + kRm)/R = lT + km$.

14.30 Note (implications of Fact 14.29)

(i) $(T + Um)/R$ is an estimate for $TR^{-1} \bmod m$. Since $T < mR$ and $U < R$, then $(T + Um)/R < (mR + mR)/R = 2m$. Thus either $(T + Um)/R = TR^{-1} \bmod m$ or $(T + Um)/R = (TR^{-1} \bmod m) + m$ (i.e., the estimate is within $m$ of the residue). Example 14.31 illustrates that both possibilities can occur.

(ii) If all integers are represented in radix $b$ and $R = b^n$, then $TR^{-1} \bmod m$ can be computed with two multiple-precision multiplications (i.e., $U = T \cdot m'$ and $U \cdot m$) and simple right-shifts of $T + Um$ in order to divide by $R$.

14.31 Example (Montgomery reduction) Let $m = 187$, $R = 190$. Then $R^{-1} \bmod m = 125$, $m^{-1} \bmod R = 63$, and $m' = 127$. If $T = 563$, then $U = Tm' \bmod R = 61$ and $(T + Um)/R = 63 = TR^{-1} \bmod m$. If $T = 1125$ then $U = Tm' \bmod R = 185$ and $(T + Um)/R = 188 = (TR^{-1} \bmod m) + m$. □

Algorithm 14.32 computes the Montgomery reduction of $T = (t_{2n-1} \cdots t_1 t_0)_b$ when $R = b^n$ and $m = (m_{n-1} \cdots m_1 m_0)_b$. The algorithm makes implicit use of Fact 14.29 by computing quantities which have similar properties to $U = Tm' \bmod R$ and $T + Um$, although the latter two expressions are not computed explicitly.


14.32 Algorithm Montgomery reduction

INPUT: integers $m = (m_{n-1} \cdots m_1 m_0)_b$ with $\gcd(m, b) = 1$, $R = b^n$, $m' = -m^{-1} \bmod b$, and $T = (t_{2n-1} \cdots t_1 t_0)_b < mR$.
OUTPUT: $TR^{-1} \bmod m$.

 1. $A \leftarrow T$. (Notation: $A = (a_{2n-1} \cdots a_1 a_0)_b$.)
 2. For $i$ from 0 to $(n-1)$ do the following:
    2.1 $u_i \leftarrow a_i m' \bmod b$.
    2.2 $A \leftarrow A + u_i m b^i$.
 3. $A \leftarrow A/b^n$.
 4. If $A \ge m$ then $A \leftarrow A - m$.
 5. Return($A$).
14.33 Note (comments on Montgomery reduction)

(i) Algorithm 14.32 does not require $m' = -m^{-1} \bmod R$, as Fact 14.29 does, but rather $m' = -m^{-1} \bmod b$. This is due to the choice of $R = b^n$.

(ii) At step 2.1 of the algorithm with $i = l$, $A$ has the property that $a_j = 0$, $0 \le j \le l-1$. Step 2.2 does not modify these values, but does replace $a_l$ by 0. It follows that in step 3, $A$ is divisible by $b^n$.

(iii) Going into step 3, the value of $A$ equals $T$ plus some multiple of $m$ (see step 2.2); here $A = (T + km)/b^n$ is an integer (see (ii) above) and $A \equiv TR^{-1} \pmod m$. It remains to show that $A$ is less than $2m$, so that at step 4, a subtraction (rather than a division) will suffice. Going into step 3, $A = T + \sum_{i=0}^{n-1} u_i b^i m$. But $\sum_{i=0}^{n-1} u_i b^i m \le \sum_{i=0}^{n-1} (b-1) b^i m < b^n m = Rm$ and $T < Rm$; hence, $A < 2Rm$. Going into step 4 (after division of $A$ by $R$), $A < 2m$ as required.

14.34 Note (computational efficiency of Montgomery reduction) Step 2.1 and step 2.2 of Algorithm 14.32 require a total of $n+1$ single-precision multiplications. Since these steps are executed $n$ times, the total number of single-precision multiplications is $n(n+1)$. Algorithm 14.32 does not require any single-precision divisions.

14.35 Example (Montgomery reduction) Let $m = 72639$, $b = 10$, $R = 10^5$, and $T = 7118368$. Here $n = 5$, $m' = -m^{-1} \bmod 10 = 1$, $T \bmod m = 72385$, and $TR^{-1} \bmod m = 39796$. Table 14.7 displays the iterations of step 2 in Algorithm 14.32. □


   i   u_i = a_i m' mod 10    u_i m b^i           A
   -           -                  -           7118368
   0           8             581112           7699480
   1           8            5811120          13510600
   2           6           43583400          57094000
   3           4          290556000         347650000
   4           5         3631950000        3979600000

Table 14.7: Montgomery reduction algorithm (see Example 14.35).

Montgomery multiplication

Algorithm 14.36 combines Montgomery reduction (Algorithm 14.32) and multiple-precision multiplication (Algorithm 14.12) to compute the Montgomery reduction of the product of two integers.


14.36 Algorithm Montgomery multiplication

INPUT: integers $m = (m_{n-1} \cdots m_1 m_0)_b$, $x = (x_{n-1} \cdots x_1 x_0)_b$, $y = (y_{n-1} \cdots y_1 y_0)_b$ with $0 \le x, y < m$, $R = b^n$ with $\gcd(m, b) = 1$, and $m' = -m^{-1} \bmod b$.
OUTPUT: $xyR^{-1} \bmod m$.

 1. $A \leftarrow 0$. (Notation: $A = (a_n a_{n-1} \cdots a_1 a_0)_b$.)
 2. For $i$ from 0 to $(n-1)$ do the following:
    2.1 $u_i \leftarrow (a_0 + x_i y_0) m' \bmod b$.
    2.2 $A \leftarrow (A + x_i y + u_i m)/b$.
 3. If $A \ge m$ then $A \leftarrow A - m$.
 4. Return($A$).
14.37 Note (partial justification of Algorithm 14.36) Suppose at the $i$th iteration of step 2 that $0 \le A \le 2m - 1$. Step 2.2 replaces $A$ with $(A + x_i y + u_i m)/b$; but $(A + x_i y + u_i m)/b \le (2m - 2 + (b-1)(m-1) + (b-1)m)/b = 2m - 1 - (1/b)$. Hence, $A \le 2m - 1$, justifying step 3.

14.38 Note (computational efficiency of Algorithm 14.36) Since $A + x_i y + u_i m$ is a multiple of $b$, only a right-shift is required to perform a division by $b$ in step 2.2. Step 2.1 requires two single-precision multiplications and step 2.2 requires $2n$. Since step 2 is executed $n$ times, the total number of single-precision multiplications is $n(2 + 2n) = 2n(n+1)$.

14.39 Note (computing $xy \bmod m$ with Montgomery multiplication) Suppose $x$, $y$, and $m$ are $n$-digit base $b$ integers with $0 \le x, y < m$. Neglecting the cost of the precomputation in the input, Algorithm 14.36 computes $xyR^{-1} \bmod m$ with $2n(n+1)$ single-precision multiplications. Neglecting the cost to compute $R^2 \bmod m$ and applying Algorithm 14.36 to $xyR^{-1} \bmod m$ and $R^2 \bmod m$, $xy \bmod m$ is computed in $4n(n+1)$ single-precision operations. Using classical modular multiplication (Algorithm 14.28) would require $2n(n+1)$ single-precision operations and no precomputation. Hence, the classical algorithm is superior for doing a single modular multiplication; however, Montgomery multiplication is very effective for performing modular exponentiation (Algorithm 14.94).

14.40 Remark (Montgomery reduction vs. Montgomery multiplication) Algorithm 14.36 (Montgomery multiplication) takes as input two $n$-digit numbers and then proceeds to interleave the multiplication and reduction steps. Because of this, Algorithm 14.36 is not able to take advantage of the special case where the input integers are equal (i.e., squaring). On the other hand, Algorithm 14.32 (Montgomery reduction) assumes as input the product of two integers, each of which has at most $n$ digits. Since Algorithm 14.32 is independent of multiple-precision multiplication, a faster squaring algorithm such as Algorithm 14.16 may be used prior to the reduction step.

14.41 Example (Montgomery multiplication) In Algorithm 14.36, let $m = 72639$, $R = 10^5$, $x = 5792$, $y = 1229$. Here $n = 5$, $m' = -m^{-1} \bmod 10 = 1$, and $xyR^{-1} \bmod m = 39796$. Notice that $m$ and $R$ are the same values as in Example 14.35, as is $xy = 7118368$. Table 14.8 displays the steps in Algorithm 14.36. □


   i   x_i   x_i y_0   u_i    x_i y    u_i m       A
   0    2      18       8      2458    581112    58357
   1    9      81       8     11061    581112    65053
   2    7      63       6      8603    435834    50949
   3    5      45       4      6145    290556    34765
   4    0       0       5         0    363195    39796

Table  14.8:  Montgomery  multiplication  ( see  Example  14.41 ). 
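Fact 14.29, Algorithm 14.32 and Algorithm 14.36, together with the conversion of Note 14.39, as one added Python example that is not part of the Handbook. `mont_reduce_fact` computes the estimate $(T + Um)/R$ of Note 14.30 with $m' = -m^{-1} \bmod R$; `mont_reduce` is the digit-serial Algorithm 14.32 with $m' = -m^{-1} \bmod b$ and a trace reproducing Table 14.7; `mont_mul` is Algorithm 14.36 with a trace reproducing Table 14.8; `mod_mul` applies Algorithm 14.36 a second time with $R^2 \bmod m$ to recover $xy \bmod m$. Modular inverses come from Python's `pow(a, -1, n)` (3.8 or later); the function names are this example's own. The final conditional subtraction of steps 4 and 3 is written as a plain `if` for readability; in code that handles secrets it is a data-dependent branch, and constant-time implementations replace it with a masked subtraction.

```python
# Added example (not from the Handbook): Fact 14.29 as stated (m' modulo R),
# Algorithm 14.32 (Montgomery reduction, m' modulo b), Algorithm 14.36
# (Montgomery multiplication) and the Note 14.39 conversion back to xy mod m.

def mont_reduce_fact(T, m, R):
    """Fact 14.29 / Note 14.30: returns (estimate (T+Um)/R, TR^{-1} mod m)."""
    assert 0 <= T < m * R and R > m
    m_prime = (-pow(m, -1, R)) % R          # m' = -m^{-1} mod R
    U = (T * m_prime) % R
    assert (T + U * m) % R == 0             # the Fact: the division is exact
    estimate = (T + U * m) // R
    assert estimate < 2 * m                 # Note 14.30(i): within m of the residue
    return estimate, estimate - m if estimate >= m else estimate

def mont_setup(m, b):
    """n = digit length of m, m' = -m^{-1} mod b, and R^2 mod m for R = b^n."""
    n = 1
    while m >= b ** n:
        n += 1
    m_prime = (-pow(m, -1, b)) % b          # requires gcd(m, b) = 1
    return n, m_prime, pow(b, 2 * n, m)

def mont_reduce(T, m, b, n, m_prime, trace=None):
    """Algorithm 14.32: TR^{-1} mod m with R = b^n, using only m' mod b."""
    assert 0 <= T < m * b ** n
    A = T
    for i in range(n):
        a_i = (A // b ** i) % b
        u_i = (a_i * m_prime) % b           # 2.1
        A += u_i * m * b ** i               # 2.2: clears digit i of A (Note 14.33(ii))
        if trace is not None:
            trace.append((i, u_i, u_i * m * b ** i, A))
    assert A % b ** n == 0
    A //= b ** n                            # 3: a right shift by n digits
    assert A < 2 * m                        # Note 14.33(iii)
    return A - m if A >= m else A           # 4: conditional subtraction (see lead-in)

def mont_mul(x, y, m, b, n, m_prime, trace=None):
    """Algorithm 14.36: xyR^{-1} mod m, interleaving multiplication and reduction."""
    assert 0 <= x < m and 0 <= y < m
    A, y0 = 0, y % b
    for i in range(n):
        x_i = (x // b ** i) % b
        u_i = ((A % b + x_i * y0) * m_prime) % b    # 2.1
        num = A + x_i * y + u_i * m
        assert num % b == 0                         # Note 14.38: division is an exact shift
        A = num // b                                # 2.2
        if trace is not None:
            trace.append((i, x_i, u_i, A))
    assert A <= 2 * m - 1                           # Note 14.37
    return A - m if A >= m else A                   # 3

def mod_mul(x, y, m, b):
    """Note 14.39: two Montgomery multiplications give xy mod m."""
    n, m_prime, R2 = mont_setup(m, b)
    A = mont_mul(x, y, m, b, n, m_prime)            # xyR^{-1} mod m
    return mont_mul(A, R2, m, b, n, m_prime)        # (xyR^{-1})(R^2)R^{-1} = xy mod m

if __name__ == "__main__":
    n, m_prime, _ = mont_setup(72639, 10)
    t = []
    print(mont_reduce(7118368, 72639, 10, n, m_prime, t))   # 39796, Table 14.7
    print(mont_mul(5792, 1229, 72639, 10, n, m_prime))       # 39796, Table 14.8
    print(mod_mul(5792, 1229, 72639, 10))                    # 72385 = 5792*1229 mod 72639
```

With $b = 10$ the trace values are those of Tables 14.7 and 14.8; with $b = 2^{32}$ or $2^{64}$ the `% b` and `// b` operations become word extraction and word shifts, which is the whole point of choosing $R = b^n$.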


14.3.3 Barrett reduction

Barrett reduction (Algorithm 14.42) computes $r = x \bmod m$ given $x$ and $m$. The algorithm requires the precomputation of the quantity $\mu = \lfloor b^{2k}/m \rfloor$; it is advantageous if many reductions are performed with a single modulus. For example, each RSA encryption for one entity requires reduction modulo that entity's public key modulus. The precomputation takes a fixed amount of work, which is negligible in comparison to modular exponentiation cost. Typically, the radix $b$ is chosen to be close to the word-size of the processor. Hence, assume $b > 3$ in Algorithm 14.42 (see Note 14.44(ii)).


14.42 Algorithm Barrett modular reduction

INPUT: positive integers $x = (x_{2k-1} \cdots x_1 x_0)_b$, $m = (m_{k-1} \cdots m_1 m_0)_b$ (with $m_{k-1} \ne 0$), and $\mu = \lfloor b^{2k}/m \rfloor$.
OUTPUT: $r = x \bmod m$.

 1. $q_1 \leftarrow \lfloor x/b^{k-1} \rfloor$, $q_2 \leftarrow q_1 \cdot \mu$, $q_3 \leftarrow \lfloor q_2/b^{k+1} \rfloor$.
 2. $r_1 \leftarrow x \bmod b^{k+1}$, $r_2 \leftarrow q_3 \cdot m \bmod b^{k+1}$, $r \leftarrow r_1 - r_2$.
 3. If $r < 0$ then $r \leftarrow r + b^{k+1}$.
 4. While $r \ge m$ do: $r \leftarrow r - m$.
 5. Return($r$).


14.43  Fact  By  the  division  algorithm  (Definition  2.82),  there  exist  integers  Q and  R such  that 
x = Qm  + R and  ()<_/?<  to.  In  step  1 of  Algorithm  14.42,  the  following  inequality  is 
satisfied:  Q — 2 < q3  < Q. 

14.44  Note  ( partial  justification  of  correctness  of  Barrett  reduction) 

(i)  Algorithm  14.42  is  based  on  the  observation  that  \_x/m\  can  be  written  as  Q = 
l(x/bk~1)(b2k  /m)(l/bk+1)\ . Moreover,  Q can  be  approximated  by  the  quantity 
q3  = \ \_x / bk~x \p / bk+1  \ . Fact  14.43  guarantees  that  q3  is  never  larger  than  the  true 
quotient  Q , and  is  at  most  2 smaller. 

(ii)  In  step  2,  observe  that  — bk+1  < rq  — r2  < bk+1,  r\  — r2  = (Q  qf)m  + R 
(mod  6fe+1),  and  0 < (Q  — q^m  + R < 3rn  < bk+1  since  to  < bk  and  3 < b.  If 
ri  — r2  > 0,  then  ri  — r2  = (Q  — qf)m  + R.  If  rj  — r2  < 0,  then  ri  — r2  + bk+1  = 
(Q  — ([:>  jrn  + R.  In  either  case,  step  4 is  repeated  at  most  twice  since  0 < r < 3 to. 


14.45 Note (computational efficiency of Barrett reduction)

(i) All divisions performed in Algorithm 14.42 are simple right-shifts of the base $b$ representation.

(ii) $q_2$ is only used to compute $q_3$. Since the $k + 1$ least significant digits of $q_2$ are not
needed to determine $q_3$, only a partial multiple-precision multiplication (i.e., $q_1 \cdot \mu$)
is necessary. The only influence of the $k + 1$ least significant digits on the higher
order digits is the carry from position $k + 1$ to position $k + 2$. Provided the base $b$
is sufficiently large with respect to $k$, this carry can be accurately computed by only
calculating the digits at positions $k$ and $k + 1$.¹ Hence, the $k - 1$ least significant digits
of $q_2$ need not be computed. Since $\mu$ and $q_1$ have at most $k + 1$ digits, determining $q_3$
requires at most $(k + 1)^2 - \binom{k}{2} = (k^2 + 5k + 2)/2$ single-precision multiplications.

(iii) In step 2 of Algorithm 14.42, $r_2$ can also be computed by a partial multiple-precision
multiplication which evaluates only the least significant $k + 1$ digits of $q_3 \cdot m$. This
can be done in at most $\binom{k+1}{2} + k$ single-precision multiplications.

14.46 Example (Barrett reduction) Let $b = 4$, $k = 3$, $x = (313221)_4$, and $m = (233)_4$
($x = 3561$ and $m = 47$). Then $\mu = \lfloor 4^6/m \rfloor = 87 = (1113)_4$, $q_1 = \lfloor (313221)_4/4^2 \rfloor = (3132)_4$,
$q_2 = (3132)_4 \cdot (1113)_4 = (10231302)_4$, $q_3 = (1023)_4$, $r_1 = (3221)_4$,
$r_2 = (1023)_4 \cdot (233)_4 \bmod 4^4 = (3011)_4$, and $r = r_1 - r_2 = (210)_4$. Thus $x \bmod m = 36$. □

¹ If $b > k$, then the carry computed by simply considering the digits at position $k - 1$ (and ignoring the carry
from position $k - 2$) will be in error by at most 1.
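As an added illustration (this code is not from the Handbook; the function names are mine), the following Python runs Algorithm 14.42 on the constructed values of Example 14.46 and, since Python integers are unbounded, can also be used with a word-sized radix such as $b = 2^{32}$. The precomputation of $\mu$ is the one real division; the reduction itself uses only shifts, two products and at most two subtractions, and the code asserts the bound of Note 14.44(ii).

```python
# Added example (not from the Handbook): Algorithm 14.42 in Python. Function
# names are mine; the constructed check values are those of Example 14.46
# (b = 4, k = 3, x = (313221)_4 = 3561, m = (233)_4 = 47, mu = 87).

def num_digits(n, b):
    """Number of base-b digits of the positive integer n."""
    d = 0
    while n:
        n //= b
        d += 1
    return d

def barrett_precompute(m, b):
    """Return (k, mu) with k the digit length of m and mu = floor(b^(2k)/m).
    This is the one real division, paid once per modulus."""
    k = num_digits(m, b)
    return k, b ** (2 * k) // m

def barrett_reduce(x, m, b, k, mu):
    """x mod m for 0 <= x < b^(2k): two partial products, shifts by powers
    of b, and at most two subtractions of m (Note 14.44(ii))."""
    if not 0 <= x < b ** (2 * k):
        raise ValueError("Barrett reduction needs 0 <= x < b^(2k)")
    # step 1: q3 estimates Q = floor(x/m); Fact 14.43 gives Q-2 <= q3 <= Q
    q1 = x // b ** (k - 1)
    q2 = q1 * mu
    q3 = q2 // b ** (k + 1)
    # step 2: only the low k+1 digits of x and of q3*m matter (Note 14.45(iii))
    r1 = x % b ** (k + 1)
    r2 = (q3 * m) % b ** (k + 1)
    r = r1 - r2
    # step 3: undo the wrap-around modulo b^(k+1)
    if r < 0:
        r += b ** (k + 1)
    # step 4: 0 <= r < 3m, so this loop runs at most twice
    steps = 0
    while r >= m:
        r -= m
        steps += 1
    assert steps <= 2, "Note 14.44(ii) bound violated"
    return r

def to_base(n, b):
    """Digits of n in base b as a string, most significant first (display only)."""
    digits = []
    while n:
        digits.append(str(n % b))
        n //= b
    return "".join(reversed(digits)) or "0"

def example_14_46():
    """Run the reduction of Example 14.46 and return (k, mu, x mod m)."""
    b, m, x = 4, 47, 3561
    k, mu = barrett_precompute(m, b)
    return k, mu, barrett_reduce(x, m, b, k, mu)

if __name__ == "__main__":
    k, mu, r = example_14_46()
    print(f"k={k} mu={mu}=({to_base(mu, 4)})_4  x mod m={r}=({to_base(r, 4)})_4")
```

Running the block prints $k = 3$, $\mu = 87 = (1113)_4$ and $x \bmod m = 36 = (210)_4$, matching the example; the precondition $x < b^{2k}$ is what makes the "at most two subtractions" guarantee hold, so it is checked rather than assumed.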
14.3.4 Reduction methods for moduli of special form

When the modulus has a special (customized) form, reduction techniques can be employed
to allow more efficient computation. Suppose that the modulus $m$ is a $t$-digit base $b$ positive
integer of the form $m = b^t - c$, where $c$ is an $l$-digit base $b$ positive integer (for some
$l < t$). Algorithm 14.47 computes $x \bmod m$ for any positive integer $x$ by using only shifts,
additions, and single-precision multiplications of base $b$ numbers.


14.47 Algorithm Reduction modulo $m = b^t - c$

INPUT: a base $b$, positive integer $x$, and a modulus $m = b^t - c$, where $c$ is an $l$-digit base
$b$ integer for some $l < t$.

OUTPUT: $r = x \bmod m$.

1. $q_0 \leftarrow \lfloor x/b^t \rfloor$, $r_0 \leftarrow x - q_0 b^t$, $r \leftarrow r_0$, $i \leftarrow 0$.

2. While $q_i > 0$ do the following:

2.1 $q_{i+1} \leftarrow \lfloor q_i c / b^t \rfloor$, $r_{i+1} \leftarrow q_i c - q_{i+1} b^t$.

2.2 $i \leftarrow i + 1$, $r \leftarrow r + r_i$.

3. While $r \geq m$ do: $r \leftarrow r - m$.

4. Return($r$).


14.48 Example (reduction modulo $b^t - c$) Let $b = 4$, $m = 935 = (32213)_4$, and $x = 31085 = (13211231)_4$.
Since $m = 4^5 - (1121)_4$, take $c = (1121)_4$. Here $t = 5$ and $l = 4$.
Table 14.9 displays the quotients and remainders produced by Algorithm 14.47. At the
beginning of step 3, $r = (102031)_4$. Since $r \geq m$, step 3 computes $r - m = (3212)_4$. □

| i | q_{i-1} c  | q_i     | r_i       | r          |
|---|------------|---------|-----------|------------|
| 0 | -          | (132)_4 | (11231)_4 | (11231)_4  |
| 1 | (221232)_4 | (2)_4   | (21232)_4 | (33123)_4  |
| 2 | (2302)_4   | (0)_4   | (2302)_4  | (102031)_4 |

Table 14.9: Reduction modulo $m = b^t - c$ (see Example 14.48).


14.49 Fact (termination) For some integer $s \geq 0$, $q_s = 0$; hence, Algorithm 14.47 terminates.

Justification. $q_i c = q_{i+1} b^t + r_{i+1}$, $i \geq 0$. Since $c < b^t$, $q_i = (q_{i+1} b^t / c) + (r_{i+1}/c) > q_{i+1}$.
Since the $q_i$'s are non-negative integers which strictly decrease as $i$ increases, there is some
integer $s \geq 0$ such that $q_s = 0$.

14.50 Fact (correctness) Algorithm 14.47 terminates with the correct residue modulo $m$.

Justification. Suppose that $s$ is the smallest index $i$ for which $q_i = 0$ (i.e., $q_s = 0$). Now,
$x = q_0 b^t + r_0$ and $q_i c = q_{i+1} b^t + r_{i+1}$, $0 \leq i \leq s - 1$. Adding these equations gives

$x + \left(\sum_{i=0}^{s-1} q_i\right) c = \left(\sum_{i=0}^{s-1} q_i\right) b^t + \sum_{i=0}^{s} r_i$. Since $b^t \equiv c \pmod{m}$, it follows that

$x \equiv \sum_{i=0}^{s} r_i \pmod{m}$. Hence, repeated subtraction of $m$ from $r = \sum_{i=0}^{s} r_i$ gives the
correct residue.
14.51 Note (computational efficiency of reduction modulo $b^t - c$)

(i) Suppose that $x$ has $2t$ base $b$ digits. If $l \leq t/2$, then Algorithm 14.47 executes step 2
at most $s = 3$ times, requiring 2 multiplications by $c$. In general, if $l$ is approximately
$(s - 2)t/(s - 1)$, then Algorithm 14.47 executes step 2 about $s$ times. Thus,
Algorithm 14.47 requires about $sl$ single-precision multiplications.

(ii) If $c$ has few non-zero digits, then multiplication by $c$ will be relatively inexpensive.
If $c$ is large but has few non-zero digits, the number of iterations of Algorithm 14.47
will be greater, but each iteration requires a very simple multiplication.

14.52 Note (modifications) Algorithm 14.47 can be modified if $m = b^t + c$ for some positive
integer $c < b^t$: in step 2.2, replace $r \leftarrow r + r_i$ with $r \leftarrow r + (-1)^i r_i$.
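The following Python is an added example, not code from the Handbook (function names are mine). It implements Algorithm 14.47 together with the sign-alternating variant of Note 14.52, so one routine serves both $m = b^t - c$ and $m = b^t + c$; it also returns the $(i, q_i, r_i)$ rows so that Table 14.9 can be regenerated from the constructed data of Example 14.48:

```python
# Added example (not from the Handbook): Algorithm 14.47 in Python, together
# with the sign-alternating variant of Note 14.52 for m = b^t + c. Function
# names are mine. Check values are the constructed data of Example 14.48
# (b = 4, m = 935 = 4^5 - (1121)_4, x = 31085, x mod m = (3212)_4 = 230).

def num_digits(n, b):
    d = 0
    while n:
        n //= b
        d += 1
    return d

def special_form(m, b):
    """Write m = b^t + sign*c with c as small as possible; return (t, c, sign).
    Raises ValueError unless c has fewer base-b digits than b^t (l < t)."""
    t = num_digits(m, b)
    lo, hi = b ** (t - 1), b ** t
    if m - lo < hi - m:
        t, c, sign = t - 1, m - lo, +1      # m = b^(t-1) + c
    else:
        c, sign = hi - m, -1                # m = b^t - c
    if num_digits(c, b) >= t:
        raise ValueError("c must have fewer digits than b^t")
    return t, c, sign

def reduce_special(x, m, b):
    """x mod m using only shifts by b^t, multiplications by the short c, and
    additions. Returns (residue, rows) with rows = [(i, q_i, r_i), ...] as in
    Table 14.9."""
    t, c, sign = special_form(m, b)
    bt = b ** t
    q, r = divmod(x, bt)                    # step 1: q_0, r_0 (a shift, no division)
    rows = [(0, q, r)]
    total, i = r, 0
    while q > 0:                            # step 2; q_i strictly decreases (Fact 14.49)
        q, r = divmod(q * c, bt)            # 2.1: q_{i+1}, r_{i+1}
        i += 1
        rows.append((i, q, r))
        # 2.2: b^t = c (mod m) when m = b^t - c, so every r_i is added;
        #      b^t = -c (mod m) when m = b^t + c, so r_i enters with sign (-1)^i
        total += r if sign < 0 else (-1) ** i * r
    while total < 0:                        # only possible for m = b^t + c
        total += m
    while total >= m:                       # step 3
        total -= m
    return total, rows
```

For Example 14.48 the rows come out as $(0, 30, 365)$, $(1, 2, 622)$, $(2, 0, 178)$, i.e. $q_0 = (132)_4$, $r_0 = (11231)_4$ and so on, and the residue is 230. The last check in the test uses $b = 2^{32}$ and $m = 2^{128} - 159$ (a constructed modulus of the required shape), where $c$ is a single digit and every step-2 multiplication is single-precision.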

14.53 Remark (using moduli of a special form) Selecting RSA moduli of the form $b^t \pm c$ for
small values of $c$ limits the choices of primes $p$ and $q$. Care must also be exercised when
selecting moduli of a special form, so that factoring is not made substantially easier; this is
because numbers of this form are more susceptible to factoring by the special number field
sieve (see §3.2.7). A similar statement can be made regarding the selection of primes of a
special form for cryptographic schemes based on the discrete logarithm problem.


14.4  Greatest  common  divisor  algorithms 

Many situations in cryptography require the computation of the greatest common divisor
(gcd) of two positive integers (see Definition 2.86). Algorithm 2.104 describes the classical
Euclidean algorithm for this computation. For multiple-precision integers, Algorithm 2.104
requires a multiple-precision division at step 1.1 which is a relatively expensive operation.
This section describes three methods for computing the gcd which are more efficient than
the classical approach using multiple-precision numbers. The first is non-Euclidean and
is referred to as the binary gcd algorithm (§14.4.1). Although it requires more steps than
the classical algorithm, the binary gcd algorithm eliminates the computationally expensive
division and replaces it with elementary shifts and additions. Lehmer's gcd algorithm
(§14.4.2) is a variant of the classical algorithm more suited to multiple-precision computations.
A binary version of the extended Euclidean algorithm is given in §14.4.3.


14.4.1  Binary  gcd  algorithm 

14.54 Algorithm Binary gcd algorithm

INPUT: two positive integers $x$ and $y$ with $x \geq y$.

OUTPUT: $\gcd(x, y)$.

1. $g \leftarrow 1$.

2. While both $x$ and $y$ are even do the following: $x \leftarrow x/2$, $y \leftarrow y/2$, $g \leftarrow 2g$.

3. While $x \neq 0$ do the following:

3.1 While $x$ is even do: $x \leftarrow x/2$.

3.2 While $y$ is even do: $y \leftarrow y/2$.

3.3 $t \leftarrow |x - y|/2$.

3.4 If $x \geq y$ then $x \leftarrow t$; otherwise, $y \leftarrow t$.

4. Return($g \cdot y$).
14.55 Example (binary gcd algorithm) The following table displays the steps performed by Algorithm
14.54 for computing $\gcd(1764, 868) = 28$. □

| x | 1764 | 441 | 112 |   7 |   7 |  7 |  7 | 7 | 0 |
| y |  868 | 217 | 217 | 217 | 105 | 49 | 21 | 7 | 7 |
| g |    1 |   4 |   4 |   4 |   4 |  4 |  4 | 4 | 4 |

14.56  Note  (computational  efficiency  of  Algorithm  14.54) 

(i)  If  x and  y are  in  radix  2 representation,  then  the  divisions  by  2 are  simply  right-shifts. 

(ii)  Step  3.3  for  multiple-precision  integers  can  be  computed  using  Algorithm  14.9. 
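An added example of Algorithm 14.54 in Python (not code from the Handbook; function names are mine). Besides the gcd it returns the successive $(x, y, g)$ triples, one per pass through step 3.4, which reproduce the run of Example 14.55; a self-check against `math.gcd` is included.

```python
# Added example (not from the Handbook): Algorithm 14.54 in Python. Function
# names are mine; the rows returned reproduce the constructed run of
# Example 14.55, gcd(1764, 868) = 28, one row per change of (x, y, g).
from math import gcd as reference_gcd

def binary_gcd(x, y):
    """Return (gcd(x, y), rows). Only right-shifts, subtraction and abs() are used."""
    if x < y:                          # the algorithm assumes x >= y
        x, y = y, x
    g = 1                              # step 1
    rows = [(x, y, g)]
    while x % 2 == 0 and y % 2 == 0:   # step 2: strip the common power of two
        x //= 2
        y //= 2
        g *= 2
    if g > 1:
        rows.append((x, y, g))
    while x != 0:                      # step 3
        while x % 2 == 0:              # 3.1
            x //= 2
        while y % 2 == 0:              # 3.2
            y //= 2
        t = abs(x - y) // 2            # 3.3: both odd here, so x - y is even
        if x >= y:                     # 3.4
            x = t
        else:
            y = t
        rows.append((x, y, g))
    return g * y, rows                 # step 4

def check_against_math(limit):
    """Self-check against math.gcd on all pairs of positive integers below `limit`."""
    return all(binary_gcd(a, b)[0] == reference_gcd(a, b)
               for a in range(1, limit) for b in range(1, limit))
```

On multiple-precision inputs the divisions by 2 are right-shifts and step 3.3 is the subtraction of Algorithm 14.9 (Note 14.56), which is why the loop body contains no division at all.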


14.4.2  Lehmer’s  gcd  algorithm 

Algorithm  14.57  is  a variant  of  the  classical  Euclidean  algorithm  (Algorithm  2.104)  and 
is  suited  to  computations  involving  multiple-precision  integers.  It  replaces  many  of  the 
multiple-precision  divisions  by  simpler  single-precision  operations. 

Let  x and  y be  positive  integers  in  radix  b representation,  with  x > y.  Without  loss 
of  generality,  assume  that  x and  y have  the  same  number  of  base  b digits  throughout  Algo- 
rithm 14.57;  this  may  necessitate  padding  the  high-order  digits  of  y with  0’s. 


14.57 Algorithm Lehmer's gcd algorithm

INPUT: two positive integers $x$ and $y$ in radix $b$ representation, with $x \geq y$.
OUTPUT: $\gcd(x, y)$.

1. While $y \geq b$ do the following:

1.1 Set $\hat{x}$, $\hat{y}$ to be the high-order digit of $x$, $y$, respectively ($\hat{y}$ could be 0).

1.2 $A \leftarrow 1$, $B \leftarrow 0$, $C \leftarrow 0$, $D \leftarrow 1$.

1.3 While $(\hat{y} + C) \neq 0$ and $(\hat{y} + D) \neq 0$ do the following:

$q \leftarrow \lfloor (\hat{x} + A)/(\hat{y} + C) \rfloor$, $q' \leftarrow \lfloor (\hat{x} + B)/(\hat{y} + D) \rfloor$.

If $q \neq q'$ then go to step 1.4.

$t \leftarrow A - qC$, $A \leftarrow C$, $C \leftarrow t$, $t \leftarrow B - qD$, $B \leftarrow D$, $D \leftarrow t$.
$t \leftarrow \hat{x} - q\hat{y}$, $\hat{x} \leftarrow \hat{y}$, $\hat{y} \leftarrow t$.

1.4 If $B = 0$, then $T \leftarrow x \bmod y$, $x \leftarrow y$, $y \leftarrow T$;
otherwise, $T \leftarrow Ax + By$, $u \leftarrow Cx + Dy$, $x \leftarrow T$, $y \leftarrow u$.

2. Compute $v = \gcd(x, y)$ using Algorithm 2.104.

3. Return($v$).


14.58 Note (implementation notes for Algorithm 14.57)

(i) $T$ is a multiple-precision variable. $A$, $B$, $C$, $D$, and $t$ are signed single-precision
variables; hence, one bit of each of these variables must be reserved for the sign.

(ii) The first operation of step 1.3 may result in overflow since $0 \leq \hat{x} + A,\ \hat{y} + D \leq b$.
This possibility needs to be accommodated. One solution is to reserve two bits more
than the number of bits in a digit for each of $\hat{x}$ and $\hat{y}$ to accommodate both the sign
and the possible overflow.

(iii) The multiple-precision additions of step 1.4 are actually subtractions, since $AB \leq 0$
and $CD \leq 0$.
14.59 Note (computational efficiency of Algorithm 14.57)

(i) Step 1.3 attempts to simulate multiple-precision divisions by much simpler single-precision
operations. In each iteration of step 1.3, all computations are single precision.
The number of iterations of step 1.3 depends on $b$.

(ii) The modular reduction in step 1.4 is a multiple-precision operation. The other operations
are multiple-precision, but require only linear time since the multipliers are
single precision.

14.60 Example (Lehmer's gcd algorithm) Let $b = 10^3$, $x = 768\,454\,923$, and $y = 542\,167\,814$.
Since $b = 10^3$, the high-order digits of $x$ and $y$ are $\hat{x} = 768$ and $\hat{y} = 542$, respectively.
Table 14.10 displays the values of the variables at various stages of Algorithm 14.57. The
single-precision computations (Step 1.3) when $q = q'$ are shown in Table 14.11. Hence
$\gcd(x, y) = 1$. □
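An added Python rendering of Algorithm 14.57 (not code from the Handbook; names are mine) with $b = 10^3$ as in Example 14.60. Python integers are unbounded, so the single-precision variables of Note 14.58 are plain ints here; what the code makes visible is the control flow: the inner loop of step 1.3 works on the leading digits only, and the multiple-precision numbers are touched once per pass in step 1.4, either by one real division (when $B = 0$) or by the linear-time combination $Ax + By$, $Cx + Dy$. The optional `rows` list reproduces Table 14.10.

```python
# Added example (not from the Handbook): Algorithm 14.57 in Python with
# b = 10^3, as in Example 14.60. Function names are mine.

def num_digits(n, b):
    d = 0
    while n:
        n //= b
        d += 1
    return d

def classical_gcd(x, y):
    """Algorithm 2.104 (Euclid), used once y fits in a single digit."""
    while y:
        x, y = y, x % y
    return x

def lehmer_gcd(x, y, b=10 ** 3, rows=None):
    """gcd(x, y). If `rows` is a list, one (x, y, q, q', precision) row is
    appended per pass of step 1, with the first (q, q') pair computed in
    step 1.3 (None if step 1.3 ran zero times), as in Table 14.10."""
    if x < y:
        x, y = y, x
    while y >= b:                                   # step 1
        shift = b ** (num_digits(x, b) - 1)         # y is padded to x's length
        xh, yh = x // shift, y // shift             # 1.1: high-order digits
        A, B, C, D = 1, 0, 0, 1                     # 1.2
        first = None
        while yh + C != 0 and yh + D != 0:          # 1.3 (single precision only)
            q = (xh + A) // (yh + C)
            qp = (xh + B) // (yh + D)
            if first is None:
                first = (q, qp)
            if q != qp:
                break                               # go to step 1.4
            A, C = C, A - q * C
            B, D = D, B - q * D
            xh, yh = yh, xh - q * yh
        if rows is not None:
            q, qp = first if first else (None, None)
            rows.append((x, y, q, qp, "multiple" if B == 0 else "single"))
        if B == 0:                                  # 1.4: one real division
            x, y = y, x % y
        else:                                       # 1.4: linear-time updates
            x, y = A * x + B * y, C * x + D * y
    return classical_gcd(x, y)                      # steps 2 and 3

def example_14_60():
    """Return (gcd, rows) for x = 768 454 923, y = 542 167 814, b = 10^3."""
    rows = []
    v = lehmer_gcd(768454923, 542167814, 10 ** 3, rows)
    return v, rows
```

`example_14_60()` yields nine rows, the first three being $(768454923, 542167814, 1, 1, \text{single})$, $(89593596, 47099917, 1, 1, \text{single})$ and $(42493679, 4606238, 10, 8, \text{multiple})$, after which $y = 183 < b$ and Euclid finishes with $\gcd = 1$. Note that the "precision" column follows directly from whether $B = 0$ when step 1.4 is reached.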


14.4.3  Binary  extended  gcd  algorithm 

Given  integers  x and  y , Algorithm  2.107  computes  integers  a and  b such  that  ax  + by  = v , 
where  v = gcd(x,  y).  It  has  the  drawback  of  requiring  relatively  costly  multiple-precision 
divisions  when  x and  y are  multiple-precision  integers.  Algorithm  14.61  eliminates  this 
requirement  at  the  expense  of  more  iterations. 


14.61 Algorithm Binary extended gcd algorithm
INPUT: two positive integers $x$ and $y$.

OUTPUT: integers $a$, $b$, and $v$ such that $ax + by = v$, where $v = \gcd(x, y)$.

1. $g \leftarrow 1$.

2. While $x$ and $y$ are both even, do the following: $x \leftarrow x/2$, $y \leftarrow y/2$, $g \leftarrow 2g$.

3. $u \leftarrow x$, $v \leftarrow y$, $A \leftarrow 1$, $B \leftarrow 0$, $C \leftarrow 0$, $D \leftarrow 1$.

4. While $u$ is even do the following:

4.1 $u \leftarrow u/2$.

4.2 If $A \equiv B \equiv 0 \pmod 2$ then $A \leftarrow A/2$, $B \leftarrow B/2$; otherwise, $A \leftarrow (A + y)/2$,
$B \leftarrow (B - x)/2$.

5. While $v$ is even do the following:

5.1 $v \leftarrow v/2$.

5.2 If $C \equiv D \equiv 0 \pmod 2$ then $C \leftarrow C/2$, $D \leftarrow D/2$; otherwise, $C \leftarrow (C + y)/2$,
$D \leftarrow (D - x)/2$.

6. If $u \geq v$ then $u \leftarrow u - v$, $A \leftarrow A - C$, $B \leftarrow B - D$;
otherwise, $v \leftarrow v - u$, $C \leftarrow C - A$, $D \leftarrow D - B$.

7. If $u = 0$, then $a \leftarrow C$, $b \leftarrow D$, and return($a$, $b$, $g \cdot v$); otherwise, go to step 4.


14.62 Example (binary extended gcd algorithm) Let $x = 693$ and $y = 609$. Table 14.12 displays
the steps in Algorithm 14.61 for computing integers $a$, $b$, $v$ such that $693a + 609b = v$,
where $v = \gcd(693, 609)$. The algorithm returns $v = 21$, $a = -181$, and $b = 206$. □
| x           | y           | q  | q' | precision | reference        |
|-------------|-------------|----|----|-----------|------------------|
| 768 454 923 | 542 167 814 | 1  | 1  | single    | Table 14.11(i)   |
| 89 593 596  | 47 099 917  | 1  | 1  | single    | Table 14.11(ii)  |
| 42 493 679  | 4 606 238   | 10 | 8  | multiple  |                  |
| 4 606 238   | 1 037 537   | 5  | 2  | multiple  |                  |
| 1 037 537   | 456 090     | -  | -  | multiple  |                  |
| 456 090     | 125 357     | 3  | 3  | single    | Table 14.11(iii) |
| 34 681      | 10 657      | 3  | 3  | single    | Table 14.11(iv)  |
| 10 657      | 2 710       | 5  | 3  | multiple  |                  |
| 2 710       | 2 527       | 1  | 0  | multiple  |                  |
| 2 527       | 183         |    |    |           | Algorithm 2.104  |
| 183         | 148         |    |    |           | Algorithm 2.104  |
| 148         | 35          |    |    |           | Algorithm 2.104  |
| 35          | 8           |    |    |           | Algorithm 2.104  |
| 8           | 3           |    |    |           | Algorithm 2.104  |
| 3           | 2           |    |    |           | Algorithm 2.104  |
| 2           | 1           |    |    |           | Algorithm 2.104  |
| 1           | 0           |    |    |           | Algorithm 2.104  |

Table 14.10: Lehmer's gcd algorithm (see Example 14.60).


|       | x̂  | ŷ  | A  | B  | C  | D  | q  | q' |
|-------|-----|-----|----|----|----|----|----|----|
| (i)   | 768 | 542 |  1 |  0 |  0 |  1 |  1 |  1 |
|       | 542 | 226 |  0 |  1 |  1 | -1 |  2 |  2 |
|       | 226 |  90 |  1 | -1 | -2 |  3 |  2 |  2 |
|       |  90 |  46 | -2 |  3 |  5 | -7 |  1 |  2 |
| (ii)  |  89 |  47 |  1 |  0 |  0 |  1 |  1 |  1 |
|       |  47 |  42 |  0 |  1 |  1 | -1 |  1 |  1 |
|       |  42 |   5 |  1 | -1 | -1 |  2 | 10 |  5 |
| (iii) | 456 | 125 |  1 |  0 |  0 |  1 |  3 |  3 |
|       | 125 |  81 |  0 |  1 |  1 | -3 |  1 |  1 |
|       |  81 |  44 |  1 | -3 | -1 |  4 |  1 |  1 |
|       |  44 |  37 | -1 |  4 |  2 | -7 |  1 |  1 |
|       |  37 |   7 |  2 | -7 | -3 | 11 |  9 |  1 |
| (iv)  |  34 |  10 |  1 |  0 |  0 |  1 |  3 |  3 |
|       |  10 |   4 |  0 |  1 |  1 | -3 |  2 | 11 |

Table 14.11: Single-precision computations (see Example 14.60 and Table 14.10).
| u   | v   | A   | B    | C    | D   |
|-----|-----|-----|------|------|-----|
| 693 | 609 |   1 |    0 |    0 |   1 |
|  84 | 609 |   1 |   -1 |    0 |   1 |
|  42 | 609 | 305 | -347 |    0 |   1 |
|  21 | 609 | 457 | -520 |    0 |   1 |
|  21 | 588 | 457 | -520 | -457 | 521 |
|  21 | 294 | 457 | -520 |   76 | -86 |
|  21 | 147 | 457 | -520 |   38 | -43 |
|  21 | 126 | 457 | -520 | -419 | 477 |
|  21 |  63 | 457 | -520 |   95 | -108 |
|  21 |  42 | 457 | -520 | -362 | 412 |
|  21 |  21 | 457 | -520 | -181 | 206 |
|   0 |  21 | 638 | -726 | -181 | 206 |

Table 14.12: The binary extended gcd algorithm with $x = 693$, $y = 609$ (see Example 14.62).


14.63 Note (computational efficiency of Algorithm 14.61)

(i) The only multiple-precision operations needed for Algorithm 14.61 are addition and
subtraction. Division by 2 is simply a right-shift of the binary representation.

(ii) The number of bits needed to represent either $u$ or $v$ decreases by (at least) 1, after at
most two iterations of steps 4-7; thus, the algorithm takes at most $2(\lfloor \lg x \rfloor + \lfloor \lg y \rfloor + 2)$
such iterations.

14.64 Note (multiplicative inverses) Given positive integers $m$ and $a$, it is often necessary to
find an integer $z \in \mathbb{Z}_m$ such that $az \equiv 1 \pmod m$, if such an integer exists. $z$ is called
the multiplicative inverse of $a$ modulo $m$ (see Definition 2.115). For example, constructing
the private key for RSA requires the computation of an integer $d$ such that $ed \equiv 1 \pmod{(p - 1)(q - 1)}$
(see Algorithm 8.1). Algorithm 14.61 provides a computationally
efficient method for determining $z$ given $a$ and $m$, by setting $x = m$ and $y = a$. If
$\gcd(x, y) = 1$, then, at termination, $z = D$ if $D \geq 0$, or $z = m + D$ if $D < 0$; if
$\gcd(x, y) \neq 1$, then $a$ is not invertible modulo $m$. Notice that if $m$ is odd, it is not necessary
to compute the values of $A$ and $C$. It would appear that step 4 of Algorithm 14.61
requires both $A$ and $B$ in order to decide which case in step 4.2 is executed. But if $m$ is odd
and $B$ is even, then $A$ must be even; hence, the decision can be made using the parities of
$B$ and $m$.

Example 14.65 illustrates Algorithm 14.61 for computing a multiplicative inverse.

14.65 Example (multiplicative inverse) Let $m = 383$ and $a = 271$. Table 14.13 illustrates the
steps of Algorithm 14.61 for computing $271^{-1} \bmod 383 = 106$. Notice that values for the
variables $A$ and $C$ need not be computed. □
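The following Python is an added example, not code from the Handbook (function names are mine). It implements Algorithm 14.61, the inverse computation of Note 14.64 ($x = m$, $y = a$, read off $D$), and the odd-modulus variant from the same note that tracks only $B$ and $D$. The `rows` list reproduces Table 14.12, and the checks use the constructed runs of Examples 14.62 and 14.65.

```python
# Added example (not from the Handbook): Algorithm 14.61 in Python, the
# inverse computation of Note 14.64, and the odd-modulus variant that skips
# A and C (also Note 14.64). Names are mine. Check values are the constructed
# runs of Example 14.62 (693, 609) and Example 14.65 (271^-1 mod 383 = 106).

def binary_ext_gcd(x, y, rows=None):
    """Return (a, b, v) with a*x + b*y = v = gcd(x, y). Only shifts, additions
    and subtractions are used. `rows` collects (u, v, A, B, C, D) as in Table 14.12."""
    g = 1                                             # step 1
    while x % 2 == 0 and y % 2 == 0:                  # step 2
        x //= 2
        y //= 2
        g *= 2
    u, v, A, B, C, D = x, y, 1, 0, 0, 1               # step 3
    log = rows.append if rows is not None else (lambda row: None)
    log((u, v, A, B, C, D))
    while True:
        while u % 2 == 0:                             # step 4
            u //= 2
            if A % 2 == 0 and B % 2 == 0:
                A //= 2
                B //= 2
            else:                                     # keeps A*x + B*y == u exact
                A, B = (A + y) // 2, (B - x) // 2
            log((u, v, A, B, C, D))
        while v % 2 == 0:                             # step 5
            v //= 2
            if C % 2 == 0 and D % 2 == 0:
                C //= 2
                D //= 2
            else:                                     # keeps C*x + D*y == v exact
                C, D = (C + y) // 2, (D - x) // 2
            log((u, v, A, B, C, D))
        if u >= v:                                    # step 6
            u, A, B = u - v, A - C, B - D
        else:
            v, C, D = v - u, C - A, D - B
        log((u, v, A, B, C, D))
        if u == 0:                                    # step 7
            return C, D, g * v

def mod_inverse(a, m):
    """a^-1 mod m by Note 14.64: run Algorithm 14.61 on x = m, y = a and
    read off D. Returns None when gcd(a, m) != 1."""
    _, D, v = binary_ext_gcd(m, a)
    if v != 1:
        return None
    return D if D >= 0 else D + m

def mod_inverse_odd(a, m):
    """Same, for odd m only, tracking just B and D: with x = m odd, B even
    forces A even, so the parity test of step 4.2 needs only B (and 5.2 only D)."""
    if m % 2 == 0:
        raise ValueError("m must be odd")
    u, v, B, D = m, a, 0, 1
    while True:
        while u % 2 == 0:
            u //= 2
            B = B // 2 if B % 2 == 0 else (B - m) // 2
        while v % 2 == 0:
            v //= 2
            D = D // 2 if D % 2 == 0 else (D - m) // 2
        if u >= v:
            u, B = u - v, B - D
        else:
            v, D = v - u, D - B
        if u == 0:
            if v != 1:
                return None
            return D if D >= 0 else D + m

def example_14_62_rows():
    rows = []
    binary_ext_gcd(693, 609, rows)
    return rows

def check_bezout(limit):
    """a*x + b*y == gcd(x, y) > 0 for all pairs below `limit` (a self-check)."""
    return all(a * x + b * y == v and v > 0
               for x in range(1, limit) for y in range(1, limit)
               for a, b, v in [binary_ext_gcd(x, y)])
```

`binary_ext_gcd(693, 609)` returns $(-181, 206, 21)$ and `mod_inverse(271, 383)` returns 106, as in the examples; `mod_inverse_odd` reaches the same $D$ with half the bookkeeping, which is the point of the remark at the end of Note 14.64.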


| iteration: |   1 |   2 |    3 |   4 |   5 |   6 |   7 |    8 |    9 |   10 |
|------------|-----|-----|------|-----|-----|-----|-----|------|------|------|
| u          | 383 | 112 |   56 |  28 |  14 |   7 |   7 |    7 |    7 |    7 |
| v          | 271 | 271 |  271 | 271 | 271 | 271 | 264 |  132 |   66 |   33 |
| B          |   0 |  -1 | -192 | -96 | -48 | -24 | -24 |  -24 |  -24 |  -24 |
| D          |   1 |   1 |    1 |   1 |   1 |   1 |  25 | -179 | -281 | -332 |

| iteration: |   11 |   12 |   13 |   14 |   15 |   16 |   17 |   18 |   19 |
|------------|------|------|------|------|------|------|------|------|------|
| u          |    7 |    7 |    7 |    7 |    4 |    2 |    1 |    1 |    1 |
| v          |   26 |   13 |    6 |    3 |    3 |    3 |    3 |    2 |    1 |
| B          |  -24 |  -24 |  -24 |  -24 |   41 | -171 | -277 | -277 | -277 |
| D          | -308 | -154 | -130 |  -65 |  -65 |  -65 |  -65 |  212 |  106 |

Table 14.13: Inverse computation using the binary extended gcd algorithm (see Example 14.65).


14.5 Chinese remainder theorem for integers

Fact 2.120 introduced the Chinese remainder theorem (CRT) and Fact 2.121 outlined an algorithm
for solving the associated system of linear congruences. Although the method described
there is the one found in most textbooks on elementary number theory, it is not the
method of choice for large integers. Garner's algorithm (Algorithm 14.71) has some computational
advantages. §14.5.1 describes an alternate (non-radix) representation for non-negative
integers, called a modular representation, that allows some computational advantages
compared to standard radix representations. Algorithm 14.71 provides a technique
for converting numbers from modular to base $b$ representation.


14.5.1 Residue number systems

In previous sections, non-negative integers have been represented in radix $b$ notation. An
alternate means is to use a mixed-radix representation.

14.66 Fact Let $B$ be a fixed positive integer. Let $m_1, m_2, \ldots, m_t$ be positive integers such that
$\gcd(m_i, m_j) = 1$ for all $i \neq j$, and $M = \prod_{i=1}^{t} m_i \geq B$. Then each integer $x$, $0 \leq x < B$,
can be uniquely represented by the sequence of integers $v(x) = (v_1, v_2, \ldots, v_t)$, where
$v_i = x \bmod m_i$, $1 \leq i \leq t$.

14.67 Definition Referring to Fact 14.66, $v(x)$ is called the modular representation or mixed-radix
representation of $x$ for the moduli $m_1, m_2, \ldots, m_t$. The set of modular representations
for all integers $x$ in the range $0 \leq x < B$ is called a residue number system.

If $v(x) = (v_1, v_2, \ldots, v_t)$ and $v(y) = (u_1, u_2, \ldots, u_t)$, define $v(x) + v(y) = (w_1, w_2, \ldots, w_t)$
where $w_i = v_i + u_i \bmod m_i$, and $v(x) \cdot v(y) = (z_1, z_2, \ldots, z_t)$ where $z_i = v_i \cdot u_i \bmod m_i$.

14.68 Fact If $0 \leq x, y < M$, then $v((x + y) \bmod M) = v(x) + v(y)$ and $v((x \cdot y) \bmod M) = v(x) \cdot v(y)$.

14.69 Example (modular representation) Let $M = 30 = 2 \times 3 \times 5$; here, $t = 3$, $m_1 = 2$, $m_2 = 3$,
and $m_3 = 5$. Table 14.14 displays each residue modulo 30 along with its associated
modular representation. As an example of Fact 14.68, note that $21 + 27 \equiv 18 \pmod{30}$
and $(101) + (102) = (003)$. Also $22 \cdot 17 \equiv 14 \pmod{30}$ and $(012) \cdot (122) = (024)$. □

|  x | v(x)  |  x | v(x)  |  x | v(x)  |  x | v(x)  |  x | v(x)  |
|----|-------|----|-------|----|-------|----|-------|----|-------|
|  0 | (000) |  6 | (001) | 12 | (002) | 18 | (003) | 24 | (004) |
|  1 | (111) |  7 | (112) | 13 | (113) | 19 | (114) | 25 | (110) |
|  2 | (022) |  8 | (023) | 14 | (024) | 20 | (020) | 26 | (021) |
|  3 | (103) |  9 | (104) | 15 | (100) | 21 | (101) | 27 | (102) |
|  4 | (014) | 10 | (010) | 16 | (011) | 22 | (012) | 28 | (013) |
|  5 | (120) | 11 | (121) | 17 | (122) | 23 | (123) | 29 | (124) |

Table 14.14: Modular representations (see Example 14.69).

14.70 Note (computational efficiency of modular representation for RSA decryption) Suppose
that $n = pq$, where $p$ and $q$ are distinct primes. Fact 14.68 implies that $x^d \bmod n$ can be
computed in a modular representation as $v^d(x)$; that is, if $v(x) = (v_1, v_2)$ with respect to
moduli $m_1 = p$, $m_2 = q$, then $v^d(x) = (v_1^d \bmod p,\ v_2^d \bmod q)$. In general, computing
$v_1^d \bmod p$ and $v_2^d \bmod q$ is faster than computing $x^d \bmod n$. For RSA, if $p$ and $q$ are part
of the private key, modular representation can be used to improve the performance of both
decryption and signature generation (see Note 14.75).

Converting an integer $x$ from a base $b$ representation to a modular representation is easily
done by applying a modular reduction algorithm to compute $v_i = x \bmod m_i$, $1 \leq i \leq t$.
Modular representations of integers in $\mathbb{Z}_M$ may facilitate some computational efficiencies,
provided conversion from a standard radix to modular representation and back are relatively
efficient operations. Algorithm 14.71 describes one way of converting from modular representation
back to a standard radix representation.


14.5.2 Garner's algorithm

Garner's algorithm is an efficient method for determining $x$, $0 \leq x < M$, given $v(x) = (v_1, v_2, \ldots, v_t)$,
the residues of $x$ modulo the pairwise co-prime moduli $m_1, m_2, \ldots, m_t$.


14.71 Algorithm Garner's algorithm for CRT

INPUT: a positive integer $M = \prod_{i=1}^{t} m_i > 1$, with $\gcd(m_i, m_j) = 1$ for all $i \neq j$, and a
modular representation $v(x) = (v_1, v_2, \ldots, v_t)$ of $x$ for the $m_i$.

OUTPUT: the integer $x$ in radix $b$ representation.

1. For $i$ from 2 to $t$ do the following:

1.1 $C_i \leftarrow 1$.

1.2 For $j$ from 1 to $(i - 1)$ do the following:

$u \leftarrow m_j^{-1} \bmod m_i$ (use Algorithm 14.61).

$C_i \leftarrow u \cdot C_i \bmod m_i$.

2. $u \leftarrow v_1$, $x \leftarrow u$.

3. For $i$ from 2 to $t$ do the following: $u \leftarrow (v_i - x) C_i \bmod m_i$, $x \leftarrow x + u \cdot \prod_{j=1}^{i-1} m_j$.

4. Return($x$).


14.72 Fact $x$ returned by Algorithm 14.71 satisfies $0 \leq x < M$, $x \equiv v_i \pmod{m_i}$, $1 \leq i \leq t$.

14.73 Example (Garner's algorithm) Let $m_1 = 5$, $m_2 = 7$, $m_3 = 11$, $m_4 = 13$, $M = \prod_{i=1}^{4} m_i = 5005$,
and $v(x) = (2, 1, 3, 8)$. The constants $C_i$ computed are $C_2 = 3$,
$C_3 = 6$, and $C_4 = 5$. The values of $(i, u, x)$ computed in step 3 of Algorithm 14.71 are
$(1, 2, 2)$, $(2, 4, 22)$, $(3, 7, 267)$, and $(4, 5, 2192)$. Hence, the modular representation $v(x) = (2, 1, 3, 8)$
corresponds to the integer $x = 2192$. □
14.74 Note (computational efficiency of Algorithm 14.71)

(i) If Garner's algorithm is used repeatedly with the same modulus $M$ and the same factors
of $M$, then step 1 can be considered as a precomputation, requiring the storage
of $t - 1$ numbers.

(ii) The classical algorithm for the CRT (Algorithm 2.121) typically requires a modular
reduction with modulus $M$, whereas Algorithm 14.71 does not. Suppose $M$ is a $kt$-bit
integer and each $m_i$ is a $k$-bit integer. A modular reduction by $M$ takes $O((kt)^2)$
bit operations, whereas a modular reduction by $m_i$ takes $O(k^2)$ bit operations. Since
Algorithm 14.71 only does modular reduction with $m_i$, $2 \leq i \leq t$, it takes $O(tk^2)$
bit operations in total for the reduction phase, and is thus more efficient.

14.75 Note (RSA decryption and signature generation)

(i) (special case of two moduli) Algorithm 14.71 is particularly efficient for RSA moduli
$n = pq$, where $m_1 = p$ and $m_2 = q$ are distinct primes. Step 1 computes a single
value $C_2 = p^{-1} \bmod q$. Step 3 is executed once: $u = (v_2 - v_1) C_2 \bmod q$ and
$x = v_1 + up$.

(ii) (RSA exponentiation) Suppose $p$ and $q$ are $t$-bit primes, and let $n = pq$. Let $d$ be a $2t$-bit
RSA private key. RSA decryption and signature generation compute $x^d \bmod n$
for some $x \in \mathbb{Z}_n$. Suppose that modular multiplication and squaring require $k^2$ bit
operations for $k$-bit inputs, and that exponentiation with a $k$-bit exponent requires
about $\frac{3}{2}k$ multiplications and squarings (see Note 14.78). Then computing $x^d \bmod n$
requires about $\frac{3}{2}(2t)^3 = 12t^3$ bit operations. A more efficient approach is to compute
$x^{d_p} \bmod p$ and $x^{d_q} \bmod q$ (where $d_p = d \bmod (p - 1)$ and $d_q = d \bmod (q - 1)$),
and then use Garner's algorithm to construct $x^d \bmod pq$. Although this procedure
takes two exponentiations, each is considerably more efficient because the moduli
are smaller. Assuming that the cost of Algorithm 14.71 is negligible with respect to
the exponentiations, computing $x^d \bmod n$ is about $\frac{3}{2}(2t)^3 / (2 \cdot \frac{3}{2} t^3) = 4$ times faster.
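The following Python is an added example, not code from the Handbook (function names are mine), covering the three pieces of this section together: conversion to a modular representation and the componentwise operations of Facts 14.66-14.68, Garner's Algorithm 14.71 with its precomputed constants $C_i$, and the two-modulus form of Note 14.75 that computes $x^d \bmod pq$ from $x^{d_p} \bmod p$ and $x^{d_q} \bmod q$. The checks use Examples 14.69 and 14.73 and a constructed toy RSA key ($p = 61$, $q = 53$, $e = 17$, $d = 2753$); the modular inverse is taken from Python's `pow(a, -1, m)` where the text says to use Algorithm 14.61.

```python
# Added example (not from the Handbook): residue number systems (Facts
# 14.66-14.68), Garner's algorithm (Algorithm 14.71) and its two-modulus use
# for RSA (Note 14.75). Names are mine. Check values: Example 14.69 (M = 30),
# Example 14.73 (x = 2192) and a constructed toy RSA key p=61, q=53, e=17, d=2753.
from math import prod, gcd

def to_rns(x, moduli):
    """v(x) = (x mod m_1, ..., x mod m_t)."""
    return tuple(x % m for m in moduli)

def rns_add(v, u, moduli):
    """Componentwise sum; equals v((x + y) mod M) by Fact 14.68."""
    return tuple((a + b) % m for a, b, m in zip(v, u, moduli))

def rns_mul(v, u, moduli):
    """Componentwise product; equals v((x * y) mod M) by Fact 14.68."""
    return tuple((a * b) % m for a, b, m in zip(v, u, moduli))

def garner_constants(moduli):
    """Step 1: C_i = (m_1 * ... * m_{i-1})^-1 mod m_i for i = 2..t. This is the
    precomputation of Note 14.74(i); the list is 1-based and C[1] is unused."""
    if not all(gcd(a, b) == 1 for i, a in enumerate(moduli) for b in moduli[i + 1:]):
        raise ValueError("moduli must be pairwise coprime")
    C = [None, None]
    for i in range(2, len(moduli) + 1):
        Ci = 1
        for j in range(1, i):
            # pow(a, -1, m) is Python's modular inverse (the text uses Algorithm 14.61)
            Ci = pow(moduli[j - 1], -1, moduli[i - 1]) * Ci % moduli[i - 1]
        C.append(Ci)
    return C

def garner(v, moduli, C=None):
    """Steps 2-4: rebuild 0 <= x < M from its residues. Note that no reduction
    modulo M is ever performed, only reductions modulo the small m_i."""
    if C is None:
        C = garner_constants(moduli)
    x = v[0]
    for i in range(2, len(moduli) + 1):
        u = (v[i - 1] - x) * C[i] % moduli[i - 1]
        x = x + u * prod(moduli[:i - 1])
    return x

def rsa_crt_exp(x, d, p, q):
    """x^d mod pq via Note 14.75: two half-size exponentiations and Garner with
    t = 2 (C_2 = p^-1 mod q, u = (v_2 - v_1) C_2 mod q, x = v_1 + u p)."""
    dp, dq = d % (p - 1), d % (q - 1)
    v1, v2 = pow(x, dp, p), pow(x, dq, q)
    C2 = pow(p, -1, q)
    u = (v2 - v1) * C2 % q
    return v1 + u * p
```

With the moduli of Example 14.73, `garner_constants` yields $C_2 = 3$, $C_3 = 6$, $C_4 = 5$ and `garner((2, 1, 3, 8), (5, 7, 11, 13))` returns 2192. The RSA routine is the two-modulus special case: the whole of Algorithm 14.71 collapses to one inverse, one subtraction and one multiplication beyond the two exponentiations, which is why its cost is negligible in the factor-of-4 estimate of Note 14.75(ii).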


14.6  Exponentiation 

One of the most important arithmetic operations for public-key cryptography is exponentiation.
The RSA scheme (§8.2) requires exponentiation in $\mathbb{Z}_m$ for some positive integer
$m$, whereas Diffie-Hellman key agreement (§12.6.1) and the ElGamal encryption scheme
(§8.4) use exponentiation in $\mathbb{Z}_p$ for some large prime $p$. As pointed out in §8.4.2, ElGamal
encryption can be generalized to any finite cyclic group. This section discusses methods for
computing the exponential $g^e$, where the base $g$ is an element of a finite group $G$ (§2.5.1)
and the exponent $e$ is a non-negative integer. A reader uncomfortable with the setting of a
general group may consider $G$ to be $\mathbb{Z}_m^*$; that is, read $g^e$ as $g^e \bmod m$.

An efficient method for multiplying two elements in the group $G$ is essential to performing
efficient exponentiation. The most naive way to compute $g^e$ is to do $e - 1$ multiplications
in the group $G$. For cryptographic applications, the order of the group $G$ typically
exceeds $2^{160}$ elements, and may exceed $2^{1024}$. Most choices of $e$ are large enough that it
would be infeasible to compute $g^e$ using $e - 1$ successive multiplications by $g$.

There  are  two  ways  to  reduce  the  time  required  to  do  exponentiation.  One  way  is  to 
decrease  the  time  to  multiply  two  elements  in  the  group;  the  other  is  to  reduce  the  number 
of  multiplications  used  to  compute  ge.  Ideally,  one  would  do  both. 

This  section  considers  three  types  of  exponentiation  algorithms. 
1. basic techniques for exponentiation. Arbitrary choices of the base $g$ and exponent $e$
are allowed.

2. fixed-exponent exponentiation algorithms. The exponent $e$ is fixed and arbitrary choices
of the base $g$ are allowed. RSA encryption and decryption schemes benefit from
such algorithms.

3. fixed-base exponentiation algorithms. The base $g$ is fixed and arbitrary choices of
the exponent $e$ are allowed. ElGamal encryption and signature schemes and Diffie-Hellman
key agreement protocols benefit from such algorithms.


14.6.1  Techniques  for  general  exponentiation 

This  section  includes  general-purpose  exponentiation  algorithms  referred  to  as  repeated 
square-and-multiply  algorithms. 

(i)  Basic  binary  and  k-ary  exponentiation 

Algorithm  14.76  is  simply  Algorithm  2.143  restated  in  terms  of  an  arbitrary  finite  abelian 
group  G with  identity  element  1. 

14.76 Algorithm Right-to-left binary exponentiation

INPUT: an element $g \in G$ and integer $e \geq 1$.

OUTPUT: $g^e$.

1. $A \leftarrow 1$, $S \leftarrow g$.

2. While $e \neq 0$ do the following:

2.1 If $e$ is odd then $A \leftarrow A \cdot S$.

2.2 $e \leftarrow \lfloor e/2 \rfloor$.

2.3 If $e \neq 0$ then $S \leftarrow S \cdot S$.

3. Return($A$).


14.77 Example (right-to-left binary exponentiation) The following table displays the values of
$A$, $e$, and $S$ during each iteration of Algorithm 14.76 for computing $g^{283}$. □

| A |   1 |   g | g^3 | g^3 | g^11 | g^27 | g^27 | g^27  | g^27  | g^283 |
| e | 283 | 141 |  70 |  35 |   17 |    8 |    4 |     2 |     1 |     0 |
| S |   g | g^2 | g^4 | g^8 | g^16 | g^32 | g^64 | g^128 | g^256 |     - |

14.78 Note (computational efficiency of Algorithm 14.76) Let $t + 1$ be the bitlength of the binary
representation of $e$, and let $\mathrm{wt}(e)$ be the number of 1's in this representation. Algorithm
14.76 performs $t$ squarings and $\mathrm{wt}(e) - 1$ multiplications. If $e$ is randomly selected
in the range $0 \leq e < |G| = n$, then about $\lfloor \lg n \rfloor$ squarings and $\frac{1}{2}(\lfloor \lg n \rfloor + 1)$ multiplications
can be expected. (The assignment $1 \cdot x$ is not counted as a multiplication, nor is the
operation $1 \cdot 1$ counted as a squaring.) If squaring is approximately as costly as an arbitrary
multiplication (cf. Note 14.18), then the expected amount of work is roughly $\frac{3}{2}\lfloor \lg n \rfloor$
multiplications.

Algorithm 14.76 computes $A \cdot S$ whenever $e$ is odd. For some choices of $g$, $A \cdot g$ can
be computed more efficiently than $A \cdot S$ for arbitrary $S$. Algorithm 14.79 is a left-to-right
binary exponentiation which replaces the operation $A \cdot S$ (for arbitrary $S$) by the operation
$A \cdot g$ (for fixed $g$).
14.79 Algorithm Left-to-right binary exponentiation

INPUT: $g \in G$ and a positive integer $e = (e_t e_{t-1} \cdots e_1 e_0)_2$.
OUTPUT: $g^e$.

1. $A \leftarrow 1$.

2. For $i$ from $t$ down to 0 do the following:

2.1 $A \leftarrow A \cdot A$.

2.2 If $e_i = 1$, then $A \leftarrow A \cdot g$.

3. Return($A$).


14.80 Example (left-to-right binary exponentiation) The following table displays the values of
$A$ during each iteration of Algorithm 14.79 for computing $g^{283}$. Note that $t = 8$ and $283 = (100011011)_2$. □

| i   | 8 | 7   | 6   | 5   | 4    | 3    | 2    | 1     | 0     |
| e_i | 1 | 0   | 0   | 0   | 1    | 1    | 0    | 1     | 1     |
| A   | g | g^2 | g^4 | g^8 | g^17 | g^35 | g^70 | g^141 | g^283 |

14.81 Note (computational efficiency of Algorithm 14.79) Let $t + 1$ be the bitlength of the binary
representation of $e$, and let $\mathrm{wt}(e)$ be the number of 1's in this representation. Algorithm
14.79 performs $t + 1$ squarings and $\mathrm{wt}(e) - 1$ multiplications by $g$. The number of
squarings and multiplications is the same as in Algorithm 14.76 but, in this algorithm, multiplication
is always with the fixed value $g$. If $g$ has a special structure, this multiplication
may be substantially easier than multiplying two arbitrary elements. For example, a frequent
operation in ElGamal public-key schemes is the computation of $g^k \bmod p$, where $g$
is a generator of $\mathbb{Z}_p^*$ and $p$ is a large prime number. The multiple-precision computation $A \cdot g$
can be done in linear time if $g$ is chosen so that it can be represented by a single-precision
integer (e.g., $g = 2$). If the radix $b$ is sufficiently large, there is a high probability that such
a generator exists.

Algorithm  14.82,  sometimes  referred  to  as  the  window  method  for  exponentiation,  is  a 
generalization  of  Algorithm  14.79  which  processes  more  than  one  bit  of  the  exponent  per 
iteration. 


14.82 Algorithm Left-to-right $k$-ary exponentiation

INPUT: $g$ and $e = (e_t e_{t-1} \cdots e_1 e_0)_b$, where $b = 2^k$ for some $k \geq 1$.
OUTPUT: $g^e$.

1. Precomputation.

1.1 $g_0 \leftarrow 1$.

1.2 For $i$ from 1 to $(2^k - 1)$ do: $g_i \leftarrow g_{i-1} \cdot g$. (Thus, $g_i = g^i$.)

2. $A \leftarrow 1$.

3. For $i$ from $t$ down to 0 do the following:

3.1 $A \leftarrow A^{2^k}$.

3.2 $A \leftarrow A \cdot g_{e_i}$.

4. Return($A$).
In Algorithm 14.83, Algorithm 14.82 is modified slightly to reduce the amount of pre-
computation.  The following notation is used: for each i, 0 ≤ i ≤ t, if e_i ≠ 0, then write
e_i = 2^{h_i} u_i where u_i is odd; if e_i = 0, then let h_i = 0 and u_i = 0.


14.83  Algorithm  Modified left-to-right k-ary exponentiation

INPUT:  g and e = (e_t e_{t−1} ··· e_1 e_0)_b, where b = 2^k for some k ≥ 1.
OUTPUT:  g^e.

1.  Precomputation.

1.1  g_0 ← 1,  g_1 ← g,  g_2 ← g^2.

1.2  For i from 1 to (2^{k−1} − 1) do:  g_{2i+1} ← g_{2i−1} · g_2.

2.  A ← 1.

3.  For i from t down to 0 do:  A ← (A^{2^{k−h_i}} · g_{u_i})^{2^{h_i}}.

4.  Return(A).


14.84  Remark  (right-to-left k-ary exponentiation)  Algorithm 14.82 is a generalization of Algo-
rithm 14.79.  In a similar manner, Algorithm 14.76 can be generalized to the k-ary case.
However, the optimization given in Algorithm 14.83 is not possible for the generalized
right-to-left k-ary exponentiation method.

(ii)  Sliding-window exponentiation

Algorithm 14.85 also reduces the amount of precomputation compared to Algorithm 14.82
and, moreover, reduces the average number of multiplications performed (excluding squar-
ings).  k is called the window size.


14.85  Algorithm  Sliding-window exponentiation

INPUT:  g, e = (e_t e_{t−1} ··· e_1 e_0)_2 with e_t = 1, and an integer k ≥ 1.

OUTPUT:  g^e.

1.  Precomputation.

1.1  g_1 ← g,  g_2 ← g^2.

1.2  For i from 1 to (2^{k−1} − 1) do:  g_{2i+1} ← g_{2i−1} · g_2.

2.  A ← 1,  i ← t.

3.  While i ≥ 0 do the following:

3.1  If e_i = 0 then do:  A ← A^2,  i ← i − 1.

3.2  Otherwise (e_i ≠ 0), find the longest bitstring e_i e_{i−1} ··· e_l such that i − l + 1 ≤ k
and e_l = 1, and do the following:

A ← A^{2^{i−l+1}} · g_{(e_i e_{i−1} ··· e_l)_2},  i ← l − 1.

4.  Return(A).


14.86  Example  (sliding-window exponentiation)  Take e = 11749 = (10110111100101)_2 and
k = 3.  Table 14.15 illustrates the steps of Algorithm 14.85.  Notice that the sliding-window
method for this exponent requires three multiplications, corresponding to i = 7, 4, and 0.
Algorithm 14.82 would have required four multiplications for the same values of k and e.  □

    i   |  A                          |  Longest bitstring
   13   |  1                          |  101
   10   |  g^5                        |  101
    7   |  (g^5)^8 g^5 = g^45         |  111
    4   |  (g^45)^8 g^7 = g^367       |  −
    3   |  (g^367)^2 = g^734          |  −
    2   |  (g^734)^2 = g^1468         |  101
    0   |  (g^1468)^8 g^5 = g^11749   |  −

Table 14.15:  Sliding-window exponentiation with k = 3 and exponent e = (10110111100101)_2.


14.87  Note  (comparison of exponentiation algorithms)  Let t + 1 be the bitlength of e, and let
l + 1 be the number of k-bit words formed from e; that is, l = ⌈(t + 1)/k⌉ − 1 = ⌊t/k⌋.
Table 14.16 summarizes the number of squarings and multiplications required by Algo-
rithms 14.76, 14.79, 14.82, and 14.83.  Analysis of the number of squarings and multipli-
cations for Algorithm 14.85 is more difficult, although it is the recommended method.

(i)  (squarings for Algorithm 14.82)  The number of squarings for Algorithm 14.82 is lk.
Observe that lk = ⌊t/k⌋k = t − (t mod k).  It follows that t − (k − 1) ≤ lk ≤ t
and that Algorithm 14.82 can save up to k − 1 squarings over Algorithms 14.76 and
14.79.  An optimal value for k in Algorithm 14.82 will depend on t.

(ii)  (squarings for Algorithm 14.83)  The number of squarings for Algorithm 14.83 is lk +
h_l where 0 ≤ h_l ≤ t mod k.  Since t − (k − 1) ≤ lk ≤ lk + h_l ≤ lk + (t mod k) = t,
or t − (k − 1) ≤ lk + h_l ≤ t, the number of squarings for this algorithm has the same
bounds as Algorithm 14.82.

  Algorithm  |  Precomputation         |  Squarings                   |  Multiplications
             |  sq  |  mult            |                              |  worst case  |  average case
  14.76      |  0   |  0               |  t                           |  t           |  t/2
  14.79      |  0   |  0               |  t                           |  t           |  t/2
  14.82      |  1   |  2^k − 3         |  t − (k − 1) ≤ lk ≤ t        |  l − 1       |  l(2^k − 1)/2^k
  14.83      |  1   |  2^{k−1} − 1     |  t − (k − 1) ≤ lk + h_l ≤ t  |  l − 1       |  l(2^k − 1)/2^k

Table 14.16:  Number of squarings (sq) and multiplications (mult) for exponentiation algorithms.
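The four left-to-right methods above, written out as an added example (this is not code from the Handbook) over Z_p^* with a counter for group operations, so that the costs stated in Note 14.81, Example 14.86 and Table 14.16 can be checked on actual inputs. The counting convention is the one those counts use: squaring the value 1 and multiplying by 1 are free. The function names, the OpCounter class and the prime p and base g passed to run() are choices made for this example.

```python
"""Algorithms 14.79, 14.82, 14.83 and 14.85 over Z_p^*, with counters for the
squarings and multiplications of the main loop and of the precomputation.
Added example; p and g passed to run() are constructed sample values."""


class OpCounter:
    """Arithmetic in Z_p^* that counts operations.  As in Note 14.81 and Table 14.16,
    squaring the value 1 and multiplying by 1 are not counted."""

    def __init__(self, p):
        self.p, self.pre, self.sq, self.mul = p, (0, 0), 0, 0

    def square(self, a):
        if a != 1:
            self.sq += 1
        return a * a % self.p

    def mult(self, a, b):
        if a != 1 and b != 1:
            self.mul += 1
        return a * b % self.p

    def end_precomputation(self):
        """Freeze (squarings, multiplications) spent so far as the precomputation cost."""
        self.pre, self.sq, self.mul = (self.sq, self.mul), 0, 0


def to_base(e, b):
    """Digits (e_0, e_1, ...) of e in radix b, least significant first."""
    digits = []
    while e:
        digits.append(e % b)
        e //= b
    return digits


def odd_powers(ctr, g, k):
    """Step 1 of Algorithms 14.83 and 14.85: g_1, g_3, ..., g_{2^k - 1}."""
    table, g2 = {1: g}, ctr.square(g)
    for i in range(1, 2 ** (k - 1)):
        table[2 * i + 1] = ctr.mult(table[2 * i - 1], g2)
    return table


def binary_ltr(ctr, g, e):
    """Algorithm 14.79: left-to-right binary exponentiation (no precomputation)."""
    ctr.end_precomputation()
    A = 1
    for bit in bin(e)[2:]:                        # e_t, ..., e_0
        A = ctr.square(A)
        if bit == "1":
            A = ctr.mult(A, g)
    return A


def kary_ltr(ctr, g, e, k):
    """Algorithm 14.82: full table g_0..g_{2^k-1}; k squarings then one multiplication per digit."""
    table = [1, g] + ([ctr.square(g)] if k > 1 else [])
    for i in range(3, 2 ** k):
        table.append(ctr.mult(table[-1], g))
    ctr.end_precomputation()
    A = 1
    for d in reversed(to_base(e, 2 ** k)):        # e_t, ..., e_0 in radix 2^k
        for _ in range(k):
            A = ctr.square(A)
        A = ctr.mult(A, table[d])
    return A


def modified_kary_ltr(ctr, g, e, k):
    """Algorithm 14.83: odd powers only; e_i = 2^{h_i} u_i is applied as
    (A^{2^{k-h_i}} g_{u_i})^{2^{h_i}} so that the trailing h_i squarings come last."""
    table = odd_powers(ctr, g, k)
    ctr.end_precomputation()
    A = 1
    for d in reversed(to_base(e, 2 ** k)):
        h, u = 0, d
        while u and u % 2 == 0:
            h, u = h + 1, u // 2
        for _ in range(k - h):
            A = ctr.square(A)
        if u:
            A = ctr.mult(A, table[u])
        for _ in range(h):
            A = ctr.square(A)
    return A


def sliding_window(ctr, g, e, k):
    """Algorithm 14.85: a window e_i ... e_l of at most k bits always ends on a 1,
    so zero bits are skipped by plain squarings and only odd powers are needed."""
    table = odd_powers(ctr, g, k)
    ctr.end_precomputation()
    bits = bin(e)[2:]
    t = len(bits) - 1
    bit = lambda i: int(bits[t - i])              # e_i
    A, i = 1, t
    while i >= 0:
        if bit(i) == 0:
            A, i = ctr.square(A), i - 1
            continue
        l = max(i - k + 1, 0)
        while bit(l) == 0:                        # longest window with e_l = 1, i - l + 1 <= k
            l += 1
        for _ in range(i - l + 1):
            A = ctr.square(A)                     # A <- A^{2^{i-l+1}}
        A = ctr.mult(A, table[int(bits[t - i:t - l + 1], 2)])
        i = l - 1
    return A


def run(alg, g, e, p, **kw):
    """Returns (g^e mod p, precomputation (sq, mul), main-loop squarings, main-loop multiplications)."""
    ctr = OpCounter(p)
    return alg(ctr, g, e, **kw), ctr.pre, ctr.sq, ctr.mul
```

With the constructed values p = 1000003 and g = 7, run(sliding_window, 7, 11749, 1000003, k=3) reports three main-loop multiplications and run(kary_ltr, ...) four, as Example 14.86 states, and the precomputation costs (1, 2^k − 3) and (1, 2^{k−1} − 1) match the columns of Table 14.16.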


(iii)  Simultaneous multiple exponentiation

There are a number of situations which require computation of the product of several ex-
ponentials with distinct bases and distinct exponents (for example, verification of ElGa-
mal signatures; see Note 14.91).  Rather than computing each exponential separately, Al-
gorithm 14.88 presents a method to do them simultaneously.

Let e_0, e_1, ..., e_{k−1} be positive integers each of bitlength t; some of the high-order bits
of some of the exponents might be 0, but there is at least one e_i whose high-order bit is 1.
Form a k × t array EA (called the exponent array) whose rows are the binary representations
of the exponents e_i, 0 ≤ i ≤ k − 1.  Let I_j be the non-negative integer whose binary
representation is the jth column, 1 ≤ j ≤ t, of EA, where low-order bits are at the top of
the column.

14.88  Algorithm  Simultaneous multiple exponentiation

INPUT:  group elements g_0, g_1, ..., g_{k−1} and non-negative t-bit integers e_0, e_1, ..., e_{k−1}.
OUTPUT:  g_0^{e_0} g_1^{e_1} ··· g_{k−1}^{e_{k−1}}.

1.  Precomputation.  For i from 0 to (2^k − 1):  G_i ← ∏_{j=0}^{k−1} g_j^{i_j} where i = (i_{k−1} ··· i_0)_2.

2.  A ← 1.

3.  For i from 1 to t do the following:  A ← A · A,  A ← A · G_{I_i}.

4.  Return(A).


14.89  Example  (simultaneous multiple exponentiation)  In this example, g_0^30 g_1^10 g_2^24 is computed
using Algorithm 14.88.  Let e_0 = 30 = (11110)_2, e_1 = 10 = (01010)_2, and e_2 = 24 =
(11000)_2.  The 3 × 5 array EA is:

    1  1  1  1  0
    0  1  0  1  0
    1  1  0  0  0

The next table displays precomputed values from step 1 of Algorithm 14.88.

    i   |  0  |  1    |  2    |  3        |  4    |  5        |  6        |  7
   G_i  |  1  |  g_0  |  g_1  |  g_0 g_1  |  g_2  |  g_0 g_2  |  g_1 g_2  |  g_0 g_1 g_2

Finally, the value of A at the end of each iteration of step 3 is shown in the following table.
Here, I_1 = 5, I_2 = 7, I_3 = 1, I_4 = 3, and I_5 = 0.

    i  |  A
    1  |  g_0 g_2
    2  |  g_0^3 g_1 g_2^3
    3  |  g_0^7 g_1^2 g_2^6
    4  |  g_0^15 g_1^5 g_2^12
    5  |  g_0^30 g_1^10 g_2^24

□


14.90  Note  (computational efficiency of Algorithm 14.88)

(i)  Algorithm 14.88 computes g_0^{e_0} g_1^{e_1} ··· g_{k−1}^{e_{k−1}} (where each e_i is represented by t bits)
by performing t − 1 squarings and at most (2^k − 2) + t − 1 multiplications.  The
multiplication is trivial for any column consisting of all 0's.

(ii)  Not all of the G_i, 0 ≤ i ≤ 2^k − 1, need to be precomputed, but only for those i whose
binary representation is a column of EA.

14.91  Note  (ElGamal signature verification)  The signature verification equation for the ElGa-
mal signature scheme (Algorithm 11.64) is α^{h(m)} (α^{−a})^r = r^s (mod p) where p is a large
prime, α a generator of Z_p^*, α^a is the public key, and (r, s) is a signature for message m.
It would appear that three exponentiations and one multiplication are required to verify
the equation.  If t = ⌈lg p⌉ and Algorithm 11.64 is applied, the number of squarings is
3(t − 1) and the number of multiplications is, on average, 3t/2.  Hence, one would ex-
pect to perform about (9t − 4)/2 multiplications and squarings modulo p.  Algorithm 14.88
can reduce the number of computations substantially if the verification equation is rewrit-
ten as α^{h(m)} (α^{−a})^r r^{−s} = 1 (mod p).  Taking g_0 = α, g_1 = α^{−a}, g_2 = r, and e_0 =
h(m) mod (p − 1), e_1 = r mod (p − 1), e_2 = −s mod (p − 1) in Algorithm 14.88, the
expected number of multiplications and squarings is (t − 1) + (6 + (7t/8)) = (15t + 40)/8.
(For random exponents, one would expect that, on average, 7/8 of the columns of EA will be
non-zero and necessitate a non-trivial multiplication.)  This is only about 25% more costly
than a single exponentiation computed by Algorithm 14.79.
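Algorithm 14.88 and its use for the rewritten ElGamal verification equation of Note 14.91, as an added example over Z_p^* (not code from the Handbook). The column values I_j are computed exactly as defined above (row 0 is the least significant bit), and the verifier feeds the three bases α, α^{−a}, r with the exponents reduced modulo p − 1 to one call of the simultaneous method. The parameters p = 2357, α = 2, the private key a, the per-signature secret k and the digest value are constructed sample values; the helper names are mine.

```python
"""Algorithm 14.88 (simultaneous multiple exponentiation) over Z_p^*, and its use
for the ElGamal verification equation of Note 14.91.  Added example; the
parameters and the message digest value below are constructed sample values."""


def exponent_columns(exps, t):
    """I_1, ..., I_t of Algorithm 14.88: column j of the k x t exponent array EA,
    read as an integer with the low-order bit at the top (row 0 = exponent e_0).
    Column 1 holds bit t-1 (the high-order bit) of every exponent."""
    return [sum(((e >> (t - j)) & 1) << row for row, e in enumerate(exps))
            for j in range(1, t + 1)]


def simultaneous_exp(bases, exps, p):
    """Returns (prod bases[i]^exps[i] mod p, squarings, non-trivial multiplications).
    A multiplication is trivial when A = 1 or the column is all zeros (G_0 = 1)."""
    k = len(bases)
    t = max(e.bit_length() for e in exps)
    G = [1] * (1 << k)                       # step 1: G_i = prod_j g_j^{i_j}
    for i in range(1, 1 << k):
        low = i & -i                         # lowest set bit of i: G_i = G_{i - low} * g_j
        G[i] = G[i ^ low] * bases[low.bit_length() - 1] % p
    A, sq, mul = 1, 0, 0                     # step 2
    for I in exponent_columns(exps, t):      # step 3
        if A != 1:
            sq += 1
        A = A * A % p
        if I != 0 and A != 1:
            mul += 1
        A = A * G[I] % p
    return A, sq, mul


def elgamal_sign(p, alpha, a, h_m, k):
    """Toy ElGamal signature on a digest h_m with caller-supplied per-signature
    secret k (gcd(k, p - 1) must be 1); used only to produce test data."""
    r = pow(alpha, k, p)
    s = pow(k, -1, p - 1) * (h_m - a * r) % (p - 1)
    return r, s


def elgamal_verify_naive(p, alpha, y, h_m, r, s):
    """Three separate exponentiations: y^r r^s == alpha^{h(m)} (mod p)."""
    if not 1 <= r < p:
        return False
    return pow(y, r, p) * pow(r, s, p) % p == pow(alpha, h_m, p)


def elgamal_verify_simultaneous(p, alpha, y, h_m, r, s):
    """Note 14.91: check alpha^{h(m)} (alpha^{-a})^r r^{-s} == 1 (mod p) with one call
    to Algorithm 14.88 (k = 3).  Reducing the exponents modulo p - 1 is valid
    because every element of Z_p^* has order dividing p - 1."""
    if not 1 <= r < p:
        return False
    q = p - 1
    bases = [alpha, pow(y, -1, p), r]        # g_0 = alpha, g_1 = alpha^{-a}, g_2 = r
    exps = [h_m % q, r % q, (-s) % q]        # e_0 = h(m), e_1 = r, e_2 = -s  (mod p - 1)
    A, _, _ = simultaneous_exp(bases, exps, p)
    return A == 1


if __name__ == "__main__":
    p, alpha, a = 2357, 2, 1751              # constructed sample parameters
    y = pow(alpha, a, p)
    r, s = elgamal_sign(p, alpha, a, 1463, 1529)
    print(elgamal_verify_naive(p, alpha, y, 1463, r, s),
          elgamal_verify_simultaneous(p, alpha, y, 1463, r, s))
```

Run on the exponents of Example 14.89, exponent_columns returns the column values 5, 7, 1, 3, 0 listed there, and simultaneous_exp reports t − 1 = 4 squarings and 3 non-trivial multiplications, within the bound of Note 14.90(i).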
(iv)  Additive notation

Algorithms 14.76 and 14.79 have been described in the setting of a multiplicative group.
Algorithm 14.92 uses the methodology of Algorithm 14.79 to perform efficient multiplica-
tion in an additive group G.  (For example, the group formed by the points on an elliptic
curve over a finite field uses additive notation.)  Multiplication in an additive group corre-
sponds to exponentiation in a multiplicative group.


14.92  Algorithm  Left-to-right binary multiplication in an additive group

INPUT:  g ∈ G, where G is an additive group, and a positive integer e = (e_t e_{t−1} ··· e_1 e_0)_2.
OUTPUT:  e · g.

1.  A ← 0.

2.  For i from t down to 0 do the following:

2.1  A ← A + A.

2.2  If e_i = 1 then A ← A + g.

3.  Return(A).


14.93  Note  (the additive group Z_m)

(i)  If G is the additive group Z_m, then Algorithm 14.92 provides a method for doing
modular multiplication.  For example, if a, b ∈ Z_m, then a · b mod m can be com-
puted using Algorithm 14.92 by taking g = a and e = b, provided b is written in
binary.

(ii)  If a, b ∈ Z_m, then a < m and b < m.  The accumulator A in Algorithm 14.92
never contains an integer as large as 2m; hence, modular reduction of the value in
the accumulator can be performed by a simple subtraction when A ≥ m; thus no
divisions are required.

(iii)  Algorithms 14.82 and 14.83 can also be used for modular multiplication.  In the case
of the additive group Z_m, the time required to do modular multiplication can be im-
proved at the expense of precomputing a table of residues modulo m.  For a left-to-
right k-ary exponentiation scheme, the table will contain 2^k − 1 residues modulo m.
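Note 14.93 applied to integers, as an added example (not the Handbook's code): Algorithm 14.92 in Z_m with the subtraction-only reduction of part (ii), and the k-ary variant of part (iii) with its table of 2^k − 1 residues. The first function also reports the largest accumulator value it saw, so the claim that A never reaches 2m can be checked directly. Operand values in the usage are constructed samples.

```python
"""Modular multiplication by double-and-add in the additive group Z_m
(Algorithm 14.92 as described in Note 14.93).  Added example; operands in the
tests are constructed sample values."""


def mulmod_double_and_add(a, b, m):
    """a * b mod m with g = a and e = b, using only additions and conditional
    subtractions.  Returns (product, largest accumulator value seen) so that
    the bound A < 2m of Note 14.93(ii) can be inspected."""
    if not (0 <= a < m and 0 <= b < m):
        raise ValueError("operands must already be reduced modulo m")
    A, peak = 0, 0
    for bit in bin(b)[2:]:                   # e_t, ..., e_0
        A += A                               # step 2.1: A <- A + A, so A < 2m
        peak = max(peak, A)
        if A >= m:
            A -= m                           # one subtraction instead of a division
        if bit == "1":
            A += a                           # step 2.2: A <- A + g, again A < 2m
            peak = max(peak, A)
            if A >= m:
                A -= m
    return A, peak


def mulmod_kary(a, b, m, k):
    """The k-ary variant of Note 14.93(iii): a table of the 2^k - 1 residues
    a, 2a, ..., (2^k - 1)a mod m is precomputed; each base-2^k digit of b then
    costs k doublings and one table addition, each followed by at most one
    subtraction."""
    if not (0 <= a < m and 0 <= b < m):
        raise ValueError("operands must already be reduced modulo m")
    table = [0] * (1 << k)                   # table[i] = i * a mod m
    for i in range(1, 1 << k):
        table[i] = table[i - 1] + a
        if table[i] >= m:
            table[i] -= m
    digits = []
    while b:                                 # base-2^k digits of b, least significant first
        digits.append(b & ((1 << k) - 1))
        b >>= k
    A = 0
    for d in reversed(digits):
        for _ in range(k):
            A += A
            if A >= m:
                A -= m
        A += table[d]
        if A >= m:
            A -= m
    return A
```

The peak value returned by mulmod_double_and_add is always below 2m: before each doubling A < m, so A + A < 2m, and after the subtraction A < m again before a is added.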

(v)  Montgomery exponentiation

The introductory remarks to §14.3.2 outline an application of the Montgomery reduction
method for exponentiation.  Algorithm 14.94 below combines Algorithm 14.79 and Al-
gorithm 14.36 to give a Montgomery exponentiation algorithm for computing x^e mod m.
Note the definition of m' requires that gcd(m, R) = 1.  For integers u and v where 0 ≤
u, v < m, define Mont(u, v) to be uvR^{−1} mod m as computed by Algorithm 14.36.

14.94  Algorithm  Montgomery exponentiation

INPUT:  m = (m_{l−1} ··· m_0)_b, R = b^l, m' = −m^{−1} mod b, e = (e_t ··· e_0)_2 with e_t = 1,
and an integer x, 1 ≤ x < m.

OUTPUT:  x^e mod m.

1.  x̃ ← Mont(x, R^2 mod m),  A ← R mod m.  (R mod m and R^2 mod m may be pro-
vided as inputs.)

2.  For i from t down to 0 do the following:

2.1  A ← Mont(A, A).

2.2  If e_i = 1 then A ← Mont(A, x̃).

3.  A ← Mont(A, 1).

4.  Return(A).


14.95  Example  (Montgomery exponentiation)  Let x, m, and R be integers suitable as inputs to
Algorithm 14.94.  Let e = 11 = (1011)_2; here, t = 3.  The following table displays the
values of A mod m at the end of each iteration of step 2, and after step 3.  □

      i    |  3   |  2            |  1            |  0              |  Step 3
  A mod m  |  x̃  |  x̃^2 R^{−1}  |  x̃^5 R^{−4}  |  x̃^11 R^{−10}  |  Mont(A, 1) = x̃^11 R^{−11} = x^11

14.96  Note  (computational efficiency of Montgomery exponentiation)

(i)  Table 14.17 displays the average number of single-precision multiplications required
for each step of Algorithm 14.94.  The expected number of single-precision multipli-
cations to compute x^e mod m by Algorithm 14.94 is 3l(l + 1)(t + 1).

(ii)  Each iteration of step 2 in Algorithm 14.94 applies Algorithm 14.36 at a cost of 2l(l +
1) single-precision multiplications but no single-precision divisions.  A similar algo-
rithm for modular exponentiation based on classical modular multiplication (Algo-
rithm 14.28) would similarly use 2l(l + 1) single-precision multiplications per iter-
ation but also l single-precision divisions.

(iii)  Any of the other exponentiation algorithms discussed in §14.6.1 can be combined
with Montgomery reduction to give other Montgomery exponentiation algorithms.

  Step  |  Number of Montgomery multiplications  |  Number of single-precision multiplications
   1    |  1                                     |  2l(l + 1)
   2    |  3t/2                                  |  3tl(l + 1)
   3    |  1                                     |  l(l + 1)

Table 14.17:  Average number of single-precision multiplications per step of Algorithm 14.94.
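Algorithm 14.94 in full, as an added example that is not code from the Handbook, including a word-by-word Mont(x, y) in the shape of Algorithm 14.36 (which is outside this excerpt): with radix b = 2^w, each of the l word steps is one single-precision multiply-accumulate plus an exact shift, and the only division-like operation is the final conditional subtraction. The class name, the default word size w = 8 and the modulus, base and exponent used in the usage are choices made for this example.

```python
"""Montgomery multiplication (Algorithm 14.36) and Montgomery exponentiation
(Algorithm 14.94) with a word size of w bits, i.e. radix b = 2^w.  Added example;
the modulus, base and exponent used below are constructed sample values."""


class Montgomery:
    """Holds m, b = 2^w, l (number of base-b words of m), R = b^l and
    m' = -m^{-1} mod b.  m must be odd so that gcd(m, R) = 1."""

    def __init__(self, m, w=8):
        if m % 2 == 0 or m < 3:
            raise ValueError("m must be an odd integer greater than 1")
        self.m, self.w, self.b = m, w, 1 << w
        self.l = (m.bit_length() + w - 1) // w
        self.R = self.b ** self.l
        self.m_prime = (-pow(m, -1, self.b)) % self.b
        self.R_mod_m = self.R % m                 # the Montgomery form of 1
        self.R2_mod_m = self.R * self.R % m       # converts x to xR mod m
        self.calls = 0                            # Montgomery multiplications performed

    def mont(self, x, y):
        """Mont(x, y) = x*y*R^{-1} mod m for 0 <= x, y < m: l word-level steps,
        each a single-precision multiply-accumulate and a shift, then one
        conditional subtraction and no division at all."""
        m, mask = self.m, self.b - 1
        y0 = y & mask
        A = 0
        for i in range(self.l):
            xi = (x >> (i * self.w)) & mask
            ui = (((A & mask) + xi * y0) * self.m_prime) & mask   # u_i = (a_0 + x_i y_0) m' mod b
            A = (A + xi * y + ui * m) >> self.w                   # exact division by b
        if A >= m:
            A -= m
        self.calls += 1
        return A

    def modexp(self, x, e):
        """Algorithm 14.94: x^e mod m computed entirely on Montgomery residues."""
        if not 1 <= x < self.m or e < 1:
            raise ValueError("need 1 <= x < m and e >= 1")
        x_tilde = self.mont(x, self.R2_mod_m)     # step 1: x~ = xR mod m
        A = self.R_mod_m                          # A = R mod m (1 in Montgomery form)
        for bit in bin(e)[2:]:                    # step 2: e_t, ..., e_0
            A = self.mont(A, A)
            if bit == "1":
                A = self.mont(A, x_tilde)
        return self.mont(A, 1)                    # step 3: strip the factor R


if __name__ == "__main__":
    ctx = Montgomery(1000000007, w=8)             # constructed sample modulus
    print(ctx.modexp(123456789, 65537) == pow(123456789, 65537, 1000000007), ctx.calls)
```

For e = 11 the calls counter reads 9: one Montgomery multiplication in step 1, four squarings and three multiplications by x̃ in step 2 (the rows of the table in Example 14.95), and one in step 3.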


14.6.2  Fixed-exponent exponentiation algorithms

There are numerous situations in which a number of exponentiations by a fixed exponent
must be performed.  Examples include RSA encryption and decryption, and ElGamal de-
cryption.  This subsection describes selected algorithms which improve the repeated square-
and-multiply algorithms of §14.6.1 by reducing the number of multiplications.
(i)  Addition chains

The purpose of an addition chain is to minimize the number of multiplications required for
an exponentiation.

14.97  Definition  An addition chain V of length s for a positive integer e is a sequence u_0, u_1,
..., u_s of positive integers, and an associated sequence w_1, ..., w_s of pairs w_i = (i_1, i_2),
0 ≤ i_1, i_2 < i, having the following properties:

(i)  u_0 = 1 and u_s = e; and

(ii)  for each u_i, 1 ≤ i ≤ s, u_i = u_{i_1} + u_{i_2}.

14.98  Algorithm  Addition chain exponentiation

INPUT:  a group element g, an addition chain V = (u_0, u_1, ..., u_s) of length s for a positive
integer e, and the associated sequence w_1, ..., w_s, where w_i = (i_1, i_2).

OUTPUT:  g^e.

1.  g_0 ← g.

2.  For i from 1 to s do:  g_i ← g_{i_1} · g_{i_2}.

3.  Return(g_s).

14.99  Example  (addition chain exponentiation)  An addition chain of length 5 for e = 15 is
u_0 = 1, u_1 = 2, u_2 = 3, u_3 = 6, u_4 = 12, u_5 = 15.  The following table displays the
values of w_i and g_i during each iteration of Algorithm 14.98 for computing g^15.  □


14.100  Remark  (addition chains and binary representations)  Given the binary representation of
an exponent e, it is a relatively simple task to construct an addition chain directly from this
representation.  Chains constructed in this way generally do not provide the shortest addition
chain possible for the given exponent.  The methods for exponentiation described in §14.6.1
could be phrased in terms of addition chains, but this is typically not done.

14.101  Note  (computational efficiency of addition chain exponentiation)  Given an addition chain
of length s for the positive integer e, Algorithm 14.98 computes g^e for any g ∈ G, g ≠ 1,
using exactly s multiplications.

14.102  Fact  If l is the length of a shortest addition chain for a positive integer e, then l ≥ (lg e +
lg wt(e) − 2.13), where wt(e) is the number of 1's in the binary representation of e.  An
upper bound of (⌊lg e⌋ + wt(e) − 1) is obtained by constructing an addition chain for e
from its binary representation.  Determining a shortest addition chain for e is known to be
an NP-hard problem.
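Algorithm 14.98 with a checker for Definition 14.97, the chain built from the binary representation (Remark 14.100, whose length is the upper bound of Fact 14.102), and the lower bound of Fact 14.102, as an added example (not code from the Handbook). The chain of Example 14.99 is the one used in the usage; its pairs w_i are read off the chain there (u_1 = u_0 + u_0, u_2 = u_1 + u_0, u_3 = u_2 + u_2, u_4 = u_3 + u_3, u_5 = u_4 + u_2). The group Z_p^* with p = 1000003 and the function names are choices made here.

```python
"""Addition-chain exponentiation (Algorithm 14.98) with a checker for
Definition 14.97 and the binary chain of Remark 14.100 / Fact 14.102.  Added
example; Z_p^* with a constructed sample p is used for the arithmetic."""

import math


def is_addition_chain(chain, pairs, e):
    """Definition 14.97: u_0 = 1, u_s = e and u_i = u_{i_1} + u_{i_2} with i_1, i_2 < i."""
    if chain[0] != 1 or chain[-1] != e or len(pairs) != len(chain) - 1:
        return False
    for i, (i1, i2) in enumerate(pairs, start=1):
        if not (0 <= i1 < i and 0 <= i2 < i) or chain[i] != chain[i1] + chain[i2]:
            return False
    return True


def binary_addition_chain(e):
    """The chain read off the binary representation of e (Remark 14.100): a
    doubling for every bit below the leading 1 and an addition of u_0 = 1 for
    every 1 bit, giving length floor(lg e) + wt(e) - 1 (the upper bound in Fact 14.102)."""
    if e < 1:
        raise ValueError("e must be a positive integer")
    chain, pairs = [1], []
    for bit in bin(e)[3:]:
        pairs.append((len(chain) - 1, len(chain) - 1))      # u_i = 2 u_{i-1}
        chain.append(2 * chain[-1])
        if bit == "1":
            pairs.append((len(chain) - 1, 0))               # u_i = u_{i-1} + 1
            chain.append(chain[-1] + 1)
    return chain, pairs


def shortest_chain_lower_bound(e):
    """Fact 14.102: any addition chain for e has length at least lg e + lg wt(e) - 2.13."""
    return math.log2(e) + math.log2(bin(e).count("1")) - 2.13


def addition_chain_exp(g, pairs, p):
    """Algorithm 14.98 over Z_p^*: g_0 = g, g_i = g_{i_1} g_{i_2}; exactly len(pairs)
    multiplications, the last element being g^{u_s}."""
    gs = [g % p]
    for i1, i2 in pairs:
        gs.append(gs[i1] * gs[i2] % p)
    return gs[-1]


if __name__ == "__main__":
    chain15, pairs15 = [1, 2, 3, 6, 12, 15], [(0, 0), (1, 0), (2, 2), (3, 3), (4, 2)]
    print(is_addition_chain(chain15, pairs15, 15), addition_chain_exp(7, pairs15, 1000003))
```

For e = 15 the binary chain has 6 steps while the chain of Example 14.99 has 5, and Fact 14.102 says no chain can have fewer than lg 15 + lg 4 − 2.13 ≈ 3.8, i.e. 4.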
(ii)  Vector-addition chains

Algorithms 14.88 and 14.104 are useful for computing g_0^{e_0} g_1^{e_1} ··· g_{k−1}^{e_{k−1}} where g_0, g_1, ...,
g_{k−1} are arbitrary elements in a group G and e_0, e_1, ..., e_{k−1} are fixed positive integers.
These algorithms can also be used to advantage when the exponents are not necessarily fixed
values (see Note 14.91).  Algorithm 14.104 makes use of vector-addition chains.

14.103  Definition  Let s and k be positive integers and let v_i denote a k-dimensional vector of
non-negative integers.  An ordered set V = {v_i : −k + 1 ≤ i ≤ s} is called a vector-
addition chain of length s and dimension k if V satisfies the following:

(i)  Each v_i, −k + 1 ≤ i ≤ 0, has a 0 in each coordinate position, except for coordinate
position i + k − 1, which is a 1.  (Coordinate positions are labeled 0 through k − 1.)

(ii)  For each v_i, 1 ≤ i ≤ s, there exists an associated pair of integers w_i = (i_1, i_2) such
that −k + 1 ≤ i_1, i_2 < i and v_i = v_{i_1} + v_{i_2} (i_1 = i_2 is allowed).

Example 14.105 illustrates a sample vector-addition chain.  Let V = {v_i : −k + 1 ≤
i ≤ s} be a vector-addition chain of length s and dimension k with associated sequence
w_1, ..., w_s.  Algorithm 14.104 computes g_0^{e_0} g_1^{e_1} ··· g_{k−1}^{e_{k−1}} where v_s = (e_0, e_1, ..., e_{k−1}).


14.104  Algorithm  Vector-addition chain exponentiation

INPUT:  group elements g_0, g_1, ..., g_{k−1} and a vector-addition chain V of length s and di-
mension k with associated sequence w_1, ..., w_s, where w_i = (i_1, i_2).

OUTPUT:  g_0^{e_0} g_1^{e_1} ··· g_{k−1}^{e_{k−1}} where v_s = (e_0, e_1, ..., e_{k−1}).

1.  For i from (−k + 1) to 0 do:  a_i ← g_{i+k−1}.

2.  For i from 1 to s do:  a_i ← a_{i_1} · a_{i_2}.

3.  Return(a_s).


14.105  Example  (vector-addition chain exponentiation)  A vector-addition chain V of length s =
9 and dimension k = 3 is displayed in the following table.

    v_{−2}  v_{−1}  v_0  v_1  v_2  v_3  v_4  v_5  v_6  v_7  v_8  v_9
      1       0      0    1    2    2    3    5    6   12   15   30
      0       1      0    0    0    1    1    2    2    4    5   10
      0       0      1    1    2    2    2    4    5   10   12   24

The following table displays the values of w_i and a_i during each iteration of step 2 in Al-
gorithm 14.104 for computing g_0^30 g_1^10 g_2^24.  Nine multiplications are required.  □

    i  |  w_i      |  a_i
    1  |  (−2, 0)  |  g_0 g_2
    2  |  (1, 1)   |  g_0^2 g_2^2
    3  |  (−1, 2)  |  g_0^2 g_1 g_2^2
    4  |  (−2, 3)  |  g_0^3 g_1 g_2^2
    5  |  (3, 4)   |  g_0^5 g_1^2 g_2^4
    6  |  (1, 5)   |  g_0^6 g_1^2 g_2^5
    7  |  (6, 6)   |  g_0^12 g_1^4 g_2^10
    8  |  (4, 7)   |  g_0^15 g_1^5 g_2^12
    9  |  (8, 8)   |  g_0^30 g_1^10 g_2^24

14.106  Note  (computational efficiency of vector-addition chain exponentiation)

(i)  (multiplications)  Algorithm 14.104 performs exactly s multiplications for a vector-
addition chain of length s.  To compute g_0^{e_0} g_1^{e_1} ··· g_{k−1}^{e_{k−1}} using Algorithm 14.104, one
would like to find a vector-addition chain of length s and dimension k with v_s =
(e_0, e_1, ..., e_{k−1}), where s is as small as possible (see Fact 14.107).

(ii)  (storage)  Algorithm 14.104 requires intermediate storage for the elements a_i, −k +
1 ≤ i < t, at the tth iteration of step 2.  If not all of these are required for succeeding
iterations, then they need not be stored.  Algorithm 14.88 provides a special case of
Algorithm 14.104 where the intermediate storage is no larger than 2^k − 1 vectors of
dimension k.

14.107  Fact  The minimum value of s in Note 14.106(i) satisfies the following bound, where M =
max{e_i : 0 ≤ i ≤ k − 1} and c is a constant:

s ≤ k − 1 + lg M + ck · lg M / lg lg(M + 2).

14.108  Example  (vector-addition chains from binary representations)  The vector-addition chain
implicit in Algorithm 14.88 is not necessarily of minimum length.  The vector-addition
chain associated with Example 14.89 is displayed in Table 14.18.  This chain is longer than
the one used in Example 14.105.  The advantage of Algorithm 14.88 is that the vector-
addition chain does not have to be explicitly provided to the algorithm.  In view of this,
Algorithm 14.88 can be applied more generally to situations where the exponents are not
necessarily fixed.  □

    v_{−2}  v_{−1}  v_0  v_1  v_2  v_3  v_4  v_5  v_6  v_7  v_8  v_9  v_10
      1       0      0    1    1    1    2    3    6    7   14   15   30
      0       1      0    1    1    0    0    1    2    2    4    5   10
      0       0      1    0    1    1    2    3    6    6   12   12   24

Table 14.18:  Binary vector-addition chain exponentiation (see Example 14.108).
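Algorithm 14.104 together with a checker for Definition 14.103 and a constructor for the chain that Algorithm 14.88 follows implicitly (Example 14.108), as an added example that is not code from the Handbook. The constructor builds only the G_I that some non-zero column uses, as Note 14.90(ii) allows, so for the exponents (30, 10, 24) it produces a chain of length 10, the length of Table 14.18, whereas the hand-made chain of Example 14.105 has length 9. Vectors are stored in a list with v_i at index i + k − 1; the group Z_p^* with constructed p and bases, and the function names, are choices made here.

```python
"""Vector-addition chain exponentiation (Algorithm 14.104), a checker for
Definition 14.103, and the chain implicit in Algorithm 14.88 (Example 14.108).
Added example; Z_p^* with constructed sample p and bases is used for the arithmetic."""


def is_vector_addition_chain(vectors, pairs, k):
    """vectors = [v_{-k+1}, ..., v_0, v_1, ..., v_s] (v_i is at index i + k - 1),
    pairs = [w_1, ..., w_s] with w_i = (i_1, i_2); checks Definition 14.103."""
    s = len(vectors) - k
    if s < 1 or len(pairs) != s:
        return False
    at = lambda i: tuple(vectors[i + k - 1])
    for i in range(-k + 1, 1):                                  # (i): unit vectors
        if at(i) != tuple(1 if c == i + k - 1 else 0 for c in range(k)):
            return False
    for i, (i1, i2) in enumerate(pairs, start=1):              # (ii): v_i = v_{i1} + v_{i2}
        if not (-k + 1 <= i1 < i and -k + 1 <= i2 < i):
            return False
        if at(i) != tuple(x + y for x, y in zip(at(i1), at(i2))):
            return False
    return True


def vector_addition_chain_exp(bases, pairs, p):
    """Algorithm 14.104 over Z_p^*: a_i = g_{i+k-1} for -k+1 <= i <= 0, then
    a_i = a_{i1} a_{i2}; returns a_s after exactly len(pairs) multiplications."""
    k = len(bases)
    a = [g % p for g in bases]                                  # a[i + k - 1] holds a_i
    for i1, i2 in pairs:
        a.append(a[i1 + k - 1] * a[i2 + k - 1] % p)
    return a[-1]


def binary_vector_addition_chain(exps):
    """The chain implicit in Algorithm 14.88 (cf. Table 14.18): build only the G_I
    that some non-zero column of EA uses (Note 14.90(ii)), then one doubling per
    column after the first and one addition per later non-zero column."""
    k = len(exps)
    t = max(e.bit_length() for e in exps)
    vectors = [tuple(1 if c == r else 0 for c in range(k)) for r in range(k)]
    pairs = []
    index_of = {1 << r: r - k + 1 for r in range(k)}            # column value -> chain index

    def add(i1, i2):
        vectors.append(tuple(x + y for x, y in zip(vectors[i1 + k - 1], vectors[i2 + k - 1])))
        pairs.append((i1, i2))
        return len(pairs)                                       # index of the new v_i

    def ensure(I):                                              # memoised G_I = G_{I - top} * g_top
        if I not in index_of:
            top = 1 << (I.bit_length() - 1)
            index_of[I] = add(ensure(I ^ top), index_of[top])
        return index_of[I]

    columns = [sum(((e >> (t - j)) & 1) << r for r, e in enumerate(exps))
               for j in range(1, t + 1)]
    for I in sorted({c for c in columns if c}):
        ensure(I)
    acc = None
    for I in columns:
        if acc is not None:
            acc = add(acc, acc)                                 # A <- A * A
        if I:
            acc = index_of[I] if acc is None else add(acc, index_of[I])   # A <- A * G_I
    return vectors, pairs
```

The chain returned for (30, 10, 24) orders its three precomputed vectors differently from Table 14.18 but has the same length and the same final vector, and it passes the Definition 14.103 check.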


14.6.3  Fixed-base exponentiation algorithms

Three methods are presented for exponentiation when the base g is fixed and the exponent
e varies.  With a fixed base, precomputation can be done once and used for many exponen-
tiations.  For example, Diffie-Hellman key agreement (Protocol 12.47) requires the compu-
tation of α^x, where α is a fixed element in Z_p^*.

For each of the algorithms described in this section, {b_0, b_1, ..., b_t} is a set of integers
for some t ≥ 0, such that any exponent e ≥ 1 (suitably bounded) can be written as e =
Σ_{i=0}^{t} e_i b_i, where 0 ≤ e_i < h for some fixed positive integer h.  For example, if e is any
(t + 1)-digit base b integer with b ≥ 2, then b_i = b^i and h = b are possible choices.

Algorithms 14.109 and 14.113 are two fixed-base exponentiation methods.  Both re-
quire precomputation of the exponentials g^{b_0}, g^{b_1}, ..., g^{b_t}, e.g., using one of the algorithms
from §14.6.1.  The precomputation needed for Algorithm 14.117 is more involved and is ex-
plicitly described in Algorithm 14.116.

(i)  Fixed-base windowing method

Algorithm 14.109 takes as input the precomputed exponentials g_i = g^{b_i}, 0 ≤ i ≤ t, and
positive integers h and e = Σ_{i=0}^{t} e_i b_i where 0 ≤ e_i < h, 0 ≤ i ≤ t.  The basis for the
algorithm is the observation that g^e = ∏_{i=0}^{t} g_i^{e_i} = ∏_{j=1}^{h−1} (∏_{e_i = j} g_i)^j.
14.109  Algorithm  Fixed-base windowing method for exponentiation

INPUT:  {g^{b_0}, g^{b_1}, ..., g^{b_t}}, e = Σ_{i=0}^{t} e_i b_i, and h.

OUTPUT:  g^e.

1.  A ← 1,  B ← 1.

2.  For j from (h − 1) down to 1 do the following:

2.1  For each i for which e_i = j do:  B ← B · g^{b_i}.

2.2  A ← A · B.

3.  Return(A).


14.110  Example  (fixed-base windowing exponentiation)  Precompute the group elements g^1, g^4,
g^16, g^64, g^256.  To compute g^e for e = 862 = (31132)_4, take t = 4, h = 4, and b_i = 4^i for
0 ≤ i ≤ 4, in Algorithm 14.109.  The following table displays the values of A and B at the
end of each iteration of step 2.  □

    j  |  B                         |  A
    3  |  g^256 g^4 = g^260         |  g^260
    2  |  g^260 g = g^261           |  g^260 g^261 = g^521
    1  |  g^261 g^16 g^64 = g^341   |  g^521 g^341 = g^862

14.111  Note  (computational efficiency of fixed-base windowing exponentiation)

(i)  (number of multiplications)  Suppose t + h ≥ 2.  Only multiplications where both
operands are distinct from 1 are counted.  Step 2.2 is executed h − 1 times, but at least
one of these multiplications involves an operand with value 1 (A is initialized to 1).
Since B is also initially 1, at most t multiplications are done in step 2.1.  Thus, Algo-
rithm 14.109 computes g^e with at most t + h − 2 multiplications (cf. Note 14.112).

(ii)  (storage)  Storage is required for the t + 1 group elements g_i, 0 ≤ i ≤ t.

14.112  Note  (a particular case)  The most obvious application of Algorithm 14.109 is the case
where the exponent e is represented in radix b.  If e = Σ_{i=0}^{t} e_i b^i, then g_i = g^{b^i}, 0 ≤ i ≤ t,
are precomputed.  If e is randomly selected from {0, 1, ..., m − 1}, then t + 1 ≤ ⌈log_b m⌉
and, on average, 1/b of the base b digits in e will be 0.  In this case, the expected number of
multiplications is ((b − 1)/b)⌈log_b m⌉ + b − 3.  If m is a 512-bit integer and b = 32, then 128.8
multiplications are needed on average, 132 in the worst case; 103 values must be stored.

(ii)  Fixed-base Euclidean method

Let {x_0, x_1, ..., x_t} be a set of integers with t ≥ 2.  Define M to be an integer in the
interval [0, t] such that x_M ≥ x_i for all 0 ≤ i ≤ t.  Define N to be an integer in the interval
[0, t], N ≠ M, such that x_N ≥ x_i for all 0 ≤ i ≤ t, i ≠ M.


14.113  Algorithm  Fixed-base Euclidean method for exponentiation

INPUT:  {g^{b_0}, g^{b_1}, ..., g^{b_t}} and e = Σ_{i=0}^{t} e_i b_i.

OUTPUT:  g^e.

1.  For i from 0 to t do the following:  g_i ← g^{b_i},  x_i ← e_i.

2.  Determine the indices M and N for {x_0, x_1, ..., x_t}.

3.  While x_N ≠ 0 do the following:

3.1  q ← ⌊x_M / x_N⌋,  g_N ← (g_M)^q · g_N,  x_M ← x_M mod x_N.

3.2  Determine the indices M and N for {x_0, x_1, ..., x_t}.

4.  Return(g_M^{x_M}).


14.114  Example  (fixed-base Euclidean method)  This example repeats the computation of g^e, e =
862 done in Example 14.110, but now uses Algorithm 14.113.  Take b_0 = 1, b_1 = 16, b_2 =
256.  Then e = (3, 5, 14)_16.  Precompute g^1, g^16, g^256.  Table 14.19 illustrates the steps
performed by Algorithm 14.113.  Notice that for this example, Algorithm 14.113 does 8
multiplications, whereas Algorithm 14.109 needs only 6 to do the same computation.  Stor-
age requirements for Algorithm 14.113 are, however, smaller.  The vector-addition chain
(Definition 14.103) corresponding to this example is displayed in the table after Table 14.19.  □

  x_0  x_1  x_2  |  M  N  q  |  g_0    g_1     g_2
   14    5    3  |  0  1  2  |  g      g^18    g^256
    4    5    3  |  1  0  1  |  g^19   g^18    g^256
    4    1    3  |  0  2  1  |  g^19   g^18    g^275
    1    1    3  |  2  1  3  |  g^19   g^843   g^275
    1    1    0  |  0  1  1  |  g^19   g^862   g^275
    0    1    0  |  1  0  −  |  g^19   g^862   g^275

Table 14.19:  Fixed-base Euclidean method to compute g^862 (see Example 14.114).

    v_{−2}  v_{−1}  v_0  v_1  v_2  v_3  v_4  v_5  v_6  v_7  v_8
      1       0      0    2    2    3    3    6    9   11   14
      0       1      0    0    1    1    1    2    3    4    5
      0       0      1    0    0    0    1    2    3    3    3

14.115  Note  (fixed-base Euclidean vs. fixed-base windowing methods)

(i)  In most cases, the quotient q computed in step 3.1 of Algorithm 14.113 is 1.  For a
given base b, the computational requirements of this algorithm are not significantly
greater than those of Algorithm 14.109.

(ii)  Since the division algorithm is logarithmic in the size of the inputs, Algorithm 14.113
can take advantage of a larger value of h than Algorithm 14.109.  This results in less
storage for precomputed values.
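Algorithms 14.109 and 14.113 side by side, as an added example that is not code from the Handbook, with the multiplication count of Note 14.111 (products in which one operand is 1 are free). Run on e = 862 with the tables of Examples 14.110 (b = 4, t = 4, h = 4) and 14.114 (b = 16, t = 2), the counter reports the 6 and 8 multiplications those examples state. When two x_i tie, the lower index is taken as M or N, which is a choice made here. The group Z_p^* with p = 1000003 and g = 2 and the function names are also choices made for this example.

```python
"""Fixed-base windowing (Algorithm 14.109) and fixed-base Euclidean (Algorithm 14.113)
exponentiation over Z_p^*, counting non-trivial multiplications as in Note 14.111.
Added example; p and g in the usage are constructed sample values."""


class CountedGroup:
    """Z_p^* with a counter of multiplications in which neither operand is 1."""

    def __init__(self, p):
        self.p, self.mul = p, 0

    def mult(self, a, b):
        if a != 1 and b != 1:
            self.mul += 1
        return a * b % self.p

    def power(self, a, q):
        """a^q by left-to-right square-and-multiply (Algorithm 14.79), counted."""
        r = 1
        for bit in bin(q)[2:]:
            r = self.mult(r, r)
            if bit == "1":
                r = self.mult(r, a)
        return r


def radix_digits(e, b, t):
    """e = sum e_i b^i with 0 <= e_i < b, returned as (e_0, ..., e_t); e must fit in t + 1 digits."""
    if e >= b ** (t + 1):
        raise ValueError("exponent needs more than t + 1 digits")
    return [(e // b ** i) % b for i in range(t + 1)]


def precompute_fixed_base(g, b, t, p):
    """The table g^{b^0}, g^{b^1}, ..., g^{b^t} that both algorithms need (done once per base)."""
    return [pow(g, b ** i, p) for i in range(t + 1)]


def fixed_base_windowing(table, digits, h, grp):
    """Algorithm 14.109: B collects the product of all g_i whose digit equals j,
    for j = h-1 down to 1, and A accumulates the running product of the B's."""
    A = B = 1
    for j in range(h - 1, 0, -1):
        for i, ei in enumerate(digits):
            if ei == j:
                B = grp.mult(B, table[i])
        A = grp.mult(A, B)
    return A


def fixed_base_euclidean(table, digits, grp):
    """Algorithm 14.113: repeatedly fold the largest exponent x_M into the second
    largest x_N via g_N <- g_M^q g_N, x_M <- x_M mod x_N with q = floor(x_M / x_N)."""
    if len(digits) < 3:
        raise ValueError("the method needs t >= 2, i.e. at least three digits")
    g, x = list(table), list(digits)

    def indices():                         # M: index of the largest x_i; N: of the next largest
        order = sorted(range(len(x)), key=lambda i: -x[i])   # ties: lower index first
        return order[0], order[1]

    M, N = indices()
    while x[N] != 0:
        q = x[M] // x[N]
        g[N] = grp.mult(grp.power(g[M], q), g[N])
        x[M] %= x[N]
        M, N = indices()
    return grp.power(g[M], x[M])


if __name__ == "__main__":
    P, G = 1000003, 2                       # constructed sample values
    grp = CountedGroup(P)
    table = precompute_fixed_base(G, 4, 4, P)
    ok = fixed_base_windowing(table, radix_digits(862, 4, 4), 4, grp) == pow(G, 862, P)
    print("windowing", ok, grp.mul)
    grp = CountedGroup(P)
    table = precompute_fixed_base(G, 16, 2, P)
    ok = fixed_base_euclidean(table, radix_digits(862, 16, 2), grp) == pow(G, 862, P)
    print("euclidean", ok, grp.mul)
```

Because the tie between x_0 and x_1 in the fourth row of Table 14.19 is broken differently here (N = 0 rather than N = 1), the intermediate g_i differ from the table from that row on, but the result and the count of 8 multiplications are the same.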

(iii)  Fixed-base comb method

Algorithm 14.117 computes g^e where e = (e_t e_{t−1} ··· e_1 e_0)_2, t ≥ 1.  Select an integer h,
1 ≤ h ≤ t + 1 and compute a = ⌈(t + 1)/h⌉.  Select an integer v, 1 ≤ v ≤ a, and compute
b = ⌈a/v⌉.  Clearly, ah ≥ t + 1.  Let X = R_{h−1} || R_{h−2} || ··· || R_0 be a bitstring formed
from e by padding (if necessary) e on the left with 0's, so that X has bitlength ah and each
R_i, 0 ≤ i ≤ h − 1, is a bitstring of length a.  Form an h × a array EA (called the exponent
array) where row i of EA is the bitstring R_i, 0 ≤ i ≤ h − 1.  Algorithm 14.116 is the
precomputation required for Algorithm 14.117.

14.116  Algorithm  Precomputation for Algorithm 14.117

INPUT:  group element g and parameters h, v, a, and b (defined above).

OUTPUT:  {G[j][i] : 1 ≤ i < 2^h, 0 ≤ j < v}.

1.  For i from 0 to (h − 1) do:  g_i ← g^{2^{ia}}.

2.  For i from 1 to (2^h − 1) (where i = (i_{h−1} ··· i_0)_2), do the following:

2.1  G[0][i] ← ∏_{j=0}^{h−1} g_j^{i_j}.

2.2  For j from 1 to (v − 1) do:  G[j][i] ← (G[0][i])^{2^{jb}}.

3.  Return({G[j][i] : 1 ≤ i < 2^h, 0 ≤ j < v}).

Let I_{j,k}, 0 ≤ k < b, 0 ≤ j < v, be the integer whose binary representation is column
(jb + k) of EA, where column 0 is on the right and the least significant bits of a column are
at the top.


14.117  Algorithm  Fixed-base comb method for exponentiation

INPUT:  g, e and {G[j][i] : 1 ≤ i < 2^h, 0 ≤ j < v} (precomputed in Algorithm 14.116).
OUTPUT:  g^e.

1.  A ← 1.

2.  For k from (b − 1) down to 0 do the following:

2.1  A ← A · A.

2.2  For j from (v − 1) down to 0 do:  A ← G[j][I_{j,k}] · A.

3.  Return(A).


14.118  Example  (fixed-base comb method for exponentiation)  Let t = 9 and h = 3; then a =
⌈10/3⌉ = 4.  Let v = 2; then b = ⌈4/2⌉ = 2.  Suppose the exponent input to Algo-
rithm 14.117 is e = (e_9 e_8 ··· e_1 e_0)_2.  Form the bitstring X = x_11 x_10 ··· x_1 x_0 where
x_i = e_i, 0 ≤ i ≤ 9, and x_11 = x_10 = 0.  The following table displays the exponent
array EA.

    I_{1,1}  I_{1,0}  I_{0,1}  I_{0,0}
     x_3      x_2      x_1      x_0
     x_7      x_6      x_5      x_4
     x_11     x_10     x_9      x_8

The precomputed values from Algorithm 14.116 are displayed below.  Recall that g_i = g^{2^{4i}},
0 ≤ i < 3.

    i  |  G[0][i]        |  G[1][i]
    1  |  g_0            |  g_0^4
    2  |  g_1            |  g_1^4
    3  |  g_1 g_0        |  g_1^4 g_0^4
    4  |  g_2            |  g_2^4
    5  |  g_2 g_0        |  g_2^4 g_0^4
    6  |  g_2 g_1        |  g_2^4 g_1^4
    7  |  g_2 g_1 g_0    |  g_2^4 g_1^4 g_0^4

Finally, the following table displays the steps in Algorithm 14.117 for EA, writing the
accumulator as A = g_0^{l_0} g_1^{l_1} g_2^{l_2}.

    k  |  j  |  l_0                        |  l_1                        |  l_2
    −  |  −  |  0                          |  0                          |  0
    1  |  1  |  4x_3                       |  4x_7                       |  4x_11
    1  |  0  |  4x_3 + x_1                 |  4x_7 + x_5                 |  4x_11 + x_9
    0  |  −  |  8x_3 + 2x_1                |  8x_7 + 2x_5                |  8x_11 + 2x_9
    0  |  1  |  8x_3 + 2x_1 + 4x_2         |  8x_7 + 2x_5 + 4x_6         |  8x_11 + 2x_9 + 4x_10
    0  |  0  |  8x_3 + 2x_1 + 4x_2 + x_0   |  8x_7 + 2x_5 + 4x_6 + x_4   |  8x_11 + 2x_9 + 4x_10 + x_8

The last row of the table corresponds to g^{Σ_{i=0}^{11} x_i 2^i} = g^e.  □

14.119  Note  (computational efficiency of fixed-base comb method)

(i)  (number of multiplications)  Algorithm 14.117 requires at most one multiplication for
each column of EA.  The right-most column of EA requires a multiplication with the
initial value 1 of the accumulator A.  The algorithm also requires a squaring of the
accumulator A for each k, 0 ≤ k < b, except for k = b − 1 when A has value
1.  Discounting multiplications by 1, the total number of non-trivial multiplications
(including squarings) is, at most, a + b − 2.

(ii)  (storage)  Algorithm 14.117 requires storage for the v(2^h − 1) precomputed group
elements (Algorithm 14.116).  If squaring is a relatively simple operation compared
to multiplication in the group, then some space-saving can be achieved by storing
only 2^h − 1 group elements (i.e., only those elements computed in step 2.1 of Algo-
rithm 14.116).

(iii)  (trade-offs)  Since h and v are independent of the number of bits in the exponent, se-
lection of these parameters can be made based on the amount of storage available vs.
the amount of time (determined by multiplication) to do the computation.
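Algorithms 14.116 and 14.117 for general h and v, as an added example (not code from the Handbook) over Z_p^*, with the count of non-trivial multiplications from Note 14.119(i). Column c of EA is read directly from the bits of e (row r holds bit ra + c), which makes the zero padding of X implicit; the one edge the prose does not spell out is that when vb > a the highest column indices jb + k fall entirely in the padding and must read as 0, which the code handles. The parameters of Example 14.118 (t = 9, h = 3, v = 2) and the prime p, base g and exponents in the usage are constructed sample values; the function names are mine.

```python
"""Fixed-base comb method: precomputation (Algorithm 14.116) and exponentiation
(Algorithm 14.117) over Z_p^*, with the multiplication count of Note 14.119.
Added example; p, g and the exponents used in the tests are constructed sample values."""


def comb_parameters(t, h, v):
    """a = ceil((t + 1)/h) and b = ceil(a/v) for exponents of t + 1 bits."""
    if not 1 <= h <= t + 1:
        raise ValueError("need 1 <= h <= t + 1")
    a = -(-(t + 1) // h)
    if not 1 <= v <= a:
        raise ValueError("need 1 <= v <= a")
    return a, -(-a // v)


def comb_precompute(g, p, t, h, v):
    """Algorithm 14.116: G[j][i] = (prod_r g_r^{i_r})^{2^{jb}} for 1 <= i < 2^h,
    0 <= j < v, where g_r = g^{2^{ra}}.  G[j][0] = 1 so a zero column costs nothing."""
    a, b = comb_parameters(t, h, v)
    gs = [pow(g, 1 << (r * a), p) for r in range(h)]          # step 1
    G = [[1] * (1 << h) for _ in range(v)]
    for i in range(1, 1 << h):                                # step 2
        prod = 1
        for r in range(h):
            if (i >> r) & 1:
                prod = prod * gs[r] % p
        G[0][i] = prod                                        # step 2.1
        for j in range(1, v):
            G[j][i] = pow(G[0][i], 1 << (j * b), p)           # step 2.2
    return G


def comb_exponentiate(e, t, h, v, G, p):
    """Algorithm 14.117.  Row r of EA holds bits x_{ra+a-1} ... x_{ra} of the padded
    exponent X, so column c (column 0 on the right), read with row 0 as its least
    significant bit, is I_{j,k} for c = jb + k.  Columns with c >= a lie in the
    padding and read as 0.  Returns (g^e mod p, non-trivial multiplications incl. squarings)."""
    if e.bit_length() > t + 1:
        raise ValueError("exponent has more than t + 1 bits")
    a, b = comb_parameters(t, h, v)

    def column(c):
        if c >= a:
            return 0
        return sum(((e >> (r * a + c)) & 1) << r for r in range(h))

    A, mults = 1, 0
    for k in range(b - 1, -1, -1):
        if A != 1:
            mults += 1                           # step 2.1, counted unless A is still 1
        A = A * A % p
        for j in range(v - 1, -1, -1):           # step 2.2
            I = column(j * b + k)
            if I != 0 and A != 1:
                mults += 1
            A = G[j][I] * A % p
    return A, mults


def stored_elements(G):
    """Storage of Note 14.119(ii): v(2^h - 1) group elements (G[j][0] is not stored)."""
    return len(G) * (len(G[0]) - 1)
```

With t = 9, h = 3, v = 2 the table holds 2(2^3 − 1) = 14 elements and a + b − 2 = 4, so no exponent of at most 10 bits costs more than 4 non-trivial multiplications.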


14.7 Exponent recoding

Another approach to reducing the number of multiplications in the basic repeated square-and-multiply algorithms (§14.6.1) is to replace the binary representation of the exponent e with a representation which has fewer non-zero terms. Since the binary representation is unique (Fact 14.1), finding a representation with fewer non-zero components necessitates the use of digits besides 0 and 1. Transforming an exponent from one representation to another is called exponent recoding. Many techniques for exponent recoding have been proposed in the literature. This section describes two possibilities: signed-digit representation (§14.7.1) and string-replacement representation (§14.7.2).


14.7.1 Signed-digit representation

14.120 Definition If $e = \sum_{i=0}^{t} d_i 2^i$ where $d_i \in \{0, 1, -1\}$, $0 \le i \le t$, then $(d_t \cdots d_1 d_0)_{SD}$ is called a signed-digit representation with radix 2 for the integer e.

Unlike the binary representation, the signed-digit representation of an integer is not unique. The binary representation is an example of a signed-digit representation. Let e be a positive integer whose binary representation is $(e_{t+1} e_t e_{t-1} \cdots e_1 e_0)_2$, with $e_{t+1} = e_t = 0$. Algorithm 14.121 constructs a signed-digit representation for e having at most $t + 1$ digits and the smallest possible number of non-zero terms.

14.121 Algorithm Signed-digit exponent recoding

INPUT: a positive integer $e = (e_{t+1} e_t e_{t-1} \cdots e_1 e_0)_2$ with $e_{t+1} = e_t = 0$.

OUTPUT: a signed-digit representation $(d_t \cdots d_1 d_0)_{SD}$ for e. (See Definition 14.120.)

1. $c_0 \leftarrow 0$.

2. For i from 0 to t do the following:

2.1 $c_{i+1} \leftarrow \lfloor (e_i + e_{i+1} + c_i)/2 \rfloor$, $d_i \leftarrow e_i + c_i - 2c_{i+1}$.

3. Return($(d_t \cdots d_1 d_0)_{SD}$).


14.122 Example (signed-digit exponent recoding) Table 14.20 lists all possible inputs to the ith iteration of step 2, and the corresponding outputs. If $e = (1101110111)_2$, then Algorithm 14.121 produces the signed-digit representation $e = (100\bar{1}000\bar{1}00\bar{1})_{SD}$ where $\bar{1} = -1$. That is,

$e = 2^9 + 2^8 + 2^6 + 2^5 + 2^4 + 2^2 + 2 + 1 = 2^{10} - 2^7 - 2^3 - 1.$ □


                inputs                 outputs
        e_i    c_i    e_{i+1}      c_{i+1}    d_i
         0      0       0             0        0
         0      0       1             0        0
         0      1       0             0        1
         0      1       1             1       -1
         1      0       0             0        1
         1      0       1             1       -1
         1      1       0             1        0
         1      1       1             1        0

Table 14.20: Signed-digit exponent recoding (see Example 14.122).


14.123 Definition A signed-digit representation of an integer e is said to be sparse if no two non-zero entries are adjacent in the representation.

14.124  Fact  (sparse  signed-digit  representation) 

(i)  Every  integer  e has  a unique  sparse  signed-digit  representation. 

(ii)  A sparse  signed-digit  representation  for  e has  the  smallest  number  of  non-zero  entries 
among  all  signed-digit  representations  for  e. 

(iii)  The  signed-digit  representation  produced  by  Algorithm  14.121  is  sparse. 

14.125 Note (computational efficiency of signed-digit exponent recoding)

(i) Signed-digit exponent recoding as per Algorithm 14.121 is very efficient, and can be done by table look-up (using Table 14.20).

(ii) When e is given in a signed-digit representation, computing $g^e$ requires both g and $g^{-1}$. If g is a fixed base, then $g^{-1}$ can be precomputed. For a variable base g, unless $g^{-1}$ can be computed very quickly, recoding an exponent to signed-digit representation may not be worthwhile.
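As an added worked example (not code from the Handbook), the following Python implements Algorithm 14.121 and checks it against Example 14.122 and Table 14.20; it then drives a left-to-right square-and-multiply with the signed digits to show the trade-off of Note 14.125(ii): fewer multiplications, one extra squaring, and a precomputed $g^{-1}$. The group $\mathbb{Z}_m^*$ with m = 1000003 and g = 5 is a constructed choice; the operation counts depend only on the digit pattern.

```python
# Added example (not from the Handbook): Algorithm 14.121 in Python,
# checked against Example 14.122 and Table 14.20, plus a left-to-right
# square-and-multiply driven by signed digits.  Arithmetic is in Z_m^* for
# a constructed modulus m; the operation counts do not depend on the group.

def recode_step(e_i, c_i, e_next):
    """One iteration of step 2 of Algorithm 14.121 (one row of Table 14.20):
    inputs e_i, c_i, e_{i+1}; outputs (c_{i+1}, d_i)."""
    c_next = (e_i + e_next + c_i) // 2
    return c_next, e_i + c_i - 2 * c_next


def signed_digit_recode(e):
    """Algorithm 14.121.  Returns [d_0, ..., d_t] (least significant digit
    first) with d_i in {0, 1, -1}; the bits e_{t+1} = e_t = 0 are padding."""
    bits = [(e >> i) & 1 for i in range(e.bit_length() + 2)]
    t = len(bits) - 2
    c, digits = 0, []                       # step 1: c_0 <- 0
    for i in range(t + 1):                  # step 2: i from 0 to t
        c, d = recode_step(bits[i], c, bits[i + 1])
        digits.append(d)
    return digits


def table_14_20():
    """All eight input triples (e_i, c_i, e_{i+1}) with their outputs,
    in the row order of Table 14.20."""
    return [((e_i, c_i, e_next), recode_step(e_i, c_i, e_next))
            for e_i in (0, 1) for c_i in (0, 1) for e_next in (0, 1)]


def sd_value(digits):
    """Evaluate sum d_i 2^i (Definition 14.120); digits least significant first."""
    return sum(d << i for i, d in enumerate(digits))


def is_sparse(digits):
    """Definition 14.123: no two adjacent non-zero digits."""
    return all(not (a and b) for a, b in zip(digits, digits[1:]))


def sd_string(digits):
    """Render most significant digit first, writing -1 as 'T' (the Handbook
    prints it as a 1 with an overbar)."""
    return ''.join({1: '1', 0: '0', -1: 'T'}[d] for d in reversed(digits))


def exponentiate(g, digits, m):
    """Left-to-right square-and-multiply in Z_m^* driven by a digit list
    (least significant first) with digits in {0, 1, -1}.  A digit -1
    multiplies by g^{-1} mod m, precomputed once (Note 14.125(ii)).
    Returns (g^e mod m, squarings, multiplications); as in the Handbook's
    counts, operations on the initial accumulator value 1 are not counted."""
    table = {1: g % m, -1: pow(g, -1, m)}   # g^{-1} exists when gcd(g, m) = 1
    acc, started, squarings, mults = 1, False, 0, 0
    for d in reversed(digits):
        if started:
            acc, squarings = acc * acc % m, squarings + 1
        if d != 0:
            if started:
                mults += 1
            acc, started = acc * table[d] % m, True
    return acc, squarings, mults


def compare_counts(e, g, m):
    """(binary result and counts, signed-digit result and counts) for g^e."""
    binary = [(e >> i) & 1 for i in range(e.bit_length())]
    return exponentiate(g, binary, m), exponentiate(g, signed_digit_recode(e), m)


if __name__ == '__main__':
    e, g, m = 0b1101110111, 5, 1_000_003   # e = 887 as in Example 14.122
    digits = signed_digit_recode(e)
    print(sd_string(digits), sd_value(digits), is_sparse(digits))
    print(compare_counts(e, g, m))
```

For e = 887 the binary method costs 9 squarings and 7 multiplications, the sparse signed-digit form 10 squarings and 3 multiplications plus the one-time inverse.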


14.7.2 String-replacement representation

14.126 Definition Let $k \ge 1$ be a positive integer. A non-negative integer e is said to have a k-ary string-replacement representation $(f_{t-1} f_{t-2} \cdots f_1 f_0)_{SR(k)}$, denoted SR(k), if $e = \sum_{i=0}^{t-1} f_i 2^i$ and $f_i \in \{2^j - 1 : 0 \le j \le k\}$ for $0 \le i \le t - 1$.

14.127 Example (non-uniqueness of string-replacement representations) A string-replacement representation for a non-negative integer is generally not unique. The binary representation is a 1-ary string-replacement representation. If $k = 3$ and $e = 987 = (1111011011)_2$, then some other string-replacements of e are $(303003003)_{SR(3)}$, $(1007003003)_{SR(3)}$, and $(71003003)_{SR(3)}$. □

14.128 Algorithm k-ary string-replacement representation

INPUT: $e = (e_{t-1} e_{t-2} \cdots e_1 e_0)_2$ and positive integer $k \ge 2$.

OUTPUT: $e = (f_{t-1} f_{t-2} \cdots f_1 f_0)_{SR(k)}$.

1. For i from k down to 2 do the following: starting with the most significant digit of $e = (e_{t-1} e_{t-2} \cdots e_1 e_0)_2$, replace each consecutive string of i ones with a string of length i consisting of $i - 1$ zeros in the high-order string positions and the integer $2^i - 1$ in the low-order position.

2. Return($(f_{t-1} f_{t-2} \cdots f_1 f_0)_{SR(k)}$).

14.129 Example (k-ary string-replacement) Suppose $e = (110111110011101)_2$ and $k = 3$. The SR(3) representations of e at the end of each of the two iterations of Algorithm 14.128 are $(110007110000701)_{SR(3)}$ and $(030007030000701)_{SR(3)}$. □

14.130 Algorithm Exponentiation using an SR(k) representation

INPUT: an integer $k \ge 2$, an element $g \in G$, and $e = (f_{t-1} f_{t-2} \cdots f_1 f_0)_{SR(k)}$.
OUTPUT: $g^e$.

1. Precomputation. Set $g_1 \leftarrow g$. For i from 2 to k do: $g_{2^i - 1} \leftarrow (g_{2^{i-1} - 1})^2 \cdot g$.

2. $A \leftarrow 1$.

3. For i from $(t - 1)$ down to 0 do the following:

3.1 $A \leftarrow A \cdot A$.

3.2 If $f_i \ne 0$ then $A \leftarrow A \cdot g_{f_i}$.

4. Return(A).

14.131 Example (SR(k) vs. left-to-right binary exponentiation) Let $e = 987 = (1111011011)_2$ and consider the 3-ary string-replacement representation $(0071003003)_{SR(3)}$. Computing $g^e$ using Algorithm 14.79 requires 9 squarings and 7 multiplications. Algorithm 14.130 requires 2 squarings and 2 multiplications for computing $g^3$ and $g^7$, and then 7 squarings and 3 multiplications for the main part of the algorithm. In total, the SR(3) for e computes $g^e$ with 9 squarings and 5 multiplications. □

14.132 Note (computational efficiency of Algorithm 14.130) The precomputation requires $k - 1$ squarings and $k - 1$ multiplications. Algorithm 14.128 is not guaranteed to produce an SR(k) representation with a minimum number of non-zero entries, but in practice it seems to give representations which are close to minimal. Heuristic arguments indicate that a randomly selected t-bit exponent will be encoded with a suitably chosen value of k to an SR(k) representation having about $t/4$ non-zero entries; hence, one expects to perform $t - 1$ squarings in step 3, and about $t/4$ multiplications.
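As an added worked example (not code from the Handbook), the following Python implements Algorithms 14.128 and 14.130 with squaring and multiplication counts, reproducing Examples 14.129 and 14.131 and the alternative representations of Example 14.127; the SR(1) case is plain left-to-right binary exponentiation, which supplies the Algorithm 14.79 comparison. The modulus m = 1000003 and base g = 5 are constructed choices.

```python
# Added example (not from the Handbook): Algorithms 14.128 and 14.130 in
# Python, with squaring/multiplication counts, checked against Examples
# 14.127, 14.129 and 14.131.  Arithmetic is in Z_m^* for a constructed
# modulus m; the counts depend only on the digit pattern.

def sr_recode_steps(e, k):
    """Algorithm 14.128, step 1, returning the digit list (most significant
    digit first) after each iteration i = k, k-1, ..., 2."""
    digits = [int(b) for b in bin(e)[2:]]
    steps = []
    for i in range(k, 1, -1):
        j = 0
        while j <= len(digits) - i:
            if all(d == 1 for d in digits[j:j + i]):       # a string of i ones
                # i-1 zeros in the high-order positions, 2^i - 1 in the low one
                digits[j:j + i] = [0] * (i - 1) + [2 ** i - 1]
                j += i
            else:
                j += 1
        steps.append(list(digits))
    return steps


def sr_recode(e, k):
    """Algorithm 14.128: the SR(k) digits of e, most significant first.
    k = 1 leaves the binary representation unchanged (Example 14.127)."""
    steps = sr_recode_steps(e, k)
    return steps[-1] if steps else [int(b) for b in bin(e)[2:]]


def sr_value(digits):
    """Evaluate sum f_i 2^i (Definition 14.126); digits most significant first."""
    return sum(f << i for i, f in enumerate(reversed(digits)))


def sr_exponentiate(g, digits, k, m):
    """Algorithm 14.130 in Z_m^*.  Returns (g^e mod m, squarings,
    multiplications).  As in Example 14.131, operations on the initial
    accumulator value 1 are not counted."""
    squarings = mults = 0
    # step 1: g_1 = g and g_{2^i - 1} = (g_{2^{i-1} - 1})^2 * g for i = 2..k
    table = {1: g % m}
    for i in range(2, k + 1):
        table[2 ** i - 1] = table[2 ** (i - 1) - 1] ** 2 * g % m
        squarings, mults = squarings + 1, mults + 1
    acc, started = 1, False                  # step 2: A <- 1
    for f in digits:                         # step 3: i from t-1 down to 0
        if started:                          # 3.1: A <- A * A
            acc, squarings = acc * acc % m, squarings + 1
        if f != 0:                           # 3.2: A <- A * g_{f_i}
            if started:
                mults += 1
            acc, started = acc * table[f] % m, True
    return acc, squarings, mults             # step 4


def compare_with_binary(e, k, g, m):
    """Cost of left-to-right binary exponentiation (the SR(1) case,
    Algorithm 14.79) versus Algorithm 14.130 on the SR(k) digits of e."""
    return (sr_exponentiate(g, sr_recode(e, 1), 1, m),
            sr_exponentiate(g, sr_recode(e, k), k, m))


if __name__ == '__main__':
    g, m = 5, 1_000_003
    print(sr_recode_steps(0b110111110011101, 3))                 # Example 14.129
    print(sr_recode(987, 3), compare_with_binary(987, 3, g, m))  # Example 14.131
```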
14.8 Notes and further references

§14.1

This chapter deals almost exclusively with methods to perform operations in the integers and the integers modulo some positive integer. When p is a prime number, $\mathbb{Z}_p$ is called a finite field (Fact 2.184). There are other finite fields which have significance in cryptography. Of particular importance are those of characteristic two, $\mathbb{F}_{2^m}$. Perhaps the most useful property of these structures is that squaring is a linear operator (i.e., if $\alpha, \beta \in \mathbb{F}_{2^m}$, then $(\alpha + \beta)^2 = \alpha^2 + \beta^2$). This property leads to efficient methods for exponentiation and for inversion. Characteristic two finite fields have been used extensively in connection with error-correcting codes; for example, see Berlekamp [118] and Lin and Costello [769]. For error-correcting codes, m is typically quite small (e.g., $1 \le m \le 16$); for cryptographic applications, m is usually much larger (e.g., $m \ge 100$).

The majority of the algorithms presented in this chapter are best suited to software implementations. There is a vast literature on methods to perform modular multiplication and other operations in hardware. The basis for most hardware implementations for modular multiplication is efficient methods for integer addition. In particular, carry-save adders and delayed-carry adders are at the heart of the best methods to perform modular multiplication. The concept of a delayed-carry adder was proposed by Norris and Simmons [933] to produce a hardware modular multiplier which computes the product of two t-bit operands modulo a t-bit modulus in $2t$ clock cycles. Brickell [199] improved the idea to produce a modular multiplier requiring only $t + 7$ clock cycles. Enhancements of Brickell's method were given by Walter [1230]. Koç [699] gives a comprehensive survey of hardware methods for modular multiplication.

§14.2 

For  a treatment  of  radix  representations  including  mixed-radix  representations,  see  Knuth 
[692].  Knuth  describes  efficient  methods  for  performing  radix  conversions.  Representing 
and  manipulating  negative  numbers  is  an  important  topic;  for  an  introduction,  consult  the 
book  by  Koren  [706]. 

The  techniques  described  in  § 14.2  are  commonly  referred  to  as  the  classical  algorithms  for 
multiple-precision  addition,  subtraction,  multiplication,  and  division.  These  algorithms  are 
the  most  useful  for  integers  of  the  size  used  for  cryptographic  purposes.  For  much  larger  in- 
tegers (on  the  order  of  thousands  of  decimal  digits),  more  efficient  methods  exist.  Although 
not  of  current  practical  interest,  some  of  these  may  become  more  useful  as  security  require- 
ments force  practitioners  to  increase  parameter  sizes.  The  Karatsuba-Ofman  method,  de- 
scribed next,  is  practical  in  some  situations. 

The classical algorithm for multiplication (Algorithm 14.12) takes $O(n^2)$ bit operations for multiplying two n-bit integers. A recursive algorithm due to Karatsuba and Ofman [661] reduces the complexity of multiplying two n-bit integers to $O(n^{1.58})$. This divide-and-conquer method is based on the following simple observation. Suppose that x and y are n-bit integers and $n = 2t$. Then $x = 2^t x_1 + x_0$ and $y = 2^t y_1 + y_0$, where $x_1, y_1$ are the t high-order bits of x and y, respectively, and $x_0, y_0$ are the t low-order bits. Furthermore, $x \cdot y = u_2 2^{2t} + u_1 2^t + u_0$ where $u_0 = x_0 \cdot y_0$, $u_2 = x_1 \cdot y_1$ and $u_1 = (x_0 + x_1)\cdot(y_0 + y_1) - u_0 - u_2$. It follows that $x \cdot y$ can be computed by performing three multiplications of t-bit integers (as opposed to one multiplication with 2t-bit integers) along with two additions and two subtractions. For large values of t, the cost of the additions and subtractions is insignificant relative to the cost of the multiplications. With appropriate modifications, $u_0$, $u_1$ and $(x_0 + x_1)\cdot(y_0 + y_1)$ can each be computed similarly. This procedure is continued on the intermediate values until the size of the integers reaches the word size of the computing device, and multiplication can be efficiently accomplished. Due to the recursive nature of the algorithm, a number of intermediate results must be stored which can add significant overhead, and detract from the algorithm's efficiency for relatively small integers. Combining the Karatsuba-Ofman method with classical multiplication may have some practical significance. For a more detailed treatment of the Karatsuba-Ofman algorithm, see Knuth [692], Koç [698], and Geddes, Czapor, and Labahn [445].

Another commonly used method for multiple-precision integer multiplication is the discrete Fourier transform (DFT). Although mathematically elegant and asymptotically better than the classical algorithm, it does not appear to be superior for the size of integers of practical importance to cryptography. Lipson [770] provides a well-motivated and easily readable treatment of this method.

The identity given in Note 14.18 was known to Karatsuba and Ofman [661].

§14.3 

There is an extensive literature on methods for multiple-precision modular arithmetic. A detailed treatment of methods for performing modular multiplication can be found in Knuth [692]. Koç [698] and Bosselaers, Govaerts, and Vandewalle [176] provide comprehensive but brief descriptions of the classical method for modular multiplication.

Montgomery reduction (Algorithm 14.32) is due to Montgomery [893], and is one of the most widely used methods in practice for performing modular exponentiation (Algorithm 14.94). Dussé and Kaliski [361] discuss variants of Montgomery's method. Montgomery reduction is a generalization of a much older technique due to Hensel (see Shand and Vuillemin [1119] and Bosselaers, Govaerts, and Vandewalle [176]). Hensel's observation is the following. If m is an odd positive integer less than $2^k$ (k a positive integer) and T is some integer such that $2^k < T < 2^{2k}$, then $R_0 = (T + q_0 m)/2$, where $q_0 = T \bmod 2$, is an integer and $R_0 \equiv T\,2^{-1} \pmod m$. More generally, $R_i = (R_{i-1} + q_i m)/2$, where $q_i = R_{i-1} \bmod 2$, is an integer and $R_i \equiv T\,2^{-(i+1)} \pmod m$. Since $T < 2^{2k}$, it follows that $R_{k-1} < 2m$.

Barrett reduction (Algorithm 14.42) is due to Barrett [75]. Bosselaers, Govaerts, and Vandewalle [176] provide a clear and concise description of the algorithm along with motivation and justification for various choices of parameters and steps, and compare three alternative methods: classical (§14.3.1), Montgomery reduction (§14.3.2), and Barrett reduction (§14.3.3). This comparison indicates that there is not a significant difference in performance between the three methods, provided the precomputation necessary for Montgomery and Barrett reduction is ignored. Montgomery exponentiation is shown to be somewhat better than the other two methods. The conclusions are based on both theoretical analysis and machine implementation for various sized moduli. Koç, Acar, and Kaliski [700] provide a more detailed comparison of various Montgomery multiplication algorithms; see also Naccache, M'Raïhi, and Raphaeli [915]. Naccache and M'silti [917] provide proofs for the correctness of Barrett reduction along with a possible optimization.

Mohan and Adiga [890] describe a special case of Algorithm 14.47 where $b = 2$.

Hong, Oh, and Yoon [561] proposed new methods for modular multiplication and modular squaring. They report improvements of 50% and 30%, respectively, on execution times over Montgomery's method for multiplication and squaring. Their approach to modular multiplication interleaves multiplication and modular reduction and uses precomputed tables such that one operand is always single-precision. Squaring uses recursion and precomputed tables and, unlike Montgomery's method, also integrates the multiplication and reduction steps.

The binary gcd algorithm (Algorithm 14.54) is due to Stein [1170]. An analysis of the algorithm is given by Knuth [692]. Harris [542] proposed an algorithm for computing gcd's which combines the classical Euclidean algorithm (Algorithm 2.104) and binary operations; the method is called the binary Euclidean algorithm.

Lehmer's gcd algorithm (Algorithm 14.57), due to Lehmer [743], determines the gcd of two positive multiple-precision integers using mostly single-precision operations. This has the advantage of using the hardware divide in the machine and only periodically resorting to an algorithm such as Algorithm 14.20 for a multiple-precision divide. Knuth [692] gives a comprehensive description of the algorithm along with motivation of its correctness. Cohen [263] provides a similar discussion, but without motivation. Lehmer's gcd algorithm is readily adapted to the extended Euclidean algorithm (Algorithm 2.107).

According to Sorenson [1164], the binary gcd algorithm is the most efficient method for computing the greatest common divisor. Jebelean [633] suggests that Lehmer's gcd algorithm is more efficient. Sorenson [1164] also describes a k-ary version of the binary gcd algorithm, and proves a worst-case running time of $O(n^2/\lg n)$ bit operations for computing the gcd of two n-bit integers.

The binary extended gcd algorithm was first described by Knuth [692], who attributes it to Penk. Algorithm 14.61 is due to Bach and Shallit [70], who also give a comprehensive and clear analysis of several gcd and extended gcd algorithms. Norton [934] described a version of the binary extended gcd algorithm which is somewhat more complicated than Algorithm 14.61. Gordon [516] proposed a method for computing modular inverses, derived from the classical extended Euclidean algorithm (Algorithm 2.107) with multiple-precision division replaced by an approximation to the quotient by an appropriate power of 2; no analysis of the expected running time is given, but observed results on moduli of specific sizes are described.

The Montgomery inverse of $a \bmod m$ is defined to be $a^{-1} 2^t \bmod m$ where t is the bitlength of m. Kaliski [653] extended ideas of Guyot [534] on the right-shift binary extended Euclidean algorithm, and presented an algorithm for computing the Montgomery inverse.

Let $m_i$, $1 \le i \le t$, be a set of pairwise relatively prime positive integers which define a residue number system (RNS). If $n = \prod_{i=1}^{t} m_i$ then this RNS provides an effective method for computing the product of integers modulo n where the integers and the product are represented in the RNS. If n is a positive integer where the $m_i$ do not necessarily divide n, then a method for performing arithmetic modulo n entirely within the RNS is not obvious. Couveignes [284] and Montgomery and Silverman [895] propose an interesting method for accomplishing this. Further research in the area is required to determine if this approach is competitive with or better than the modular multiplication methods described in §14.3.

Algorithm 14.71 is due to Garner [443]. A detailed discussion of this algorithm and variants of it are given by Knuth [692]; see also Cohen [263]. Algorithm 2.121 for applying the Chinese remainder theorem is due to Gauss; see Bach and Shallit [70]. Gauss's algorithm is a special case of the following result due to Nagasaka, Shiue, and Ho [918]. The solution to the system of linear congruences $x \equiv a_i \pmod{m_i}$, $1 \le i \le t$, for pairwise relatively prime moduli $m_i$, is equivalent to the solution to the single linear congruence $\left(\sum_{i=1}^{t} b_i M_i\right) x \equiv \sum_{i=1}^{t} a_i b_i M_i \pmod M$ where $M = \prod_{i=1}^{t} m_i$, $M_i = M/m_i$ for $1 \le i \le t$, for any choice of integers $b_i$ where $\gcd(b_i, M_i) = 1$. Notice that if $\sum_{i=1}^{t} b_i M_i \equiv 1 \pmod M$, then $b_i \equiv M_i^{-1} \pmod{m_i}$, giving the special case discussed in Algorithm 2.121. Quisquater and Couvreur [1016] were the first to apply the Chinese remainder theorem to RSA decryption and signature generation.

Knuth [692] and Bach and Shallit [70] describe the right-to-left binary exponentiation method (Algorithm 14.76). Cohen [263] provides a more comprehensive treatment of the right-to-left and left-to-right (Algorithm 14.79) binary methods along with their generalizations to the k-ary method. Koç [698] discusses these algorithms in the context of the RSA public-key cryptosystem. Algorithm 14.92 is the basis for Blakley's modular multiplication algorithm (see Blakley [149] and Koç [698]). The generalization of Blakley's method to process more than one bit per iteration (Note 14.93(iii)) is due to Quisquater and Couvreur [1016]. Quisquater and Couvreur describe an algorithm for modular exponentiation which makes use of the generalization and precomputed tables to accelerate multiplication in $\mathbb{Z}_m$.

For a comprehensive and detailed discussion of addition chains, see Knuth [692], where various methods for constructing addition chains (such as the power tree and factor methods) are described. Computing the shortest addition chain for a positive integer was shown to be an NP-hard problem by Downey, Leong, and Sethi [360]. The lower bound on the length of a shortest addition chain (Fact 14.102) was proven by Schönhage [1101].

An addition sequence for positive integers $a_1 < a_2 < \cdots < a_k$ is an addition chain for $a_k$ in which $a_1, a_2, \ldots, a_{k-1}$ appear. Yao [1257] proved that there exists an addition sequence for $a_1 < a_2 < \cdots < a_k$ of length less than $\lg a_k + ck \cdot \lg a_k / \lg\lg(a_k + 2)$ for some constant c. Olivos [955] established a 1-1 correspondence between addition sequences of length l for $a_1 < a_2 < \cdots < a_k$ and vector-addition chains of length $l + k - 1$ where $v_{l+k-1} = (a_1, a_2, \ldots, a_k)$. These results are the basis for the inequality given in Fact 14.107. Bos and Coster [173] described a heuristic method for computing vector-addition chains. The special case of Algorithm 14.104 (Algorithm 14.88) is attributed by ElGamal [368] to Shamir.

The fixed-base windowing method (Algorithm 14.109) for exponentiation is due to Brickell et al. [204], who describe a number of variants of the basic algorithm. For b a positive integer, let S be a set of integers with the property that any integer can be expressed in base b using only coefficients from S. S is called a basic digit set for the base b. Brickell et al. show how basic digit sets can be used to reduce the amount of work in Algorithm 14.109 without large increases in storage requirements. De Rooij [316] proposed the fixed-base Euclidean method (Algorithm 14.113) for exponentiation; compares this algorithm to Algorithm 14.109; and provides a table of values for numbers of practical importance. The fixed-base comb method (Algorithm 14.117) for exponentiation is due to Lim and Lee [767]. For a given exponent size, they discuss various possibilities for the choice of parameters h and v, along with a comparison of their method to fixed-base windowing.

The signed-digit exponent recoding algorithm (Algorithm 14.121) is due to Reitwiesner [1031]. A simpler description of the algorithm was given by Hwang [566]. Booth [171] described another algorithm for producing a signed-digit representation, but not necessarily one with the minimum possible non-zero components. It was originally given in terms of the additive group of integers where exponentiation is referred to as multiplication. In this case, $-g$ is easily computed from g. The additive abelian group formed from the points on an elliptic curve over a finite field is another example where signed-digit representation is very useful (see Morain and Olivos [904]). Zhang [1267] described a modified signed-digit representation which requires on average $t/3$ multiplications for a square-and-multiply algorithm for t-bit exponents. A slightly more general version of Algorithm 14.121, given by Jedwab and Mitchell [634], does not require as input a binary representation of the exponent e but simply a signed-digit representation. For binary inputs, the algorithms of Reitwiesner and Jedwab-Mitchell are the same. Fact 14.124 is due to Jedwab and Mitchell [634].

String-replacement representations were introduced by Gollmann, Han, and Mitchell [497], who describe Algorithms 14.128 and 14.130. They also provide an analysis of the expected number of non-zero entries in an SR(k) representation for a randomly selected t-bit exponent (see Note 14.132), as well as a complexity analysis of Algorithm 14.130 for various values of t and k. Lam and Hui [735] proposed an alternate string-replacement algorithm. The idea is to precompute all odd powers $g, g^3, g^5, \ldots, g^{2^k - 1}$ for some fixed positive integer k. Given a t-bit exponent e, start at the most significant bit, and look for the longest bitstring of bitlength at most k whose last digit is a 1 (i.e., this substring represents an odd positive integer between 1 and $2^k - 1$). Applying a left-to-right square-and-multiply exponentiation algorithm based on this scanning process results in an algorithm which requires, at most, $\lceil t/k \rceil$ multiplications. Lam and Hui proved that as t increases, the average number of multiplications approaches $\lceil t/(k+1) \rceil$.


©1997  by  CRC  Press,  Inc.  — See  accompanying  notice  at  front  of  chapter. 


Chapter 15

Patents and Standards


Contents  in  Brief 

15.1  Introduction 635 

15.2  Patents  on  cryptographic  techniques 635 

15.3  Cryptographic  standards 645 

15.4  Notes  and  further  references 657 


15.1  Introduction 

This  chapter  discusses  two  topics  which  have  significant  impact  on  the  use  of  cryptogra- 
phy in  practice:  patents  and  standards.  At  their  best,  cryptographic  patents  make  details 
of  significant  new  processes  and  efficient  techniques  publicly  available,  thereby  increas- 
ing awareness  and  promoting  use;  at  their  worst,  they  limit  or  stifle  the  use  of  such  tech- 
niques due  to  licensing  requirements.  Cryptographic  standards  serve  two  important  goals: 
facilitating  widespread  use  of  cryptographically  sound  and  well-accepted  techniques;  and 
promoting  interoperability  between  components  involving  security  mechanisms  in  various 
systems. 

An  overview  of  patents  is  given  in  §15.2.  Standards  are  pursued  in  §15.3.  Notes  and 
further  references  follow  in  §15.4. 


15.2  Patents  on  cryptographic  techniques 

A vast  number  of  cryptographic  patents  have  been  issued,  of  widely  varying  significance 
and  use.  Here  attention  is  focused  on  a subset  of  these  with  primary  emphasis  on  unexpired 
patents  of  industrial  interest,  involving  fundamental  techniques  and  specific  algorithms  and 
protocols.  In  addition,  some  patents  of  historical  interest  are  noted. 

Where  appropriate,  a brief  description  of  major  claims  or  disclosed  techniques  is  given. 
Inclusion  herein  is  intended  to  provide  reference  information  to  practitioners  on  the  exis- 
tence and  content  of  well-known  patents,  and  to  illustrate  the  nature  of  cryptographic  pat- 
ents in  general.  There  is  no  intention  to  convey  any  judgement  on  the  validity  of  any  claims. 

Because  most  patents  are  eventually  filed  in  the  United  States,  U.S.  patent  numbers  and 
associated  details  are  given.  Additional  information  including  related  filings  in  other  coun- 
tries may  be  found  in  patent  databases.  For  further  technical  details,  the  original  patents 
should be consulted (see §15.2.4). Where details of patented techniques and algorithms appear elsewhere in this book, cross-references are given.

Expiry of patents

U.S. patents are valid for 17 years from the date of issue, or 20 years from the date a patent application was filed. For applications filed before June 8 1995 (and unexpired at that point), the longer period applies; the 20-year rule applies for applications filed after this date.

Priority  data 

Many  countries  require  that  a patent  be  filed  before  any  public  disclosure  of  the  invention; 
in  the  USA,  the  filing  must  be  within  one  year  of  disclosure.  A large  number  of  countries 
are  parties  to  a patent  agreement  which  recognizes  priority  dates.  A patent  filed  in  such  a 
country,  and  filed  in  another  such  country  within  one  year  thereof,  may  claim  the  date  of 
the  first  filing  as  a priority  date  for  the  later  filing. 

Outline  of  patents  section 

The discussion of patents is broken into three main subsections. §15.2.1 notes five fundamental patents, including DES and basic patents on public-key cryptography. §15.2.2 addresses ten prominent patents including those on well-known block ciphers, hash functions, identification and signature schemes. §15.2.3 includes ten additional patents addressing various techniques, of historical or practical interest. Finally, §15.2.4 provides information on ordering patents.


15.2.1  Five  fundamental  patents 

Table  15.1  lists  five  basic  cryptographic  patents  which  are  fundamental  to  current  crypto- 
graphic practice,  three  involving  basic  ideas  of  public-key  cryptography.  These  patents  are 
discussed  in  chronological  order. 


Inventors                Patent #     Issue date      Ref.     Major claim or area
Ehrsam et al.            3,962,539    Jun. 08 1976    [363]    DES
Hellman-Diffie-Merkle    4,200,770    Apr. 29 1980    [551]    Diffie-Hellman agreement
Hellman-Merkle           4,218,582    Aug. 19 1980    [553]    public-key systems
Merkle                   4,309,569    Jan. 05 1982    [848]    tree authentication
Rivest-Shamir-Adleman    4,405,829    Sep. 20 1983    [1059]   RSA system

Table 15.1: Five fundamental U.S. cryptographic patents.


(i)  DES  block  cipher 

The  patent  of  Ehrsam  et  al.  (3,962,539)  covers  the  algorithm  which  later  became  well- 
known  as  DES  (§7.4).  Filed  on  February  24  1975  and  now  expired,  the  patent  was  assigned 
to  the  International  Business  Machines  Corporation  (IBM).  Its  background  section  com- 
ments briefly  on  1974  product  cipher  patents  of  Feistel  (3,798,359)  and  Smith  (3,796,830), 
respectively  filed  June  30  1971  and  November  2 1971 . It  notes  that  while  the  Feistel  patent 
discloses  a product  cipher  which  combines  key-dependent  linear  and  nonlinear  transforma- 
tions, it  fails  to  disclose  specific  details  including  precisely  how  key  bits  are  used,  regard- 
ing the  nonlinear  transformation  within  S-boxes,  and  regarding  a particular  permutation.  In 
addition,  the  effect  of  key  bits  is  limited  by  the  particular  grouping  used.  The  background 
section  comments  further  on  the  cipher  of  Smith's  patent,  noting  its  inherently  serial  nature 
as a performance drawback, and that both it and that of Feistel have only two types of substitution boxes, which are selected as a function of a single key bit. Thus, apparently, the need for a new cipher. The patent contains ten (10) claims.

(ii) Diffie-Hellman key agreement

The first public-key patent issued, on April 29 1980, was the Hellman-Diffie-Merkle patent (4,200,770). Filed on September 6 1977, it was assigned to Stanford University (Stanford, California). It is generally referred to as the Diffie-Hellman patent, as it covers Diffie-Hellman key agreement (§12.6.1). There are two major objects of the patent. The first is a method for communicating securely over an insecure channel without a priori shared keys; this can be done by Diffie-Hellman key agreement. The second is a method allowing authentication of an identity over insecure channels; this can be done using authentic, long-term Diffie-Hellman public keys secured in a public directory, with derivation and use of the resulting Diffie-Hellman secret keys providing the authentication. The patent contains eight (8) claims including the idea of establishing a session key by public-key distribution, e.g., using message exchanges as in two-pass Diffie-Hellman key agreement. Claim 8 is the most specific, specifying Diffie-Hellman using a prime modulus q and exponents x_i and x_j in [1, q − 1].

(iii) Merkle-Hellman knapsacks and public-key systems

The Hellman-Merkle patent (4,218,582) was filed October 6 1977 and assigned to the Board of Trustees of the Leland Stanford Junior University (Stanford, California). It covers public-key cryptosystems based on the subset-sum problem, i.e., Merkle-Hellman trapdoor knapsacks (now known to be insecure - see §8.6.1), in addition to various claims on public-key encryption and public-key signatures. The objects of the invention are to allow private conversations over channels subject to interception by eavesdroppers; to allow authentication of a receiver's identity (through its ability to use a key only it would be able to compute); and to allow data origin authentication without the threat of dispute (i.e., via public-key techniques, rather than a shared secret key). There are seventeen (17) claims, with Claims 1-6 broadly applying to public-key systems, and Claims 7-17 more narrowly focused on knapsack systems. The broad claims address aspects of general methods using public-private key pairs for public-key encryption, public-key signatures, and the use of public-key encryption to provide authentication of a receiver via the receiver transmitting back to the sender a representation of the enciphered message.

(iv) Tree authentication method of validating parameters

Merkle's 1982 patent (4,309,569) covers tree authentication (§13.4.1). It was filed September 5 1979, and assigned to the Board of Trustees of the Leland Stanford Junior University (Stanford, California). The main motivation cited was to eliminate the large storage requirement inherent in prior one-time signature schemes, although the idea has wider application. The main ideas are to use a binary tree and a one-way hash function to allow authentication of leaf values Y_i associated with each user i. Modifications cited include: use of a ternary or k-ary tree in place of a binary tree; use of the tree for not only public values of one-time signatures, but for authenticating arbitrary public values for alternate purposes; and use of a distinct authentication tree for each user i, the root R_i of which replaces Y_i above, thereby allowing authentication of all values in i's tree, rather than just a single Y_i. The epitome of conciseness, this patent contains a single figure and just over two pages of text including four (4) claims.
(v) RSA public-key encryption and signature system

The Rivest-Shamir-Adleman patent (4,405,829) was filed December 14 1977, and assigned to the Massachusetts Institute of Technology. It covers the RSA public-key encryption (§8.2.1) and digital signature method (§11.3.1). Also mentioned are generalizations, including: use of a modulus n which is a product of three or more primes (not necessarily distinct); and using an encryption public key e to encrypt a message M to a ciphertext C by evaluating a polynomial Σ_{i=0}^{t} a_i M^{e_i} mod n where e_i and a_i, 0 ≤ i ≤ t, are integers, and recovering the plaintext M by "utilizing conventional root-finding techniques, choosing which of any roots is the proper decoded version, for example, by the internal redundancy of the message". Other variations mentioned include using RSA encipherment in CFB mode, or as a pseudorandom number generator to generate key pads; signing a compressed version of the message rather than the message itself; and using RSA encryption for key transfer, the key thereby transferred to be used in another encryption method. This patent has the distinction of a claims section, with forty (40) claims, which is longer than the remainder of the patent.


15.2.2 Ten prominent patents

Ten prominent patents are discussed in this section, in order as per Table 15.2.


Inventors            Patent #   Issue date    Ref.        Major claim or area
Okamoto et al.       4,625,076  Nov. 25 1986  [952]       ESIGN signatures
Shamir-Fiat          4,748,668  May 31 1988   [1118]      Fiat-Shamir identification
Matyas et al.        4,850,017  Jul. 18 1989  [806]       control vectors
Shimizu-Miyaguchi    4,850,019  Jul. 18 1989  [1125]      FEAL cipher
Brachtl et al.       4,908,861  Mar. 13 1990  [184]       MDC-2, MDC-4 hashing
Schnorr              4,995,082  Feb. 19 1991  [1095]      Schnorr signatures
Guillou-Quisquater   5,140,634  Aug. 18 1992  [523]       GQ identification
Massey-Lai           5,214,703  May 25 1993   [791]       IDEA cipher
Kravitz              5,231,668  Jul. 27 1993  [711]       DSA signatures
Micali               5,276,737  Jan. 04 1994  [861, 862]  'fair' key escrow

Table 15.2: Ten prominent U.S. cryptographic patents.


(i) ESIGN signatures

The Okamoto-Miyaguchi-Shiraishi-Kawaoka patent (4,625,076) covers the original ESIGN signature scheme (see §11.7.2). The patent was filed March 11 1985 and assigned to the Nippon Telegraph and Telephone Corporation (Tokyo), with priority data listed as March 19 1984 (Japanese patent office). The objective is to provide a signature scheme faster than RSA. The patent contains twenty-five (25) claims.

(ii) Fiat-Shamir identification and signatures

The Shamir-Fiat patent (4,748,668) covers Fiat-Shamir identification (§10.4.2) and signatures (§11.4.1). It was filed July 9 1986, and assigned to Yeda Research and Development Co. Ltd. (Israel). For identification, the inventors suggest a typical number of rounds t as 1 to 4, and parameter selections including k = 5 (secrets), t = 4 for a 2^{−20} probability of forgery, and k = 6, t = 5 for 2^{−30}. A range of parameters k, t for kt = 72 is tabulated for the corresponding signature scheme, showing tradeoffs between key storage, signature size, and real-time operations required. Noted features relative to prior art include being able to pipeline computations, and being able to change the security level after the key is selected (e.g., by changing t). Generalizations noted include replacing square roots by cubic or higher roots. There are forty-two (42) claims.

(iii) Control vectors for key management

The Matyas-Meyer-Brachtl patent (4,850,017) is one of several in the area of control vectors for key management, in this case allowing a sending node to constrain the use of keys at a receiving node. It was filed May 29 1987 and assigned to the IBM Corporation. Control vectors reduce the probability of key misuse. Two general methods are distinguished. In the first method, the key and a control value are authenticated before use through verification of a special authentication code, the key for which is part of the data being authenticated. In the second method (see §13.5.2), the key and control value are cryptographically bound at the time of key generation, such that recovery of the key requires specification of the correct control vector. In each method, additional techniques may be employed to control which users may use the key in question. The patent contains twenty-two (22) claims.

(iv) FEAL block cipher

The Shimizu-Miyaguchi patent (4,850,019) gives the originally proposed ideas of the FEAL block cipher (see §7.5). It was filed November 3 1986 and assigned to the Nippon Telegraph and Telephone Corporation (Tokyo), with priority data listed as November 8 1985 (Japanese patent office). Embodiments of FEAL with various numbers of rounds are described, with figures including four- and six-round FEAL (now known to be insecure - see Note 7.100), and discussion of key lengths including 128 bits. The patent makes twenty-six (26) claims.

(v) MDC-2/MDC-4 hash functions

The patent of Brachtl et al. (4,908,861) covers the MDC-2 and MDC-4 hash functions (§9.4.1). It was filed August 28 1987 and assigned to the IBM Corporation. The patent notes that interchanging internal key halves, as is done at a particular stage in both algorithms, is actually required for security in MDC-2 but not MDC-4; however, the common design was nonetheless used, to allow MDC-4 to be implemented using MDC-2 twice. A preliminary section of the patent discusses alternatives for providing message authentication (see §9.6), as well as estimates of the security of the new hash functions, and justification for fixing certain bits within the specification to avoid effects of weak DES keys. There are twenty-one (21) claims, mainly on building 2N-bit hash functions from N-bit block ciphers.

(vi) Schnorr identification and signatures

The Schnorr patent (4,995,082) covers Schnorr's identification (§10.4.4) and signature (§11.5.3) schemes, and optimizations thereof involving specific pre-processing. It was filed February 23 1990, with no assignee listed, and priority data given as February 24 1989 (European patent office). There are eleven (11) claims. Part of Claim 6 covers a specific variation of the Fiat-Shamir identification method using a prime modulus p, such that p − 1 is divisible by a prime q, and using a base β of order q.

(vii) GQ identification and signatures

The Guillou-Quisquater patent (5,140,634) addresses GQ identification (Protocol 10.31) and signatures (Algorithm 11.48). It was filed October 9 1991, as a continuation-in-part of two abandoned applications, the first filed September 7 1988. The original assignee was the U.S. Philips Corporation (New York). The disclosed techniques allow for authentication of so-called accreditation information, authentication of messages, and the signing of messages. The central authentication protocol involves a commitment-challenge-response method and is closely related to the zero-knowledge-based identification technique of Fiat and Shamir (Protocol 10.24). However, it requires only a single protocol execution and single accreditation value, rather than a repetition of executions and a plurality of accreditation values. The cited advantages over previous methods include smaller memory requirements, and shorter overall duration due to fewer total message exchanges. The main applications cited are those involving chipcards in banking applications. There are twenty-three (23) claims, including specific claims involving the use of chipcards.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

(viii) IDEA block cipher

The Massey-Lai patent (5,214,703) covers the IDEA block cipher (§7.6), proposed as a European or international alternative to DES offering greater key bitlength (and thereby, hopefully greater security). It was filed May 16 1991, and assigned to Ascom Tech AG (Bern), with priority data given as May 18 1990 from the original Swiss patent. A key concept in the cipher is the use of at least two different types of arithmetic and logical operations, with emphasis on different operations in successive stages. Three such types of operation are proposed: addition mod 2^m, multiplication mod 2^m + 1, and bitwise exclusive-or (XOR). Symbols denoting these operations, hand-annotated in the European version of the patent (WO 91/18459, dated 28 November 1991, in German), appear absent in the text of the U.S. patent, making the latter difficult to read. There are fourteen (14) figures and ten (10) multi-part claims.

(ix) DSA signature scheme

The patent of Kravitz (5,231,668), titled "Digital Signature Algorithm", has become widely known and adopted as the DSA (§11.5.1). It was filed July 26 1991, and assigned to "The United States of America as represented by the Secretary of Commerce, Washington, D.C." The background section includes a detailed discussion of ElGamal signatures and Schnorr signatures, including their advantage relative to RSA - allowing more efficient on-line signatures by using off-line precomputation. Schnorr signatures are noted as more efficient than ElGamal for communication and signature verification, although missing some "desirable features of ElGamal" and having the drawback that cryptanalytic experience and confidence associated with the ElGamal system do not carry over. DSA is positioned as having all the efficiencies of the Schnorr model, while remaining compatible with the ElGamal model from an analysis perspective. In the exemplary specification of DSA, the hash function used was MD4. The patent makes forty-four (44) claims.

(x) Fair cryptosystems and key escrow

Micali's patent (5,276,737) and its continuation-in-part (5,315,658), respectively filed April 20 1992 and April 19 1993 (with no assignees listed), cover key escrow systems called "fair cryptosystems" (cf. §13.8.3). The subject of the first is a method involving a public-key cryptosystem, for allowing third-party monitoring of communications (e.g., government wiretapping). A number of shares (see secret-sharing - §12.7) created from a user-selected private key are given to a set of trustees. By some method of verifiable secret sharing, the trustees independently verify the authenticity of the shares and communicate this to an authority, which approves a user's public key upon receiving all such trustee approvals. Upon proper authorization (e.g., a court order), the trustees may then subsequently provide their shares to the authority to allow reconstruction of a user private key. Exemplary systems include transforming Diffie-Hellman (see paragraph below) and RSA public-key systems into fair cryptosystems. Modifications require only k out of n trustees to contribute shares to recover a user secret and prevent trustees from learning the identity of a user whose share is requested. The patent contains eighteen (18) claims, the first 14 being restricted to public-key systems.

A fair cryptosystem for Diffie-Hellman key agreement modulo p, with a generator g and n trustees, may be constructed as follows. Each user A selects n integers s_1, ..., s_n in the interval [1, p − 1], and computes s = Σ_{i=1}^{n} s_i mod p, public shares y_i = g^{s_i} mod p, and a public key y = g^s mod p. Trustee T_i, 1 ≤ i ≤ n, is given y, public shares y_1, ..., y_n, and the secret share s_i to be associated with A. Upon verifying y_i = g^{s_i}, T_i stores (A, y, s_i), and sends the authority a signature on (i, y, y_1, ..., y_n). Upon receiving such valid signatures from all n trustees, verifying the y_i in the signed messages are identical, and that y = Π y_i mod p, the authority authorizes y as A's Diffie-Hellman public key.
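The fair Diffie-Hellman construction just described, as an added example that is not the patent's or the Handbook's code. It assumes a toy group p = 23, g = 5, stands in HMAC tags for the trustees' signatures, and reduces A's private key s modulo p − 1 (the order of the exponent group) so that g^s equals the product of the public shares, as the authority's final check requires.

```python
"""Micali 'fair' Diffie-Hellman key escrow: user, n trustees, and an authority.

Added example (not the patent's or the Handbook's code).  Assumptions: the toy
group p = 23, g = 5 (5 generates Z_23^*); trustee signatures are stood in for
by HMAC tags under per-trustee keys; the private key s is reduced modulo p - 1,
the order of the exponent group, so that g^s = prod y_i mod p as the
authority's check requires.  A real deployment needs a large prime and a
secure random source for the shares."""
import hashlib
import hmac

P, G = 23, 5      # toy Diffie-Hellman parameters (assumption)
N = 3             # number of trustees


def user_setup(shares):
    """User A picks n shares s_i in [1, p-1]; derives y_i = g^s_i and y = g^s."""
    if len(shares) != N or not all(1 <= s_i <= P - 1 for s_i in shares):
        raise ValueError("need n shares in [1, p-1]")
    s = sum(shares) % (P - 1)                  # private key (mod the group order)
    y_pub = [pow(G, s_i, P) for s_i in shares]  # public shares y_i
    return s, pow(G, s, P), y_pub              # (s, y, [y_1..y_n])


def trustee_sign(key, i, y, y_pub):
    """T_i's signature on (i, y, y_1, ..., y_n); an HMAC tag stands in (assumption)."""
    msg = f"{i}|{y}|{','.join(map(str, y_pub))}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def trustee_check(i, key, user, y, y_pub, s_i, store):
    """T_i verifies y_i = g^s_i, records (A, y, s_i) and returns its approval,
    or None when the secret share does not match the public share."""
    if pow(G, s_i, P) != y_pub[i]:
        return None
    store[(user, i)] = (y, s_i)
    return (i, y, tuple(y_pub), trustee_sign(key, i, y, y_pub))


def authority_approve(approvals, trustee_keys):
    """Authorize y only with n valid approvals on identical data and y = prod y_i."""
    if len(approvals) != N or any(a is None for a in approvals):
        return False
    ys = {a[1] for a in approvals}
    pubs = {a[2] for a in approvals}
    if len(ys) != 1 or len(pubs) != 1:
        return False            # trustees were not all shown the same y, y_1..y_n
    y, y_pub = ys.pop(), list(pubs.pop())
    for i, _, _, tag in approvals:
        if not hmac.compare_digest(tag, trustee_sign(trustee_keys[i], i, y, y_pub)):
            return False
    prod = 1
    for y_i in y_pub:
        prod = prod * y_i % P
    return prod == y


def authority_recover(user, y, stores):
    """After proper authorization every trustee releases s_i; the authority
    rebuilds s and checks it against the approved public key."""
    s = sum(stores[i][(user, i)][1] for i in range(N)) % (P - 1)
    return s if pow(G, s, P) == y else None


def escrow_demo(shares, user="A"):
    """Run the whole flow; returns (approved?, recovered key equals A's key?)."""
    keys = [hashlib.sha256(f"trustee-{i}".encode()).digest() for i in range(N)]  # constructed
    s, y, y_pub = user_setup(shares)
    stores = [dict() for _ in range(N)]
    approvals = [trustee_check(i, keys[i], user, y, y_pub, shares[i], stores[i])
                 for i in range(N)]
    approved = authority_approve(approvals, keys)
    recovered = authority_recover(user, y, stores) if approved else None
    return approved, recovered == s
```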

The continuation-in-part pursues time-bounded monitoring in greater detail, including use of tamper-proof chips with internal clocks. Methods are also specified allowing an authority (hereafter, the government) access to session keys, including users employing a master key to allow such access. A further method allows verification, without monitoring content, that transmitted messages originated from government-approved devices. This may involve tamper-proof chips in each communicating device, containing and employing a government master key K_M. Such devices allow verification by transmitting a redundant data string dependent on this key. The continuation-in-part has thirteen (13) claims, with the first two (2) restricted to public-key systems. Claims 11 and 12 pursue methods for verifying that messages originate from a tamper-proof device using an authorized encryption algorithm.


15.2.3 Ten selected patents

Ten additional patents are discussed in this section, as listed in Table 15.3. These provide a selective sample of the wide array of existing cryptographic patents.


Inventors         Patent #   Issue date    Ref.        Major claim or area
Feistel           3,798,359  Mar. 19 1974  [385]       Lucifer cipher
Smid-Branstad     4,386,233  May 31 1983   [1154]      key notarization
Hellman-Pohlig    4,424,414  Jan. 03 1984  [554]       Pohlig-Hellman cipher
Massey, Omura     4,567,600  Jan. 28 1986  [792, 956]  normal basis arithmetic
Hellman-Bach      4,633,036  Dec. 30 1986  [550]       generating strong primes
Merkle            4,881,264  Nov. 14 1989  [846]       one-time signatures
Goss              4,956,863  Sep. 11 1990  [519]       Diffie-Hellman variation
Merkle            5,003,597  Mar. 26 1991  [847]       Khufu, Khafre ciphers
Micali et al.     5,016,274  May 14 1991   [864]       on-line/off-line signing
Brickell et al.   5,299,262  Mar. 29 1994  [203]       exponentiation method

Table 15.3: Ten selected U.S. cryptographic patents.


(i) Lucifer cipher

Feistel's patent (3,798,359) is of historical interest. Filed June 30 1971 and assigned to the IBM Corporation, it has now expired. The background section cites a number of earlier cipher patents including ciphering wheel devices and key stream generators. The patent discloses a block cipher, more specifically a product cipher noted as being under the control of subscriber keys, and designed to resist cryptanalysis "not withstanding ... knowledge of the structure of the system" (see Chapter 7 notes on §7.4). It is positioned as distinct from prior art systems, none of which "utilized the advantages of a digital processor and its inherent speed." The patent has 31 figures supporting (only) six pages of text plus one page of thirteen (13) claims.

(ii) Key notarization

The Smid-Branstad patent (4,386,233) addresses key notarization (§13.5.2). It was filed September 29 1980, with no assignee listed. A primary objective of key notarization is to prevent key substitution attacks. The patent contains twenty-one (21) claims.

(iii) Pohlig-Hellman exponentiation cipher

The Hellman-Pohlig patent (4,424,414) was filed May 1 1978 (four and one-half months after the RSA patent), and assigned to the Board of Trustees of the Leland Stanford Junior University (Stanford, California). It covers the Pohlig-Hellman symmetric-key exponentiation cipher, wherein a prime q is chosen, along with a secret key K, 1 ≤ K ≤ q − 2, from which a second key D, 1 ≤ D ≤ q − 2, is computed such that KD ≡ 1 mod (q − 1). A message M is enciphered as C = M^K mod q, and the plaintext is recovered by computing C^D mod q = M. Two parties make use of this by arranging, a priori, to share the symmetric keys K and D. The patent contains two (2) claims, specifying a method and an apparatus for implementing this block cipher. Although of limited practical significance, this patent is often confused with the three well-known public-key patents of Table 15.1.

(iv) Arithmetic in F_{2^m} using normal bases

Two patents of Massey and Omura are discussed here. The Omura-Massey patent (4,587,627) teaches a method for efficient multiplication of elements of a finite field F_{2^m} by exploiting normal bases representations. It was filed September 14 1982, with priority data November 30 1981 (European patent office), and was issued May 6 1986 with the assignee being OMNET Associates (Sunnyvale, California). The customary method for representing a field element β ∈ F_{2^m} involves a polynomial basis 1, x, x^2, x^3, ..., x^{m−1}, with β = Σ_{i=0}^{m−1} a_i x^i, a_i ∈ {0,1} (see §2.6.3). Alternatively, using a normal basis x, x^2, x^4, ..., x^{2^{m−1}} (with x selected such that these are linearly independent) allows one to represent β as β = Σ_{i=0}^{m−1} b_i x^{2^i}, b_i ∈ {0,1}. The inventors note that this representation "is unconventional, but results in much simpler logic circuitry". For example, squaring in this representation is particularly efficient (noted already by Magleby in 1963) - it requires simply a rotation of the coordinate representation from [b_{m−1} ... b_1 b_0] to [b_{m−2} ... b_1 b_0 b_{m−1}]. This follows since x^{2^m} = x and squaring in F_{2^m} is a linear operation in the sense that (B + C)^2 = B^2 + C^2; furthermore, D = B × C implies D^2 = B^2 × C^2. From this, the main object of the patent follows directly: to multiply two elements B and C to yield D = B × C = [d_{m−1} ... d_1 d_0], the same method used for computing d_{m−1} can be used to sequentially produce d_i, m − 2 ≥ i ≥ 0, by applying it to one-bit rotations of the representations of B and C. Alternatively, m such identical processes can be used to compute the m components d_i in parallel. The patent makes twenty-four (24) claims.

The closely related Massey-Omura patent (4,567,600) includes claims on exponentiation in F_{2^m} using normal bases. It was likewise filed September 14 1982 and assigned to OMNET Associates (Sunnyvale, California), with priority date February 2 1982 (European patent office). Its foundation is the observation that using a normal basis representation allows efficient exponentiation in F_{2^m} (Claim 16), since the cost of squaring (see above) in the customary square-and-multiply exponentiation technique is eliminated. A second subject is the implementation of Shamir's three-pass protocol (Protocol 12.22) using modular exponentiation in F_{2^m} as the ciphering operation along with a normal basis representation for elements; and subsequently employing a shared key, established by this method, as the key in an F_{2^m} exponentiation cipher (cf. Hellman-Pohlig patent) again using normal bases. A further object is a method for computing pairs of integers e, d such that ed ≡ 1 mod 2^m − 1. Whereas customarily e is selected and, from it, d is computed via the extended Euclidean algorithm (which involves division), the new technique selects a group element H of high order, then chooses a random integer R in [1, 2^m − 2], and computes e = H^R, d = H^{−R}. The patent includes twenty-six (26) claims in total.
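Both Massey-Omura paragraphs above rest on the normal-basis facts just described. The following added example (not the patents' or the Handbook's code) builds a normal basis of F_{2^5} from the polynomial x^5 + x^2 + 1 (an assumption, used only to construct a reference field), checks that squaring is a coordinate rotation, and multiplies with a single bilinear form fed one-bit rotations of its inputs, cross-checking every product against polynomial-basis arithmetic.

```python
"""Normal-basis squaring and Massey-Omura multiplication in GF(2^m).

Added example, not code from the patents or the Handbook.  Assumption: m = 5
and the reference field is built from x^5 + x^2 + 1 (irreducible over GF(2));
the polynomial basis is used only to find the normal basis and to check results.
"""
from itertools import product

M = 5
POLY = 0b100101   # x^5 + x^2 + 1


def pmul(a, b):
    """Multiply in the polynomial basis (bit i <-> x^i), reducing modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> M) & 1:
            a ^= POLY
    return r


def gf2_rank(vecs):
    """Rank of bit vectors over GF(2), by elimination on the leading bit."""
    pivots = {}
    for v in vecs:
        while v:
            h = v.bit_length() - 1
            if h in pivots:
                v ^= pivots[h]
            else:
                pivots[h] = v
                break
    return len(pivots)


def find_normal_basis():
    """Return [x, x^2, x^4, ..., x^(2^(m-1))] for the first x whose conjugates are independent."""
    for x in range(1, 1 << M):
        conj = [x]
        for _ in range(M - 1):
            conj.append(pmul(conj[-1], conj[-1]))
        if gf2_rank(conj) == M:
            return conj
    raise ValueError("no normal element found")


NB = find_normal_basis()
# Conversion tables: normal coordinate j is the coefficient b_j of x^(2^j).
FROM_NORMAL = {}
for bits in product((0, 1), repeat=M):
    elem = 0
    for j, bj in enumerate(bits):
        if bj:
            elem ^= NB[j]
    FROM_NORMAL[bits] = elem
TO_NORMAL = {v: k for k, v in FROM_NORMAL.items()}
assert len(TO_NORMAL) == 1 << M   # the conjugates really form a basis


def rotate(coords):
    """Squaring in normal coordinates: b'_j = b_{j-1}, i.e. [b_{m-1}..b_0] -> [b_{m-2}..b_0 b_{m-1}]."""
    return tuple(coords[(j - 1) % M] for j in range(M))


# LAM[j][k]: coefficient of x^(2^(m-1)) in the product of basis elements j and k.
LAM = [[TO_NORMAL[pmul(NB[j], NB[k])][M - 1] for k in range(M)] for j in range(M)]


def top_bit(b, c):
    """The one bilinear form that yields the top coordinate d_{m-1} of B * C."""
    d = 0
    for j in range(M):
        if b[j]:
            for k in range(M):
                d ^= c[k] & LAM[j][k]
    return d


def normal_mul(b, c):
    """Massey-Omura: the same circuit on rotated inputs gives every coordinate,
    because rotating squares B and C, and the top bit of (BC)^(2^t) is d_{m-1-t}."""
    d = [0] * M
    for t in range(M):
        d[M - 1 - t] = top_bit(b, c)
        b, c = rotate(b), rotate(c)
    return tuple(d)


def check_against_polynomial_basis():
    """Cross-check squaring-as-rotation and normal_mul for all pairs of elements."""
    for b, c in product(FROM_NORMAL, repeat=2):
        B, C = FROM_NORMAL[b], FROM_NORMAL[c]
        if rotate(b) != TO_NORMAL[pmul(B, B)]:
            return False
        if normal_mul(b, c) != TO_NORMAL[pmul(B, C)]:
            return False
    return True
```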

(v) Generation of strong primes

The Hellman-Bach patent (4,633,036) covers a method for generating RSA primes p and q and an RSA modulus n = pq satisfying certain conditions such that factoring n is believed to be computationally infeasible. The patent was filed May 31 1984 and assigned to Martin E. Hellman. The standard strong prime conditions (Definition 4.52) are embedded: p − 1 requiring a large prime factor r; p + 1 requiring a large prime factor s; and r − 1 requiring a large prime factor r'. A new requirement according to the invention was that s − 1 have a large prime factor s', with cited justification that the (then) best known factoring methods exploiting small s' required s' operations. The patent includes twenty-four (24) claims, but is now apparently of historical interest only, as the best-known factoring techniques no longer depend on the cited properties (cf. §4.4.2).

(vi) Efficient one-time signatures using expanding trees

Merkle's 1989 patent (4,881,264), filed July 30 1987 with no assignee listed on the issued patent, teaches how to construct authentication trees which may be expanded arbitrarily, without requiring a large computation when a new tree is constructed (or expanded). The primary cited use of such a tree is for making available public values y (corresponding to secret values x) of a user A in a one-time signature scheme (several of which are summarized). In such schemes, additional public values are continually needed over time. The key idea is to associate with each node in the tree three vectors of public information, each of which contains sufficient public values to allow one one-time signature; call these the LEFT, RIGHT, and MESSAGE vectors. The combined hash value H_i of all three of these vectors serves as the hash value of the node i. The root hash value H_1 is made widely available, as per the root value of ordinary authentication trees (§13.4.1). A new message M may be signed by selecting a previously unused node of the tree (e.g., H_1), using the associated MESSAGE vector for a one-time signature thereon. The tree may be expanded downward from node i (e.g., i = 1), to provide additional (verifiably authentic) public values in a new left sub-node 2i or a right sub-node 2i + 1, by respectively using the LEFT and RIGHT vectors at node i to (one-time) sign the hashes H_{2i} and H_{2i+1} of the newly created public values in the respective new nodes. Full details are given in the patent; there are nine (9) claims.

The one-time signatures themselves are based on a symmetric cipher such as DES; the associated one-way function F of a private value x may be created by computing y = F(x) = DES_x(0), i.e., encrypting a constant value using x as key; and a hash function for the authentication tree may also be constructed using DES. Storage requirements on user A for its own tree are further reduced by noting that only x values need be stored; and that these may be pseudorandomly generated, for example, letting J = 0, 1, 2 denote the LEFT, RIGHT, and MESSAGE vectors, and assuming that K public values are needed per one-time signature, the Kth value x in a vector of public values at node I may be defined as x[I, J, K] = DES_{K_A}(I||J||K), where K_A is A's secret key and "||" denotes concatenation.
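The expanding tree and the derived one-time keys just described, as an added example that is not the patent's or the Handbook's code. It assumes HMAC-SHA256 in place of DES_{K_A}(I||J||K) for deriving the x values, SHA-256 as the one-way function F and as the tree hash, and a Lamport one-time signature over a 256-bit digest; node, vector and value indices follow the text.

```python
"""Expanding authentication tree with one-time signatures (Merkle, 4,881,264 style).

Added example, not the patent's or the Handbook's code.  Assumptions:
HMAC-SHA256 stands in for DES_{K_A}(I||J||K) (with '|' separators between the
indices), SHA-256 for F and for the node hash, and a Lamport scheme over a
256-bit digest as the one-time signature."""
import hashlib
import hmac

LEFT, RIGHT, MESSAGE = 0, 1, 2   # J = 0, 1, 2: the three vectors at each node
NBITS = 256                      # digest length covered by one one-time signature
NVALS = 2 * NBITS                # Lamport keeps two secrets per signed bit


def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def secret(ka, i, j, k):
    """x[I,J,K]: the K-th private value of vector J at node I, derived from K_A."""
    return hmac.new(ka, f"{i}|{j}|{k}".encode(), hashlib.sha256).digest()


def public_vector(ka, i, j):
    """Public values y = F(x) of one vector; only K_A ever needs to be stored."""
    return [H(secret(ka, i, j, k)) for k in range(NVALS)]


def node_pubs(ka, i):
    return [public_vector(ka, i, j) for j in range(3)]


def vector_hash(pubs):
    """H_i: the combined hash of a node's LEFT, RIGHT and MESSAGE public vectors."""
    return H(*(y for vec in pubs for y in vec))


def ots_sign(ka, i, j, digest):
    """Lamport signature with vector J of node I: reveal one secret per digest bit."""
    bits = int.from_bytes(digest, "big")
    return [secret(ka, i, j, 2 * b + ((bits >> (NBITS - 1 - b)) & 1)) for b in range(NBITS)]


def ots_verify(pub, digest, sig):
    bits = int.from_bytes(digest, "big")
    return len(sig) == NBITS and all(
        H(sig[b]) == pub[2 * b + ((bits >> (NBITS - 1 - b)) & 1)] for b in range(NBITS))


class ExpandingTreeSigner:
    def __init__(self, ka):
        self.ka, self.used = ka, set()
        self.root = vector_hash(node_pubs(ka, 1))   # H_1, published once

    def sign(self, msg, i):
        """Sign with the MESSAGE vector of unused node i.  The returned chain links
        node i to the root: each child's H is one-time signed by the parent's
        LEFT (child 2p) or RIGHT (child 2p + 1) vector."""
        if i < 1 or i in self.used:
            raise ValueError("node already used or invalid")
        self.used.add(i)
        sig = ots_sign(self.ka, i, MESSAGE, H(msg))
        chain = []                       # (node, its public vectors, parent's OTS on H_node)
        while i > 1:
            parent, side = i // 2, (LEFT if i % 2 == 0 else RIGHT)
            pubs = node_pubs(self.ka, i)
            chain.append((i, pubs, ots_sign(self.ka, parent, side, vector_hash(pubs))))
            i = parent
        chain.append((1, node_pubs(self.ka, 1), None))
        return sig, chain


def verify(root, msg, sig, chain):
    """Check the message OTS, then every parent link up to node 1, then H_1 = root."""
    if not chain or not ots_verify(chain[0][1][MESSAGE], H(msg), sig):
        return False
    for (i, pubs, link), (p, ppubs, _) in zip(chain, chain[1:]):
        side = LEFT if i % 2 == 0 else RIGHT
        if p != i // 2 or not ots_verify(ppubs[side], vector_hash(pubs), link):
            return False
    last, last_pubs, _ = chain[-1]
    return last == 1 and vector_hash(last_pubs) == root
```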
(vii) Goss variation of Diffie-Hellman

The patent of Goss (4,956,863) covers a variation of Diffie-Hellman key agreement essentially the same as Protocol 12.53. It was filed April 17 1989 and assigned to TRW Inc. (Redondo Beach, California). The primary application cited is an authenticated key establishment technique, completely transparent to end-users, for facsimile (FAX) machines on existing telephone networks. At the time of manufacture, a unique device identifier and a signed certificate binding this to a long-term Diffie-Hellman public key (public exponential) is embedded in each device. The identity in the certificate, upon verification, may be used as the basis on which to accept or terminate communications channels. Such a protocol allows new session keys for each FAX call, while basing authentication on long-term certified keys (cf. Remark 12.48; but regarding security, see also Note 12.54). The patent makes sixteen (16) claims.

(viii) Khufu and Khafre block ciphers

Merkle's 1991 patent (5,003,597) covers two symmetric-key block ciphers named Khufu and Khafre (see §7.7.3). These were designed specifically as fast software-oriented alternatives to DES, which itself was designed with hardware performance in mind. The patent was filed December 21 1989 and assigned to the Xerox Corporation. Khufu and Khafre have block size 64 bits and a user-selectable number of rounds. Khufu has key bitlength up to 512 bits, and S-boxes derived from the input key; it encrypts 64-bit blocks faster than Khafre. Khafre has fixed S-boxes, and a key of selectable size (with no upper bound), though larger keys impact throughput. The majority of the patent consists of C-code listings specifying the ciphers. The patent contains twenty-seven (27) claims.

(ix) On-line/off-line digital signatures

The Micali-Goldreich-Even patent (5,016,274) teaches on-line/off-line digital signature schemes. The patent was filed November 8 1988, with no assignee listed. The basic idea is to carry out a precomputation to reduce real-time requirements for signing a particular message $m$. The pre-computation, executed during idle time and independent of $m$, involves generation of matching one-time public and private keying material for a fast (one-time) first signature scheme, and using a second underlying signature scheme to create a signature $s_2$ over the one-time public key. This key from the first scheme is then used to create a signature $s_1$ on $m$. The overall signature on $m$ is $(s_1, s_2)$. Appropriate hash functions can be used as usual to allow signing of a hash value $h(m)$ rather than $m$. In the exemplary method, Rabin's scheme is the underlying signature scheme, and DES is used both to build a one-time signature scheme and for hashing. Regarding security of the overall scheme, a one-time scheme, if secure, is presumed secure against chosen-text attack (since it is used only once); the underlying scheme is secure against chosen-text attack because it signs only strings independent of a message $m$. The method thus may convert any signature scheme into one secure against chosen-text attacks (should this be a concern), or convert any underlying signature scheme to one with smaller real-time requirements. The patent contains thirty-three (33) claims.
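The off-line/on-line split described above, as an added example that is not from the Handbook or the patent: a Lamport one-time signature over SHA-256 stands in for the patent's DES-based one-time scheme, and textbook RSA over a hash (toy key size) stands in for Rabin as the underlying scheme; the message and all keys are constructed at run time.

```python
import hashlib
import os
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(digest: bytes):
    return [(digest[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]


# ---- first scheme: Lamport one-time signature (stand-in for the DES-based one-time scheme) ----
def ot_keygen():
    """Private key: 256 pairs of 32-byte secrets; public key: their SHA-256 hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(x0), H(x1)) for x0, x1 in sk]


def ot_sign(sk, m: bytes):
    # For each bit of h(m), reveal the matching secret. A key pair signs ONE message only.
    return [sk[i][b] for i, b in enumerate(_bits(H(m)))]


def ot_verify(pk, m: bytes, s1) -> bool:
    return len(s1) == 256 and all(H(s1[i]) == pk[i][b] for i, b in enumerate(_bits(H(m))))


def ot_pk_bytes(pk) -> bytes:
    return b"".join(y0 + y1 for y0, y1 in pk)


# ---- second (underlying) scheme: textbook RSA over a hash, toy key size (stand-in for Rabin) ----
def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):                      # Miller-Rabin with random witnesses
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _rand_prime(bits: int) -> int:
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p


def rsa_keygen(bits: int = 512):
    """Toy-sized key for the demonstration only. Returns (public (n, e), private (n, d))."""
    e = 65537
    while True:
        p, q = _rand_prime(bits // 2), _rand_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))


def rsa_sign(sk, data: bytes) -> int:
    n, d = sk
    return pow(int.from_bytes(H(data), "big"), d, n)   # h(data) is 256 bits, so < n


def rsa_verify(pk, data: bytes, sig: int) -> bool:
    n, e = pk
    return pow(sig, e, n) == int.from_bytes(H(data), "big")


# ---- on-line/off-line composition ----
def offline_phase(rsa_sk):
    """Idle-time precomputation, independent of m: a fresh one-time key pair, and
    s2 = underlying-scheme signature over the one-time public key."""
    ot_sk, ot_pk = ot_keygen()
    return {"ot_sk": ot_sk, "ot_pk": ot_pk, "s2": rsa_sign(rsa_sk, ot_pk_bytes(ot_pk))}


def online_phase(pre, m: bytes):
    """Real-time step once m is known: only the fast one-time signature s1 is computed.
    The signature is (s1, s2); the one-time public key travels with it here because
    textbook RSA gives no message recovery (Rabin, in the patent's exemplary method, does)."""
    return (ot_sign(pre["ot_sk"], m), pre["s2"], pre["ot_pk"])


def verify(rsa_pk, m: bytes, sig) -> bool:
    s1, s2, ot_pk = sig
    return rsa_verify(rsa_pk, ot_pk_bytes(ot_pk), s2) and ot_verify(ot_pk, m, s1)


def run_example():
    """Returns (genuine accepted, altered message rejected, wrong long-term key rejected)."""
    rsa_pk, rsa_sk = rsa_keygen()
    pre = offline_phase(rsa_sk)                  # done before m exists
    m = b"constructed message: pay 100 to account 42"
    sig = online_phase(pre, m)                   # fast step once m arrives
    other_pk, _ = rsa_keygen()
    return (verify(rsa_pk, m, sig), verify(rsa_pk, m + b"0", sig), verify(other_pk, m, sig))
```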

(x) Efficient exponentiation for fixed base

The Brickell-Gordon-McCurley patent (5,299,262) teaches a method for fast exponentiation for the case where a fixed base is re-used; see also page 633. This has application in systems such as the ElGamal, Schnorr, and DSA signature schemes. The patent was filed August 13 1992, issued March 29 1994, and assigned to "The United States of America as represented by the United States Department of Energy, Washington, D.C." The method is presented in Algorithm 14.109. The patent contains nine (9) claims.


©1997  by  CRC  Press,  Inc.  — See  accompanying  notice  at  front  of  chapter. 



15.2.4 Ordering and acquiring patents

Any American patent may be ordered by patent number from the U.S. Patent and Trademark Office (PTO). Written requests should be posted to: PTO, Washington, D.C., 20231, USA. Telephone requests may also be made at +703-305-4350, with payment by credit card. A nominal fee applies (e.g., US$3 for patents returned by postal mail; or US$6 for returns by fax, usually the same day). For on-line information on recent patents, consult URL http://www.micropatent.com (e.g., specifying patent class code 380 for cryptography).


15.3 Cryptographic standards

This section summarizes cryptographic and security standards of practical interest. These facilitate widespread use of cryptographically sound techniques, and interoperability of systems and system components. Tables 15.4–15.11 present an overview allowing relevant standards to be located and identified, and access to formal title information allowing acquisition of particular standards. These tables may also be used to locate standards addressing particular areas (e.g., key management). For specific details of techniques and algorithms, the original standards should be consulted. Where relevant technical details appear elsewhere in the book, cross-references are given.

Outline of standards section

§15.3.1 presents international (ISO and ISO/IEC) application-independent standards on cryptographic techniques. §15.3.2 summarizes banking security standards, subdivided into ANSI and ISO standards. §15.3.3 considers international security architectures and frameworks (ISO and X.509). §15.3.4 summarizes security-related standards for use by U.S. federal government departments. §15.3.5 addresses selected Internet specifications, while §15.3.6 notes selected de facto industry standards. §15.3.7 provides information allowing acquisition of standards.


15.3.1 International standards - cryptographic techniques

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) develop standards individually and jointly. Joint standards are developed under the joint technical committee ISO/IEC JTC 1. ISO and ISO/IEC standards progress through the following draft stages before maturing to the International Standard status: Working Draft (WD); Committee Draft (CD); and Draft International Standard (DIS). Each ISO and ISO/IEC standard is reviewed every five years, at which time it is either reaffirmed, revised, or retracted. The ISO/IEC subcommittee responsible for standardizing generic cryptographic techniques is SC 27 (ISO/IEC JTC 1 SC 27). Table 15.4 lists selected ISO and ISO/IEC standards on cryptographic techniques.

ISO 8372: This standard specifies the four well-known modes of operation of a block cipher - electronic codebook (ECB), cipher block chaining (CBC), cipher feedback (CFB), and output feedback (OFB). These modes were originally standardized for DES in FIPS 81 (1980) and ANSI X3.106 (1983). ISO 8372 (first published in 1987) specifies these modes for general 64-bit block ciphers (cf. ISO/IEC 10116).
ISO#       Subject                                          Ref.
8372       modes of operation for a 64-bit cipher           [574]
9796       signatures with message recovery (e.g., RSA)     [596]
9797       data integrity mechanism (MAC)                   [597]
9798-1     entity authentication - introduction             [598]
9798-2       — using symmetric encipherment                 [599]
9798-3       — using public-key techniques                  [600]
9798-4       — using keyed one-way functions                [601]
9798-5       — using zero-knowledge techniques              [602]
9979       register of cryptographic algorithms             [603]
10116      modes of operation for an n-bit cipher           [604]
10118-1    hash functions - introduction                    [605]
10118-2      — using block ciphers                          [606]
10118-3      — customized algorithms                        [607]
10118-4      — using modular arithmetic                     [608]
11770-1    key management - introduction                    [616]
11770-2      — symmetric techniques                         [617]
11770-3      — asymmetric techniques                        [618]
13888-1    non-repudiation - introduction                   [619]
13888-2      — symmetric techniques                         [620]
13888-3      — asymmetric techniques                        [621]
14888-1    signatures with appendix - introduction          [622]
14888-2      — identity-based mechanisms                    [623]
14888-3      — certificate-based mechanisms                 [624]

Table 15.4: ISO and ISO/IEC standards for generic cryptographic techniques.


ISO/IEC 9796: This standard specifies a generic mechanism for digital signature schemes giving message recovery (see §11.3.5 and ANSI X9.31-1; cf. ISO/IEC 14888). Examples are given in its Annex B corresponding to RSA and Rabin's variant thereof (with encryption exponent 2). The main part of the standard is a redundancy scheme, intended to be generically applicable to a large class of signature schemes, although specifically designed to preclude attacks on schemes such as RSA and Rabin which have a multiplicative property.

ISO/IEC 9797: This standard defines a message authentication code (MAC) based on the CBC mode of operation of a block cipher, similar to the MAC algorithms of ISO 8731-1, ISO 9807, ANSI X9.9, and ANSI X9.19 (see Algorithm 9.58).[1] Relative to these, in 9797 the $m$-bit MAC result is constrained only by $m \le n$ (the leftmost or most significant bits are retained), the block cipher is unspecified but has $n$-bit blocks, and a second padding method is specified. These other MAC algorithms may be viewed as special cases of 9797; for example, the specific values $n = 64$ and $m = 32$ along with use of the first padding method (see below) and DES as the block cipher yields the MAC of X9.9.

In 9797, one of two specified padding methods must be selected (Algorithms 9.29, 9.30). The first pads the data input by appending zero or more 0-bits, as few as necessary, to obtain a string whose bitlength is a multiple of $n$. The second method always appends to the data input a single 1-bit, and then zero or more 0-bits, as few as necessary, to obtain a string whose bitlength is a multiple of $n$. Annex A specifies two optional processes; Annex B provides examples. The first optional process is the optional process as described under ANSI X9.19 in §15.3.2; this reduces the threat of exhaustive key search and chosen-plaintext attacks, and is recommended when $m = n$ (see Remark 9.59). The alternative second optional process, providing protection against chosen-plaintext attacks, employs a second key $K'$ (possibly derived from $K$) to encrypt the (previously final) output block, before extracting the $m$-bit MAC result.

[1] Specific technical details are provided for MAC standards in this chapter more so than for other standards, in an attempt to clarify the differences between the large number of CBC-MAC standards which differ only in fine details.

ISO/IEC 9798: Parts subsequent to the introduction (9798-1) of this standard specify entity authentication mechanisms based on: symmetric encryption algorithms (9798-2); public-key signature algorithms (9798-3); a cryptographic check function or MAC (9798-4); and other customized techniques (9798-5), historically referred to by academics as zero-knowledge techniques. The mechanisms use timestamps, sequence numbers, and random numbers as time-variant parameters (§10.3.1). The 9798-3 mechanisms are functionally analogous to those of X.509, and the 9798-3 two-pass and three-pass techniques based on random number challenge-response are the source for those in FIPS 196.

9798-2 specifies four entity authentication mechanisms (as given in §10.3.2) involving two parties A and B and requiring that they share a symmetric key a priori, for use in a symmetric encryption algorithm. When timestamps or sequence numbers are used, these mechanisms require one and two messages, respectively, for unilateral and mutual entity authentication; using challenge-response based on random numbers, one additional message is required in each case. 9798-3 includes four analogous mechanisms (see §10.3.3) wherein the role of the symmetric encryption algorithm is replaced by a digital signature algorithm, and the requirement of shared symmetric keys is replaced by that of possession of authentic (or the capability to authenticate) public keys. 9798-4 specifies four analogous mechanisms (again see §10.3.2) where symmetric encryption as used in 9798-2 is replaced by a cryptographic check function or MAC. 9798-2 specifies two additional mutual authentication mechanisms for the case that A and B do not share a key a priori, but each does share a key with a trusted third party T; these require two further messages (for communication with T) beyond those for the respective mutual entity authentication mechanisms above. 9798-5 (draft) includes an identity-based identification protocol of which Fiat-Shamir (cf. Protocol 10.24) and GQ identification (Protocol 10.31) are special cases, and a protocol based on public-key decryption with witness (see §10.3.3).
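The random-number challenge-response mechanisms described above in their 9798-4 form (MAC in place of encryption), as an added example that is not from the Handbook or from the standard: the two-pass unilateral and three-pass mutual exchanges with both sides' messages and checks. The exact field layout, HMAC-SHA256 as the cryptographic check function, the identifiers A and B and the pre-shared key are all assumptions of this example.

```python
import hashlib
import hmac
import secrets


class Party:
    """One participant: its identifier and the a-priori shared key K (constructed)."""
    def __init__(self, name: bytes, key: bytes):
        self.name = name
        self.key = key

    def check(self, *fields: bytes) -> bytes:
        # Cryptographic check function. Fields are length-prefixed so that, e.g.,
        # (r_A, r_B, B) and (r_B, r_A, A) cannot be made to serialize identically.
        data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
        return hmac.new(self.key, data, hashlib.sha256).digest()


def nonce() -> bytes:
    return secrets.token_bytes(16)      # random-number time-variant parameter


# Unilateral authentication of A to B, two passes (one more than the timestamp variant):
#   (1) B -> A: r_B            (2) A -> B: B, MAC_K(r_B, B)
def unilateral_a(a: Party, r_b: bytes, b_name: bytes):
    return (b_name, a.check(r_b, b_name))


def unilateral_b(b: Party, r_b: bytes, msg2) -> bool:
    b_name, tag = msg2
    # B checks its own fresh challenge and its own identifier are under the MAC.
    return b_name == b.name and hmac.compare_digest(tag, b.check(r_b, b_name))


# Mutual authentication, three passes (one more than the timestamp variant):
#   (1) B -> A: r_B
#   (2) A -> B: r_A, B, MAC_K(r_A, r_B, B)
#   (3) B -> A: A, MAC_K(r_B, r_A, A)
def mutual_a_msg2(a: Party, r_b: bytes, b_name: bytes):
    r_a = nonce()
    return r_a, (r_a, b_name, a.check(r_a, r_b, b_name))


def mutual_b_msg3(b: Party, r_b: bytes, msg2, a_name: bytes):
    r_a, b_name, tag = msg2
    if b_name != b.name or not hmac.compare_digest(tag, b.check(r_a, r_b, b_name)):
        return None                     # A not authenticated: B aborts, sends nothing
    return (a_name, b.check(r_b, r_a, a_name))


def mutual_a_final(a: Party, r_a: bytes, r_b: bytes, msg3) -> bool:
    a_name, tag = msg3
    return a_name == a.name and hmac.compare_digest(tag, a.check(r_b, r_a, a_name))


def run_unilateral(key_a: bytes, key_b: bytes) -> bool:
    a, b = Party(b"A", key_a), Party(b"B", key_b)
    r_b = nonce()                                   # message 1
    return unilateral_b(b, r_b, unilateral_a(a, r_b, b.name))


def run_mutual(key_a: bytes, key_b: bytes):
    """Drive the three-pass exchange; returns (B accepts A, A accepts B)."""
    a, b = Party(b"A", key_a), Party(b"B", key_b)
    r_b = nonce()                                   # message 1
    r_a, msg2 = mutual_a_msg2(a, r_b, b.name)
    msg3 = mutual_b_msg3(b, r_b, msg2, a.name)
    if msg3 is None:
        return (False, False)
    return (True, mutual_a_final(a, r_a, r_b, msg3))


def echo_attempt(key: bytes) -> bool:
    """Would A accept message 2's own MAC echoed back as message 3? No: message 3 must
    cover (r_B, r_A, A), not (r_A, r_B, B); the identifier and nonce order matter."""
    a, b = Party(b"A", key), Party(b"B", key)
    r_b = nonce()
    r_a, (_, _, tag2) = mutual_a_msg2(a, r_b, b.name)
    return mutual_a_final(a, r_a, r_b, (a.name, tag2))
```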

ISO/IEC 9979: This standard specifies procedures allowing certain entities (e.g., ISO member bodies and liaison organizations) to register encryption algorithms in an official ISO register of such algorithms. Registration involves no security evaluation or assessment (the policy of ISO/IEC is to not standardize encryption algorithms themselves). The standard specifies the formats required for such register entries, and registration results in the assignment of a unique identifier to each algorithm, e.g., to allow interoperability. For further information, see page 660.

ISO/IEC 10116: This standard specifies the same four modes of block-cipher operation as ISO 8372, but subsumes that standard by allowing general n-bit block ciphers. ISO/IEC 10116 also provides greater detail regarding various properties of the modes, and sample calculations based on DES.

ISO/IEC 10118: This is a multi-part standard on cryptographic hashing algorithms. 10118-1 specifies common definitions and general requirements. 10118-2 specifies two generic constructions based on n-bit block ciphers: the Matyas-Meyer-Oseas hash function (Algorithm 9.41) and a block-cipher independent MDC-2 (cf. Algorithm 9.46). The draft standard 10118-3 includes SHA-1 (Algorithm 9.53), RIPEMD-128 and RIPEMD-160 (Algorithm 9.55). The draft 10118-4 includes MASH-1 and MASH-2 (see Algorithm 9.56).

ISO/IEC 11770: This multi-part standard addresses generic key management and specifies key establishment mechanisms. 11770-1 is a key management framework and overview including discussion of the key life cycle, protection requirements for keying material, and roles of third parties in key establishment. 11770-2 specifies key establishment mechanisms based on symmetric techniques, including those wherein two parties communicate point-to-point (as in §12.3.1), those similar to the Kerberos and Otway-Rees protocols involving a trusted server or key distribution center (§12.3.2), and those involving a key translation center (e.g., Protocol 13.12). 11770-3 specifies key establishment mechanisms based on asymmetric techniques. These are divided into key agreement protocols, practical instantiations of which are based on Diffie-Hellman and similar techniques (§12.6.1); and key transfer protocols, which typically involve both public-key encryption and digital signatures (§12.5.2) including adaptations of the random number based ISO/IEC 9798-3 mechanisms involving transfer of an embedded encrypted key.

ISO/IEC 13888: This multi-part (draft) standard addresses non-repudiation services (protection against false denials) related to the transfer of a message from an originator to a recipient. Mechanisms are specified for non-repudiation of origin (denial of being the originator of a message), non-repudiation of delivery (denial of having received a message), and non-repudiation associated with the actions of a third party acting as a transfer agent on behalf of others. 13888-1 (draft) provides a non-repudiation model and overview. 13888-2 (draft) specifies mechanisms involving symmetric techniques (encipherment and keyed one-way functions). 13888-3 (draft) specifies mechanisms involving asymmetric techniques and the use of digital signatures.

ISO/IEC 14888: This multi-part (draft) standard addresses schemes for signature with appendix (see §11.2.2 and ANSI X9.30-1; cf. ISO/IEC 9796). 14888-1 (draft) provides common definitions and a general overview including models outlining the steps required for signature generation and various classes of verification processes. 14888-2 (draft) addresses identity-based signature mechanisms, wherein the signature verification key is a public function of the signer's identity. 14888-3 (draft) addresses certificate-based mechanisms, wherein this public key is explicitly specified and, for example, distributed by means of a certificate. These may include DSA and similar signature mechanisms such as ElGamal, Schnorr signatures, and RSA.


15.3.2 Banking security standards (ANSI, ISO)

This section considers banking security standards developed by ANSI and by ISO. Banking security standards are typically divided into wholesale and retail banking (see Table 15.5). Wholesale banking involves transactions between financial institutions. Retail banking involves transactions between institutions and private individuals, including automated teller machine (ATM) and point-of-sale (POS) transactions, and credit authorizations.


category     transaction volume          average transaction value
retail       high (millions per day)     $50
wholesale    low (thousands per day)     $3 million

Table 15.5: Retail vs. wholesale banking characteristics.


(i) ANSI encryption standards

The American National Standards Institute (ANSI) develops standards through various Accredited Standards Committees (ASCs). Accreditation implies that standards developed under a particular committee become ANSI standards. Accredited committees include ASC X3 - Information Processing Systems; ASC X9 - Financial Services; and ASC X12 - Electronic Business Data Interchange. Table 15.6 lists selected ANSI encryption and banking security standards developed under X3 and X9.

ANSI X3.92: This standard specifies the DES algorithm, which ANSI standards refer to as the Data Encryption Algorithm (DEA). X3.92 is technically the same as FIPS 46.

ANSI X3.106: This standard specifies DES modes of operation, or DEA modes of operation as referred to in ANSI standards. X3.106 is technically the same as FIPS 81 (cf. ISO 8372). An appendix in FIPS 81 contains additional background information on the various modes.

(ii) ANSI banking security standards

ASC X9 subcommittee X9F develops information security standards for the financial services industry. Banking security standards include cryptographic and operational requirements, with a heavy emphasis on controls, audit, sound business practices, and interoperability. Among the working groups under X9F, most of the cryptographic work is in X9F1 (public key cryptography and cryptographic tools) and X9F3 (security in wholesale financial telecommunications).


ANSI#      Subject                                          Ref.
X3.92      data encryption algorithm (DEA)
X3.106     data encryption algorithm (DEA) modes
X9.8       PIN management and security                      [35]
X9.9       message authentication (wholesale)               [36]
X9.17      key management (wholesale; symmetric)            [37]
X9.19      message authentication (retail)                  [38]
X9.23      encryption of messages (wholesale)               [39]
X9.24      key management (retail)                          [40]
X9.26      sign-on authentication (wholesale)               [41]
X9.28      multi-center key management (wholesale)          [42]
X9.30-1    digital signature algorithm (DSA)                [43]
X9.30-2    secure hash algorithm (SHA) for DSA              [44]
X9.31-1    RSA signature algorithm                          [45]
X9.31-2    hashing algorithms for RSA                       [46]
X9.42      key management using Diffie-Hellman              [47]
X9.45      attribute certificates and other controls        [49]
X9.52      triple DES and modes of operation                [50]
X9.55      certificate extensions (v3) and CRLs             [51]
X9.57      certificate management                           [52]

Table 15.6: ANSI encryption and banking security standards.

ANSI X9.8: This standard addresses PIN management and security. It consists of ISO 9564 reproduced in its entirety, with clearly marked "X9 Notes" added where required to adapt the text for use as an ANSI X9 standard. A standard means for interchanging PIN data is specified. Annex A of 9564 (procedures for the approval of an encipherment algorithm) is included; the only currently specified approved algorithm is DES. Annex B (general principles for key management) is also retained from 9564, but noted as superseded by X9.24 (retail key management).
ANSI X9.9: This standard specifies a DES-based message authentication code (MAC) algorithm for wholesale banking as summarized below (cf. X9.19 for retail banking). If data is protected by both authentication and encryption mechanisms, a different key is required for each purpose. Message replay is precluded by use of date and message identifier fields. Appendix B includes sample MAC computations. X9.9 requires key management in accordance with ANSI X9.17, and also addresses implementation issues including coded character sets and representations, field delimiters, and message normalization (e.g., replacing carriage returns or line feeds by space characters, and multiple spaces by single spaces), and notes other practical concerns such as escape sequences beyond the scope of a MAC causing over-writing of authenticated data fields on display devices.

The X9.9 MAC algorithm may be implemented using either the cipher-block chaining (CBC) or 64-bit cipher feedback (CFB-64) mode, initialized to produce the same result (see Note 15.1). Final data blocks with fewer than 64 bits are left-justified and zero-bits are appended to complete the block before processing. The MAC result is specified to be the leftmost 32 bits of the final DES output. X9.9 states that the capability to generate 48-bit and 64-bit MAC values should also exist.

15.1 Note (CBC-MAC and equivalent CFB-64 MAC) For data blocks $D_1, \ldots, D_t$ and a fixed MAC key $K$, equivalent MACs may be generated using either the CBC or 64-bit cipher feedback (CFB-64) modes. In the CBC case, the MAC $C_t$ is defined by $C_i = E_K(D_i \oplus C_{i-1})$ for $1 \le i \le t$ and $C_0 = IV = 0$. For the CFB-64 case, let $O_i = E_K(I_i)$ be the output from the block encryption at stage $i$ for $1 \le i \le t$, where $I_i = D_i \oplus O_{i-1}$ for $2 \le i \le t$ and $I_1 = D_1$ (the first 8 data bytes serve as IV). Note $O_t = C_t$, from above. (A block $D_{t+1} = 0$ may be introduced if the CFB implementation interface requires the final output $O_t$ be XORed to a data block before release.)

ANSI X9.17: This standard, which was the basis for ISO 8732, specifies manual and automated methods (symmetric-based) for wholesale banking key management, including key establishment techniques and protection of keys in key management facilities. A key management hierarchy is defined consisting of manually-distributed key-encrypting keys, electronically-distributed key-encrypting keys, and electronically-distributed data or transaction keys for authentication or encryption. Key management techniques include the use of key counters, key offsetting, and key notarization. Key establishment settings include direct exchange between two nodes (point-to-point), and both key distribution centers (KDCs) and key translation centers (KTCs).

ANSI X9.19: This standard specifies a DES-based message authentication code (MAC) algorithm for retail banking (cf. X9.9 for wholesale banking). Implementation and other issues are addressed as per X9.9, and the MAC algorithm itself is essentially the same as X9.9, differing in that the MAC result is the leftmost $m$ bits of the final 64-bit output, where $m$ is to be specified by the application. An optional X9.19 procedure using a second key $K'$ is specified for increased protection against exhaustive key determination: the (previously) final output is decrypted using $K'$ and then re-encrypted under the original key. The resulting algorithm is widely referred to as the retail MAC; see Figure 9.6.
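The CBC-MAC family described under ISO/IEC 9797 in §15.3.1 (both padding methods, $m$-bit truncation, and the two optional final processes), the X9.9 CBC vs. CFB-64 equivalence of Note 15.1, and the X9.19 retail MAC above, as one added example that is not from the Handbook or from any of the standards. DES is replaced by a placeholder 8-round Feistel "toy" cipher so the code runs on the standard library alone; the keys and messages are constructed.

```python
import hashlib
import hmac

N = 8   # block size in bytes: n = 64 bits, as for DES and ISO 8372


def _f(key: bytes, half: int, rnd: int) -> int:
    """Keyed round function of the placeholder cipher (SHA-256 truncated to 32 bits)."""
    d = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big")


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Placeholder 64-bit block cipher standing in for DES so the example runs offline.
    It is NOT a secure cipher; only the MAC construction around it is the point."""
    L, R = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for rnd in range(8):
        L, R = R, L ^ _f(key, R, rnd)
    return L.to_bytes(4, "big") + R.to_bytes(4, "big")


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    L, R = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for rnd in reversed(range(8)):
        L, R = R ^ _f(key, L, rnd), L
    return L.to_bytes(4, "big") + R.to_bytes(4, "big")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes, method: int) -> bytes:
    """ISO/IEC 9797 padding at byte granularity. Method 1: append as few 0-bits as needed.
    Method 2: always append a single 1-bit (0x80 here), then 0-bits, up to a multiple of n.
    Method 1 cannot tell messages apart that differ only in trailing 0-bits (see test)."""
    if method == 2:
        data = data + b"\x80"
    elif method != 1:
        raise ValueError("padding method must be 1 or 2")
    return data + bytes(-len(data) % N)


def _leftmost(block: bytes, m: int) -> bytes:
    """Retain the leftmost (most significant) m bits, 1 <= m <= n, right-aligned in bytes."""
    if not 1 <= m <= 8 * N:
        raise ValueError("m must satisfy 1 <= m <= n")
    return (int.from_bytes(block, "big") >> (8 * N - m)).to_bytes((m + 7) // 8, "big")


def cbc_mac(key: bytes, data: bytes, m: int = 32, method: int = 1,
            optional: int = 0, key2: bytes = b"") -> bytes:
    """9797 CBC-MAC. optional=1: X9.19 retail MAC (decrypt final block under K', re-encrypt
    under K); optional=2: encrypt final block under K'. Defaults give the X9.9 shape
    (n = 64, m = 32, padding method 1, no optional process) with the toy cipher for DES."""
    if not data and method == 1:
        raise ValueError("empty input: use padding method 2")
    padded = pad(data, method)
    c = bytes(N)                                         # C_0 = IV = 0
    for i in range(0, len(padded), N):
        c = toy_encrypt(key, _xor(padded[i:i + N], c))  # C_i = E_K(D_i xor C_{i-1})
    if optional == 1:
        c = toy_encrypt(key, toy_decrypt(key2, c))
    elif optional == 2:
        c = toy_encrypt(key2, c)
    return _leftmost(c, m)


def cfb64_mac(key: bytes, data: bytes, m: int = 32) -> bytes:
    """Note 15.1: CFB-64 with I_1 = D_1 and I_i = D_i xor O_{i-1}; O_t equals the CBC C_t."""
    padded = pad(data, 1)
    o = None
    for i in range(0, len(padded), N):
        block = padded[i:i + N]
        o = toy_encrypt(key, block if o is None else _xor(block, o))
    return _leftmost(o, m)


def verify_mac(key: bytes, data: bytes, tag: bytes, **kw) -> bool:
    """Constant-time comparison against a freshly computed MAC."""
    return hmac.compare_digest(cbc_mac(key, data, **kw), tag)
```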

ANSI X9.23: This standard addresses message formatting and representation issues related to the use of DES encryption in wholesale banking transactions. These include field delimiting and padding, as well as filtering methods required to prevent ciphertext bit sequences from interfering with communications protocols when inadvertently interpreted as control characters (e.g., end-of-transmission).

ANSI X9.24: This standard, which motivated ISO 11568, specifies manual and automated methods for retail key management, addressing authentication and (DES-based) encryption of PINs, keys, and other data. Guidelines include protection requirements at various stages in the key management life cycle. Appendices provide additional information, including (Appendix D) methods providing unique per-transaction keys, updated after each transaction as a one-way function of the current key and transaction-specific details; and (Appendix E) how to derive a large number of different terminal keys (for distinct terminals) from a common base key, simplifying key management for servers which must communicate with all terminals. Such derived keys may be combined with the unique per-transaction key methods.

ANSI X9.26: This standard specifies two main classes of entity authentication mechanisms of use for access control. The first involves user passwords. The second involves cryptographic keys used in DES-based challenge-response protocols (e.g., a time-variant parameter challenge must be ECB-encrypted). The latter class is subdivided, on the basis of granularity, into user-unique and node-unique keys.

ANSI X9.28: This standard extends X9.17 to allow the distribution of keying material (using X9.17 protocols) between entities (subscriber nodes) which neither share a common key, nor share a key with a common central server (KDC or KTC). Two or more key centers form a multiple-center group to provide a more general key distribution service allowing the establishment of keying material between any two subscribers sharing a key with at least one center in the group. As there are no known or proposed implementations of this standard, it appears destined to be withdrawn from the ANSI suite.

ANSI X9.30: The first in a suite of ANSI public-key standards, X9.30-1 and X9.30-2 specify DSA and SHA for the financial services industry, as per FIPS 186 and FIPS 180, respectively.

ANSI X9.31: The (draft) standard X9.31-1 parallels X9.30-1, and specifies a signature mechanism based on an RSA signature algorithm, more specifically the ISO/IEC 9796 variant combined with a hashing algorithm. The (draft) standard X9.31-2 defines hash functions for use with Part 1, including MDC-2.

ANSI X9.42: This (draft) standard specifies several variations of unauthenticated Diffie-Hellman key agreement, providing shared symmetric keys for subsequent cryptographic use.

ANSI X9.45: This (draft) standard employs a particular type of attribute certificate (§13.4.2) called an authorization certificate, and other techniques from ANSI X9.57, to allow a party to determine whether a received message or signed document is authorized with respect to relevant rules or limits, e.g., as specified in the authorization certificate.

ANSI X9.52: This (draft) standard for encryption offers improvements over DES security by specifying a number of modes of operation for triple-DES encryption, including the four basic modes of ISO 8372, enhanced modes intended to provide additional protection against advanced cryptanalytic attacks, and message-interleaved and pipelined modes intended to allow increased throughput in multi-processor systems.

ANSI X9.55: This (draft) standard specifies extensions to the certificate definitions of ANSI X9.57 corresponding to, and aligned with, ISO certificate extensions for ITU-T X.509 Version 3 certificates (see page 660).

ANSI X9.57: This (draft) certificate management standard includes both technical specifications defining public-key certificates (based on ITU-T X.509) for electronic commerce, and business controls necessary to employ this technology. The initial version is defined for use with DSA certificates, in conjunction with ANSI X9.30-1.

(iii) ISO banking security standards

ISO banking security standards are developed under the ISO technical committee TC68 - Banking and Related Financial Services. TC68 subcommittees include TC68/SC2 (wholesale banking security) and TC68/SC6 (retail banking security and smart card security). Table 15.7 lists selected ISO banking security standards.


ISO#       Subject                                          Ref.
8730       message authentication - requirements (W)        [575]
8731-1     message authentication - CBC-MAC                 [576]
8731-2     message authentication - MAA                     [577]
8732       key management/symmetric (W)                     [578]
9564       PIN management and security                      [579]
9807       message authentication - requirements (R)        [581]
10126      message encipherment (W)                         [582]
10202-7    key management for smart cards                   [584]
11131      sign-on authentication                           [585]
11166-1    key management/asymmetric - overview             [586]
11166-2    key management using RSA                         [587]
11568      key management (R), in 6 parts                   [588]

Table 15.7: ISO banking security standards (W-wholesale; R-retail).

ISO 8730: Together with ISO 8731, this wholesale banking standard for message authentication code (MAC) algorithms forms the international equivalent of ANSI X9.9. ISO 8730 is algorithm-independent, and specifies methods and requirements for the use of MACs including data formatting and representation issues, and a method by which specific algorithms are to be approved.

ISO 8731: ISO 8731-1 and 8731-2 specify particular MAC algorithms complementary to the companion standard ISO 8730. 8731-1 specifies a DES-based CBC-MAC with $m = 32$ (cf. ISO/IEC 9797). 8731-2 specifies the Message Authenticator Algorithm, MAA (Algorithm 9.68).

ISO  8732:  This  standard  for  key  management  in  wholesale  banking  was  derived  from 
ANSI  X9.17,  and  is  its  international  equivalent. 

ISO  9564:  This  standard,  used  as  the  basis  for  ANSI  X9.8,  specifies  minimum  mea- 
sures for  the  management  and  security  of  Personal  Identification  Numbers  (PINs).  Part  1 
specifies  principles  and  techniques  to  protect  against  disclosure  of  PINs  to  unauthorized  par- 
ties during  the  PIN  life  cycle.  Part  2 specifies  encipherment  algorithms  approved  to  protect 
PINs. 

ISO  9807:  This  standard  for  message  authentication  in  retail  banking  is  analogous  to 
ANSI  X9.19  (cf.  ISO  8730/8731-1  vs.  ANSI  X9.9),  but  does  not  address  data  representa- 
tion issues,  and  names  two  approved  algorithms  in  Annex  A - the  CBC-MAC  of  8731-1 
(allowing  optional  final  processing  as  per  X9.19),  and  the  MAA  of  8731-2. 

ISO  10126:  This  multi-part  standard  is  the  international  equivalent  of  X9.23  address- 
ing confidentiality  protection  of  (parts  of)  financial  messages.  ISO  10126-1  provides  gen- 
eral principles;  10126-2  defines  a specific  algorithm  - DES. 

ISO  10202:  This  eight-part  standard  addresses  security  architecture  issues  for  inte- 
grated circuit  cards  (chipcards)  used  for  financial  transactions.  In  particular,  ISO  10202-7 
specifies  key  management  aspects. 

ISO  11131:  This  standard  for  sign-on  authentication  is  the  international  (non-DES  spe- 
cific) analogue  of  ANSI  X9.26. 

ISO 11166: This multi-part standard for banking key management specifies asymmetric
techniques for distributing keys for symmetric algorithms. It was developed from ISO
8732, which uses symmetric techniques only. Part 1 specifies general principles, procedures,
and formats, including background regarding key protection during its life cycle, certification
of keying material, key distribution by either key exchange (e.g., Diffie-Hellman)
or key transport, and cryptographic service messages. Further parts are intended to define
approved algorithms for use with the procedures of Part 1. Part 2 specifies the RSA algorithm
for both encipherment and digital signatures; RSA formatting differs from both
ISO/IEC 9796 and PKCS #1.

ISO 11568: This multi-part standard addresses retail key management and life cycle
issues.  It  originated  from  X9.24,  but  is  generalized  for  international  use  (e.g.,  it  is  no  longer 
DES-specific),  and  addresses  both  symmetric  and  public-key  techniques. 


15.3.3  International  security  architectures  and  frameworks 

Table  15.8  lists  selected  ISO  standards  on  security  frameworks  and  architectures.  Some  of 
these are developed by SC21 (ISO/IEC JTC 1 SC21), which includes activities on Open
Systems  Interconnection  (OSI)  projects.  The  International  Telecommunication  Union 
(ITU)  develops  common-text  specifications  with  JTC  1 for  some  standards  in  this  area. 


ISO#      Subject                              Ref.
7498-2    OSI security architecture            [573]
9594-8    authentication framework (X.509)     [595]
10181     OSI security frameworks              [609]

Table 15.8: ISO and ISO/IEC security architectures and frameworks.

ISO 7498-2 (X.800): The OSI basic reference model of ISO 7498 defines a communications
protocol stack with seven layers: application (layer 7), presentation (6), session
(5), transport (4), network (3), data-link (2), and physical layers (1). ISO 7498-2 specifies
the  security  architecture  for  the  basic  reference  model,  including  the  placement  of  secu- 
rity services  and  mechanisms  within  these  layers.  It  also  provides  a general  description  of 
the  basic  OSI  security  services:  authentication  (peer-entity  and  data-origin);  access  con- 
trol; data  confidentiality;  data  integrity;  and  non-repudiation  (with  proof  of  origin,  or  with 
proof  of  delivery).  Specific  mechanisms  are  used  to  implement  these  services;  for  example, 
encipherment  is  a mechanism  for  providing  confidentiality. 

ISO/IEC 9594-8 (X.509): This standard is the same as ITU-T (formerly CCITT) Recommendation
X.509. It defines both simple authentication techniques (based on passwords)
and so-called strong authentication techniques (wherein secret values themselves are not
revealed to the verifier). The strong techniques included are the two-pass and three-pass
X.509  exchanges  (see  §12.5.2)  based  on  digital  signatures  and  the  use  of  time-variant  pa- 
rameters. An  implicit  assumption  is  the  use  of  an  algorithm  such  as  RSA  which  may  serve 
as  both  an  encryption  and  a signature  mechanism;  the  specification  may,  however,  be  modi- 
fied (e.g.,  to  use  DSA).  The  standard  also  specifies  techniques,  including  X.509  certificates, 
for  acquiring  or  distributing  authentic  public  keys;  and  addresses  cross-certificates,  and  the 
use  of  certificate  chains  (§13.6.2(i)). 

ISO/IEC 10181 (X.810 through X.816): This specification is a series of security
frameworks intended to provide context and background, consisting of the following parts:
security frameworks overview (1); authentication framework (2); access control framework
(3); non-repudiation framework (4); confidentiality framework (5); integrity framework
(6); security audit and alarms framework (7).


15.3.4 U.S. government standards (FIPS)

Table  15.9  lists  selected  security-related  Federal  Information  Processing  Standards  (FIPS) 
publications.  These  are  developed  under  the  National  Institute  of  Standards  and  Technology 
(NIST),  for  use  by  U.S.  federal  government  departments. 


FIPS#       Subject                               Ref.
FIPS 46-2   DES                                   [396]
FIPS 74     guidelines for using DES              [397]
FIPS 81     DES modes of operation                [398]
FIPS 112    password usage                        [399]
FIPS 113    data authentication (CBC-MAC)         [400]
FIPS 140-1  cryptomodule security requirements    [401]
FIPS 171    key management using X9.17            [402]
FIPS 180-1  secure hash standard (SHA-1)          [404]
FIPS 185    key escrow (Clipper & SKIPJACK)       [405]
FIPS 186    digital signature standard (DSA)      [406]
FIPS 196    entity authentication (asymmetric)    [407]

Table 15.9: Selected security-related U.S. FIPS Publications.

FIPS  46:  This  standard  specifies  the  DES  algorithm  (cf.  ANSI  X3.92). 

FIPS  74:  This  standard  provides  guidelines  for  implementing  and  using  DES. 

FIPS  81:  This  standard  specifies  4 basic  DES  modes  of  operation  (cf.  ANSI  X3.106). 

FIPS  112:  This  standard  provides  guidelines  on  password  management  and  usage. 

FIPS 113: This standard specifies the customary DES-based CBC-MAC algorithm
(see ISO/IEC 9797), referring to it as the Data Authentication Algorithm (DAA). The MAC
result is called a Data Authentication Code (DAC). The last data block, if incomplete, is left-
justified and zero-padded before processing; the result is the leftmost m output bits, where
m is a multiple of 8, and 16 ≤ m ≤ 64. Implementation may be either by the CBC mode
with IV = 0, or CFB-64 mode with IV = D1, the first data block (see Note 15.1). 7-bit
ASCII-coded data to be authenticated by the DAA is preprocessed into 8-bit characters with
leading bit 0.
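The DAA computation written out, as an added example (it is not part of FIPS 113 or of this book). DES is not in the Python standard library, so E_K(.) is supplied by a stand-in 64-bit Feistel cipher built from SHA-256; that cipher is an assumption of the example, not DES. Everything around it follows the description above: zero-padding of a short final block, CBC with IV = 0, CFB-64 with IV = D1, 7-bit ASCII carried as 8-bit characters, and truncation to the leftmost m bits. The key and message are constructed for the demonstration, and the two modes are checked against each other:

```python
"""FIPS 113 Data Authentication Algorithm (DAA), computed by CBC and by CFB-64."""
import hashlib

BLOCK = 8  # 64-bit block, as for DES


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key, block, rounds=8):
    """Stand-in keyed 64-bit permutation (balanced Feistel with a SHA-256
    round function). It is NOT DES; it only supplies the E_K(.) the DAA needs."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for r in range(rounds):
        f = hashlib.sha256(key + bytes([r]) + right).digest()[:4]
        left, right = right, _xor(left, f)
    return left + right


def preprocess_ascii7(text):
    """7-bit ASCII is authenticated as 8-bit characters with leading bit 0."""
    return text.encode("ascii")  # raises on any code point >= 128


def _blocks(data):
    """Split into 64-bit blocks; an incomplete last block is left-justified
    and zero-padded."""
    if not data:
        raise ValueError("DAA needs at least one data block")
    out = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    out[-1] = out[-1].ljust(BLOCK, b"\x00")
    return out


def _leftmost(mac64, m):
    if m % 8 or not 16 <= m <= 64:
        raise ValueError("m must be a multiple of 8 with 16 <= m <= 64")
    return mac64[: m // 8]


def daa_cbc(key, data, m=32, enc=encrypt_block):
    """DAC via CBC mode with IV = 0:  H_i = E_K(D_i XOR H_{i-1})."""
    h = bytes(BLOCK)
    for d in _blocks(data):
        h = enc(key, _xor(d, h))
    return _leftmost(h, m)


def daa_cfb(key, data, m=32, enc=encrypt_block):
    """DAC via CFB-64 with IV = D1: D2..Dn are fed as CFB plaintext, and the
    keystream block E_K(C_{n-1}) that would encrypt the next block is the DAC."""
    blocks = _blocks(data)
    c = blocks[0]                      # IV = D1
    for d in blocks[1:]:
        c = _xor(d, enc(key, c))       # CFB ciphertext = D_i XOR H_{i-1}
    return _leftmost(enc(key, c), m)   # = H_n of the CBC computation


if __name__ == "__main__":
    key = b"\x01\x23\x45\x67\x89\xab\xcd\xef"   # constructed 64-bit key
    msg = preprocess_ascii7("PAY 100.00 TO ACCT 42")
    assert daa_cbc(key, msg) == daa_cfb(key, msg)
    print(daa_cbc(key, msg).hex())
```

The CFB variant works because, with IV = D1, the CFB ciphertext produced after feeding D_i equals D_i XOR H_{i-1}, so encrypting it once more yields exactly the CBC chaining value H_i; the DAC is the final such encryption. One caveat the code makes visible: zero-padding means two inputs that differ only in trailing zero bytes (b"abc" and b"abc\x00") produce the same DAC, so the length of the authenticated data must be fixed by the application or carried inside the data.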

FIPS  140-1:  This  standard  specifies  security  requirements  for  the  design  and  imple- 
mentation of  cryptographic  modules  for  protecting  (U.S.  government)  unclassified  infor- 
mation, including  hardware,  firmware,  software  modules,  and  combinations  thereof.  Four 
grades  of  increasing  security  are  specified  as  Levels  1 through  4,  covering  a wide  range  of 
security  applications  and  environments.  A FIPS  140-1  validation  program  is  run  by  NIST 
to  determine  if  cryptomodules  meet  the  stated  requirements. 

FIPS  171:  FIPS  171  specifies,  for  use  by  (U.S.)  federal  government  departments,  a 
subset  of  the  key  distribution  techniques  of  ANSI  X9.17.  The  objective  of  specifying  a 
subset  is  to  increase  interoperability  and  decrease  system  costs. 

FIPS  180  and  180-1:  The  hash  algorithm  specified  in  the  original  standard  FIPS  180 
is  the  Secure  Hash  Algorithm,  SHA.  A revised  version  was  specified  shortly  thereafter  in 
FIPS  180-1  (Algorithm  9.53),  and  denoted  SHA-1.  SHA-1  differs  from  SHA  as  noted  in 
§9.8. 

FIPS  185:  This  Escrowed  Encryption  Standard  (EES)  specifies  the  parameters  and  use 
of  the  SKIPJACK  symmetric-key  block  cipher,  and  a method  of  creating  Law  Enforcement 
Access  Fields  (LEAFs)  for  use  with  the  Clipper  key  escrow  system  (§13.8.3).  The  purpose 
is to allow wiretapping under lawful authorization. Internal details of the SKIPJACK algorithm
are not publicly available, although its interface specification is (§13.8.3(i)).

FIPS  186:  This  standard  is  the  Digital  Signature  Standard  (DSS),  which  specifies  the 
Digital  Signature  Algorithm  (DSA).  The  hash  function  originally  mandated  for  use  with 
DSA  is  defined  in  FIPS  180  (SHA),  which  was  superseded  by  FIPS  180-1  (SHA-1). 

FIPS  196:  This  standard  on  entity  authentication  using  asymmetric  techniques  was 
derived from the two-pass and three-pass random-number based mechanisms of ISO/IEC
9798-3.  It  includes  additional  expository  and  implementation  details. 


15.3.5  Internet  standards  and  RFCs 

Documents  called  Requests  for  Comments  (RFCs)  are  official  working  notes  of  the  Inter- 
net research  and  development  community.  A subset  of  these  are  specifications  which  are 
candidates  for  standardization  within  the  community  as  Internet  Standards. 

The  Internet  Engineering  Steering  Group  (IESG)  of  the  Internet  Engineering  Task 
Force  (IETF)  is  responsible  for  making  recommendations  regarding  progression  of 
“standards-track”  specifications  from  Proposed  Standard  (PS)  to  Draft  Standard  (DS)  to 
Standard  (STD).  RFCs  may  also  correspond  to  the  following  types  of  documents:  Experi- 
mental (E)  protocols  which  may  be  part  of  early  research  efforts;  Informational  (I)  protocols 
published  for  convenience  of  the  community;  and  Historical  ( H)  protocols  which  have  been 
superseded,  expired,  or  abandoned. 

The  E,  I,  and  H categories  are  not  on  the  standards  track,  and  the  IESG  does  not 
make  recommendations  on  these.  Less  mature,  less  stable,  or  less  widely  circulated  doc- 
uments are  typically  available  as  an  Internet-Draft  (I-D);  these  are  considered  to  be  “work 
in  progress”,  and  should  be  cited  as  such. 


RFC    Status  Subject                                     Ref.
1319   I       MD2 hash function                           [1033]
1320   I       MD4 hash function                           [1034]
1321   I       MD5 hash function                           [1035]
1421   PS      PEM - encryption, authentication            [1036]
1422   PS      PEM - certificates, key management          [1037]
1423   PS      PEM - algorithms, modes, identifiers        [1038]
1424   PS      PEM - key certification and services        [1039]
1508   PS      Generic Security Service API (GSS-API)      [1040]
1510   PS      Kerberos V5 network authentication          [1041]
1828   PS      keyed MD5 (as a MAC)                        [1044]
1847   PS      security multiparts for MIME                [1045]
1848   PS      MIME Object Security Services (MOSS)        [1046]
1938   PS      one-time password system                    [1047]

Table 15.10: Selected Internet RFCs (May 1996 status).

Table 15.10 lists selected security-related Internet RFCs. The hashing algorithms
MD2, MD4, and MD5 are specified in RFCs 1319-1321, respectively. The Internet Privacy-
Enhanced Mail (PEM) specifications are given in RFCs 1421-1424.

The  Generic  Security  Service  Application  Program  Interface  (GSS-API)  of  RFC  1508 
is  a high-level  security  API  which  isolates  application  code  from  implementation  details; 
for  example,  the  interface  provides  functions  such  as  sign  and  seal  (e.g.,  as  opposed  to 
“seal using a 32-bit DES CBC-MAC and this particular key”). Specific implementation
mechanisms  must  be  provided  beneath  GSS-API;  options  include  Kerberos  V5  as  per  RFC 
1510  for  symmetric-based  techniques,  and  SPKM  for  public-key  based  techniques  (see 
page  661). 

RFC  1828  specifies  a method  for  using  keyed  MD5  as  a MAC  (cf.  §9.5.2).  RFC  1848 
defines  MIME  Object  Security  Services  (MOSS),  where  MIME  denotes  Multipurpose  In- 
ternet Mail  Extensions.  MOSS  makes  use  of  the  RFC  1847  framework  of  multipart/signed 
and  multipart/encrypted  MIME  messages,  and  facilitates  encryption  and  signature  services 
for MIME including key management based on asymmetric techniques. RFC 1938 specifies
an  authentication  technique  based  on  Lamport’s  one-time  password  scheme  ( Protocol  10.6). 


15.3.6  De  facto  standards 

Various  security  specifications  arising  through  informal  processes  become  de  facto  stan- 
dards. This  section  mentions  one  such  class  of  specifications:  the  PKCS  suite. 

PKCS  specifications 

A suite  of  specifications  called  The  Public-Key  Cryptography  Standards  (PKCS)  has  parts 
as  listed  in  Table  15.11.  The  original  PKCS  #2  and  PKCS  #4  have  been  incorporated  into 
PKCS #1. PKCS #11 is referred to as CRYPTOKI.


No.   PKCS title
1     RSA encryption standard
3     Diffie-Hellman key-agreement standard
5     Password-based encryption standard
6     Extended-certificate syntax standard
7     Cryptographic message syntax standard
8     Private-key information syntax standard
9     Selected attribute types
10    Certification request syntax standard
11    Cryptographic token interface standard

Table 15.11: PKCS specifications.


15.3.7  Ordering  and  acquiring  standards 

ISO  and  ISO/IEC  standards  may  be  obtained  from  (member  body)  national  standards  orga- 
nizations such  as  ANSI,  the  British  Standards  Institution  (BSI),  and  the  Standards  Council 
of  Canada  (SCC).  To  purchase  standards  directly  from  ISO,  contact  ISO  Central  Secretariat, 
Case postale 56, CH-1211 Geneva 20, Switzerland; telephone +41.22.749.01.11.

ANSI  X9  standards  are  published  by  EDI  Support  Services  Incorporated;  to  purchase 
standards,  telephone  1-800-334-4912  (from  within  the  USA)  or  +216-974-7650  (from  out- 
side the  USA). 

FIPS  PUBS  may  be  purchased  from  the  National  Technical  Information  Service,  U.S. 
Department  of  Commerce,  5285  Port  Royal  Road,  Springfield,  Virginia  22161  (USA);  tele- 
phone +703-487-4650,  fax  +703-321-8547.  To  obtain  copies  of  specifications  of  proposed 
(draft) FIPS, contact the Standards Processing Coordinator, National Institute of Standards
and Technology, Technology Building, Room B-64, Gaithersburg, Maryland 20899
(USA); telephone +301-975-2816. Alternatively, consult URL http://csrc.ncsl.nist.gov/.

Internet RFCs and Internet-Drafts are available on-line via anonymous FTP from
numerous ftp sites (e.g., ds.internic.net); further information can be obtained
by sending an email message to rfc-info@isi.edu with the message body “help:
ways_to_get_rfcs”. RFCs are typically under the directory rfc/ as rfcXXXX.txt (e.g.
rfc1321.txt), and an RFC index is available as rfc-index.txt. RFCs can also be obtained
via electronic mail by sending an email message to rfc-info@isi.edu whose
body includes “Retrieve: RFC” and “Doc-ID: RFCnnnn” on separate lines.

The  PKCS  suite  is  published  by  RSA  Laboratories,  100  Marine  Parkway,  Suite  500, 
Redwood  City,  California  94065-1031  (telephone  +415-595-7703),  and  is  available  by 
anonymous FTP from rsa.com under the directory pub/pkcs/.
§15.1

Levine [762] compiled a comprehensive list of American cryptographic patents issued between
1861 and 1981, citing patent number, name of principal inventor, date granted, and
patent title; this provides an insightful perspective of the history of cryptography over this
period. Kahn [648] discusses many patents in his historical tour, including many related
to rotor machines (cf. Chapter 7). Contact information regarding the current assignees of
some cryptographic patents may be found throughout the book of Schneier [1094].

Davies  and  Price  [308]  provide  both  general  discussion  of  standards,  and  detailed  techni- 
cal discussion  of  selected  standards.  Preneel  [1001]  gives  background  on  worldwide,  Eu- 
ropean, and  North  American  standardization  organizations,  and  an  overview  of  activities 
therein.  Ford  [414]  provides  a comprehensive  overview  of  information  security  standards 
including  extensive  background  information  on  various  standardization  processes  and  or- 
ganizations, including  technical  committees  ISO  TC  68  and  ISO/IEC  JTC  1 and  their  sub- 
committees; ITU;  ANSI;  and  national,  regional,  and  international  standardization  bodies. 
For  a more  recent  overview  of  security  standards  for  open  systems,  see  Fumy  and  Rieten- 
spiess  [432].  A status  update  of  selected  standards  is  also  provided  by  Ford  [415]. 

§15.2 

One of the earliest and most important cryptographic patents was U.S. Patent No. 1,310,719
[1221] issued to Vernam on July 22 1919 for the Vernam cipher (cf. the one-time pad, Chapter
7; see also Kahn [648, p.401]). Two other patents by Vernam, titled “Ciphering device”,
were granted May 23 1922 (1,416,765) and January 8 1924 (1,479,846).

In  consideration  of  ANSI  making  DES  a standard,  IBM  made  the  DES  patent  of  Ehrsam 
et  al.  (3,962,539)  [363]  available  free  of  license  fees  in  the  U.S.  when  used  to  implement 
ANSI  standards. 

The first widespread published disclosure of public-key cryptography was through the conference
paper of Diffie and Hellman [344], presented June 8 1976, fifteen months prior to
the  filing  of  the  Hellman-Diffie-Merkle  patent  [551].  Merkle  independently  conceived  the 
idea  of  deriving  a secret  key  over  a public  channel  in  1974  (see  §12.10);  his  paper  [849], 
first  submitted  to  Communications  of  the  ACM  in  1975,  was  rejected  several  times  before  fi- 
nal publication  in  1978.  Meanwhile,  the  1976  Diffie-Hellman  conference  paper  introduced 
the concept of a digital signature as well as public-key cryptography and public-key authentication.
Although Diffie and Hellman noted: “At present we have neither a proof that
public key systems exist, nor a demonstration system”, the existence of public-key systems
was postulated, and three suggestions were offered supporting the general idea. The first
involved matrix inversion, which is more difficult than multiplication by a factor O(n) for
n x n matrices; this offers a degree of security for very large n. The second involved compiling
a function described in a high-level language into machine code; this makes it difficult
to  recover  the  original  function.  The  third  suggestion  involved  obscuring  the  input-output 
relationships  between,  e.g.,  100  input  and  100  output  bits  (wires)  in  an  invertible  hardware 
circuit  originally  implementing  the  identity  mapping,  by,  e.g.,  inserting  4-by-4  bit  invert- 
ible S-boxes  into  randomly  selected  sets  of  4 wires;  re-arranging  the  particular  mappings 
of  input  lines  into  S-boxes  then  makes  inverting  the  resulting  circuit  difficult. 

The  Hellman-Merkle  patent  [553]  was  filed  sixteen  months  after  the  above  Diffie-Hellman 
conference  paper  was  presented.  A major  reason  why  the  RSA  patent  [1059]  took  almost  6 
years  from  application  filing  to  issue  date  was  so-called  interference  proceedings  between 
it  and  some  of  the  Stanford  patents.  The  subject  of  the  authentication  trees  patent  of  Merkle 
[848] is discussed in his thesis [851, pp. 126-131] and in the open literature [852, 853].

The signature technique of the ESIGN patent [952] is discussed in the literature by Okamoto
[948]; see also Fujioka, Okamoto, and Miyaguchi [428]. The identification and signature
technique of the Shamir-Fiat patent [1118] is described by Fiat and Shamir [395]. Regarding
the Guillou-Quisquater patent [523], see Guillou and Quisquater [524]. The identification
and signature schemes patented by Schnorr [1095] are discussed in the literature by
Schnorr [1097, 1098]; the preprocessing scheme proposed therein, however, was shown to
be insecure by de Rooij [314, 315].

In its announcement of the proposed FIPS for DSS (Federal Register vol.56 no.169, August
30 1991, 42980-42982), NIST noted its intent to make the DSA patent of Kravitz [711]
available world-wide on a royalty-free basis. In a letter to the Director of the Computer
System Laboratories at NIST dated October 30 1991, Schnorr stated that DSA infringed on
Claim  6 of  his  patent  (4,995,082).  FIPS  186  itself  (1994)  states  that  “The  Department  of 
Commerce  is  not  aware  of  any  patents  that  would  be  infringed  by  this  standard”. 

MDC-2  and  MDC-4  [184]  (see  also  Bosselaers  and  Preneel  [178])  are  discussed  in  §9.4.1. 
For further discussion of FEAL [1125], see §7.5. A patent on IDEA was originally filed
in  Switzerland  and  subsequently  as  a European  patent  [790],  prior  to  being  filed  as  a U.S. 
patent  [791];  for  literature  references,  see  Chapter  7. 

Related  to  the  Matyas-Meyer-Brachtl  patent  [806]  on  control  vectors,  the  October  7 1980 
patent  of  Ehrsam  et  al.  (4,227,253),  “Cryptographic  communication  security  for  multiple 
domain  networks”,  describes  use  of  a master  key  and  two  variants  obtained  by  inverting 
designated  bits  of  the  master  key,  equivalent  to  an  XOR  of  the  master  with  fixed  mask  val- 
ues. Also  related  is  the  key  notarization  method  of  the  patent  by  Smid  and  Branstad  [1154], 
which  controls  which  parties  use  a key,  but  not  the  uses.  The  key  notarization  technique  is 
essentially  identical  - involving  concatenation  of  various  quantities  (user  identities),  which 
are  then  XOR'd  with  a key-encryption  key  - but  control  vectors  have  broader  functionality. 

Fair  cryptosystems  [861,  862]  are  discussed  in  the  literature  by  Micali  [863];  but  see  also 
Kilian and Leighton [671], who remark on a critical weakness.

Interest in product cipher systems was stimulated by the product ciphers described in Shannon's
1949 paper [1121]. Meyer and Matyas [859] note that Lucifer was the name of the
cryptographic system in which the product cipher of Feistel's patent (3,798,359) [385] was
implemented, and from which the IBM team led by Tuchman derived DES. The 1974
patent of Smith [1159] is also related to Lucifer. A second 1974 patent of Feistel [386]
on a “step code ciphering system” was filed and issued with dates matching the Lucifer algorithm
patent. Sorkin [1165] states that Lucifer is the subject of all three of these patents,
plus a fourth: “Centralized verification system” (3,798,605) granted March 19 1974 to H.
Feistel. Feistel gives a high-level background discussion on a first variation of Lucifer in
his 1973 Scientific American article [387], which appeared prior to his 1974 patents being
issued. A description of the second variation of Lucifer (which led to the design of DES)
is given by Sorkin [1165]; see also Biham and Shamir [138].

Related  to  the  Massey-Omura  [792]  and  Omura-Massey  [956]  patents  is  that  of  Onyszchuk, 
Mullin, and Vanstone [959]. It was filed May 30 1985 and issued May 17 1988 with no assignee
listed. The patent teaches the construction of a multiplier for elements in F_{2^m}, stated
to be a significant improvement over the method of Omura-Massey. The patent also tabulates
those values m, 2 ≤ m ≤ 2493, for which so-called optimal normal bases exist; in
these fields, the disclosed normal-basis multipliers for F_{2^m} are more efficient than in
others. Shamir's three-pass protocol was first proposed by Shamir, as indicated by Konheim
[705].  Massey  [786]  notes  that  Shamir  also  specifically  proposed  implementing  the  three- 
pass  protocol  using  exponentiation  as  the  ciphering  operation,  an  idea  later  independently 
proposed  by  Omura  (cf.  §12.3  notes  on  page  535). 

In  contrast  to  the  prime  generation  methods  of  Shawe-Taylor  and  Maurer  (§4.4.4)  which 
result  in  guaranteed  primes,  the  prime  generation  method  of  the  Hellman-Bach  patent  [550] 
uses  probabilistic  primality  tests,  and  is  related  to  that  presented  by  Gordon  at  Eurocrypt  in 
April  of  1984  [514],  and  which  appeared  (dated  April  26  1984)  in  the  June  7 1984  issue 
(vol.20 no.12) of Electronics Letters [513].

The  protocol  patented  by  Goss  [519],  filed  April  17  1989,  combines  exponentials  by 
an  XOR  operation.  An  essentially  identical  protocol  published  in  1986  by  Matsumoto, 
Takashima,  and  Imai  [800]  uses  modular  multiplication  (cf.  Protocol  12.53). 

The  exponentiation  cipher  of  the  Hellman-Pohlig  patent  [554]  is  discussed  in  the  literature 
by Pohlig and Hellman [982]. The ciphers Khufu and Khafre [847] are similarly discussed
by  Merkle  [856];  on-line/off-line  digital  signatures  [864]  by  Even,  Goldreich,  and  Micali 
[377,  378];  and  the  techniques  of  the  patent  on  efficient  exponentiation  [203]  are  presented 
by  Brickell  et  al.  [204]  (for  more  recent  work,  see  Hong,  Oh,  and  Yoon  [561]). 

A patent by Crandall (5,159,632) [286] includes twelve (12) claims on specific implementations
of elliptic curves using primes p of special form (e.g., p = 2^q − C for C small) allowing
fast  multiplication  using  shifts  and  adds  alone  (cf.  Mohan  and  Adiga,  1985),  and  specific 
use  of  Fast  Fourier  Transforms  (FFT)  for  optimized  modular  multiplication  in  this  case.  The 
patent,  filed  September  17  1991,  was  issued  October  27  1992  and  assigned  to  NeXT  Com- 
puter, Inc.  (Redwood  City,  California);  see  also  its  continuation-in-part,  (5,271,061)  [287]. 
Another  patent  in  this  area  is  the  Miyaji-Tatebayashi  patent  (5,272,755)  [888]  filed  June  26 
1992,  with  priority  data  June  28  1991  (Japanese  patent  office).  Issued  December  21  1993, 
and  assigned  to  the  Matsushita  Electric  Industrial  Co.  (Osaka),  it  contains  six  (6)  claims  in 
the area of selecting elliptic curves over F_p whose order is precisely p. This covers a small
subset of possible curves of this order over F_p, and one particular method for selecting from
among  these;  see  also  its  continuation-in-part,  (5,351,297)  [889]. 

Regarding  other  block  ciphers  discussed  in  this  book,  a patent  application  has  been  filed 
for  the  RC5  cipher  (§7.7.2).  Adams  [3]  is  the  inventor  for  a patent  on  the  CAST  block 
cipher design procedure (see p.281); the assignee, Northern Telecom Limited (Montreal),
will,  however,  make  a CAST  cipher  available  free  of  license  fees. 

The  SEAL  stream  cipher  (§6.4.1)  of  Coppersmith  and  Rogaway  is  also  patented  [281]. 
Ch. 15 Patents and Standards


A draft  standard  in  development  under  the  IEEE  Microprocessor  Standards  Committee 
group is IEEE P1363: Standard for RSA, Diffie-Hellman and related public-key cryptog-
raphy, which  includes  specifications  for  elliptic  curve  systems. 

Theoretical justification for the redundancy scheme used in ISO/IEC 9796 is given by Guillou
et al. [525]. The customary 5-year review of this standard in 1996 resulted in a title
change and the creation of a second part. The original standard (with content unchanged)
will be re-titled Digital signature schemes giving message recovery - Part 1: Mechanisms
using redundancy. The second part, a working draft (WD) as of April 1996 titled Part 2:
Mechanisms  using  a hash  function,  specifies  mechanisms  utilizing  the  idea  that  when  a sig- 
nature algorithm  such  as  RSA  is  used  with  a hash  function,  and  the  RSA  modulus  (say  1024 
bits)  is  much  larger  than  a hash  value  (say  160  bits),  the  remaining  bits  may  be  used  to  carry 
message  text  which  can  be  recovered  upon  signature  verification.  This  partial  message  re- 
covery mode  of  the  signature  algorithm  decreases  the  amount  of  accompanying  cleartext  re- 
quired, which  is  of  interest  in  bandwidth  or  memory-limited  applications,  and  those  wherein 
the  text  being  signed  is  relatively  small. 
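A schematic of partial message recovery, added here as an illustration of the idea just described; it is not the encoding of ISO/IEC 9796-2 Part 2, whose block format, redundancy and trailer differ, nor code from this book. The example assumes toy 512-bit RSA keys generated by a small Miller-Rabin routine, SHA-256 in place of the 160-bit hash used in the text's arithmetic, and a simple length-prefixed layout of the example's own choosing: the recoverable part M1 and a hash of the whole message M1||M2 are packed into one modulus-sized block, so the verifier recovers M1 from the signature and only M2 travels in the clear.

```python
"""Signature with partial message recovery (schematic, not the ISO/IEC 9796-2 format)."""
import hashlib
import hmac
import random

HASH = hashlib.sha256       # 256-bit hash here; the text's example assumes 160 bits
HLEN = HASH().digest_size


def _is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin, sufficient for an example (not a production prime test)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def keygen(bits=512, seed=None):
    """Toy-sized RSA key pair; `seed` exists only to make the example reproducible."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return (n, e), (n, pow(e, -1, phi))


def capacity(n):
    """Bytes of message text the block can carry: modulus size minus a leading
    zero byte (keeps the representative below n), a 2-byte length and the hash."""
    return (n.bit_length() + 7) // 8 - 1 - 2 - HLEN


def sign_with_recovery(priv, m1, m2=b""):
    """Sign M = M1 || M2 so that M1 is recoverable from the signature alone."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    if len(m1) > capacity(n):
        raise ValueError("M1 exceeds the recoverable capacity")
    # layout (schematic): 0x00 | len(M1) | M1 | zero fill | H(M1 || M2)
    block = (b"\x00" + len(m1).to_bytes(2, "big") + m1).ljust(k - HLEN, b"\x00")
    block += HASH(m1 + m2).digest()
    return pow(int.from_bytes(block, "big"), d, n).to_bytes(k, "big")


def verify_and_recover(pub, sig, m2=b""):
    """Return the recovered M1, or None if the signature does not verify."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if not 0 < s < n:
        return None
    block = pow(s, e, n).to_bytes(k, "big")
    if block[0] != 0:
        return None
    length = int.from_bytes(block[1:3], "big")
    if length > capacity(n):
        return None
    m1, fill, digest = block[3:3 + length], block[3 + length:k - HLEN], block[k - HLEN:]
    if any(fill) or not hmac.compare_digest(digest, HASH(m1 + m2).digest()):
        return None
    return m1


if __name__ == "__main__":
    pub, priv = keygen(512, seed=2024)
    m1, m2 = b"amount=100;to=acct-42", b";memo=text carried in the clear"
    sig = sign_with_recovery(priv, m1, m2)
    print(verify_and_recover(pub, sig, m2))         # recovers M1
    print(verify_and_recover(pub, sig, m2 + b"!"))  # None: M2 was altered
```

With a 64-byte modulus the block carries 29 bytes of M1 beside the 32-byte hash, which is the bandwidth saving the text refers to; whatever does not fit goes in M2 and is still bound by the hash, so altering either part invalidates the signature. A real deployment would use the standard's own formatting rather than this ad hoc layout, since the padding and redundancy structure is exactly what protects textbook RSA signatures from forgery by algebraic manipulation.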

The  Registration  Authority  designated  by  ISO/IEC  to  maintain  the  register  of  cryptographic 
algorithms  of  ISO/IEC  9979  is  the  National  Computer  Centre,  Oxford  Road,  Manchester, 
M1 7ED, United Kingdom (telephone +44-161-228-6333, fax +44-161-228-1636). Twelve
algorithms  were  registered  as  of  October  1995:  BARAS,  B-Crypt,  CDMF,  DES,  FEAL, 
IDEA,  LUC,  MULTI2,  RC2,  RC4,  SXAL/MBAL,  and  SKIPJACK.  An  alternative  for  ob- 
taining unique  algorithm  identifiers  is  the  object  identifier  (OID)  and  registration  scheme  of 
the  Abstract  Syntax  Notation  One  (ASN.l)  standard  ISO/IEC  8824;  for  more  information, 
see  Ford  [414,  pp. 478-480]. 

For a history of DES-related standards from an American perspective, including ANSI standards,
see Smid and Branstad [1156]. ANSI X9.24, Annex C contains a convenient six-page
summary of ANSI X9.17. A revision of X9.30-2:1993 is to specify FIPS 180-1 (SHA-1) in
place  of  SHA.  An  ANSI  standard  in  development,  but  currently  “on  hold”  pending  resolu- 
tion of  patent  issues,  is  (draft)  X9.44  [48],  which  specifies  a key  transport  technique  based 
on  RSA.  An  enhanced  mode  of  triple-DES  encryption  included  in  the  draft  ANSI  X9.52 
[50]  is  cipher  block  chaining  with  output  feedback  masking.  The  draft  ANSI  X9.57  [52]  is 
intended  for  use  with  X9.30  and  (draft)  X9.31,  although  the  initial  version  addresses  X9.30 
(DSA)  certificates.  ITU-T  X.509  v3  certificates  and  certificate  extensions  to  which  ANSI 
X9.55  is  aligned  are  discussed  below.  Both  (draft)  X9.45  and  (draft)  X9.55  may  eventually 
be  incorporated  into  X9.57.  Related  to  attribute  certificates,  see  Fischer  [410]  regarding 
electronic  document  authorization  and  related  patents  [408,  409]. 

The ISO 11568 retail key management project includes six parts [588, 589, 590, 591, 592, 593]. Among these, 11568-3 specifies the key life cycle for symmetric encryption algorithms; 11568-4 addresses key management techniques for public-key cryptosystems, including certificate management and (in Annex C) attribute certificates; and 11568-5 addresses key life cycle for public-key cryptosystems.

ISO/IEC 9594-8 (X.509) is one part of a series of specifications outlining directory services for Open Systems Interconnection (OSI) and other systems. The Directory is a logical database of information with directory entries arranged in a tree structure, the Directory Information Tree (DIT), as introduced in ISO/IEC 9594-1 (ITU-T Recommendation X.500) [594], which also provides an overview of directory services. For extensive discussion, see Chapter 14 of Ford [414]. The 1988 version of X.509 (equivalent to ISO/IEC 9594-8:1990) was updated in 1993 [626] (equivalent to ISO/IEC 9594-8:1995). A 1995 technical corrigendum [627] added a certificate extensions field, yielding Version 3 (v3) certificates. Standard extensions for v3 certificates are defined in a further amendment [628] (see §13.9). The OSI security frameworks project is specified in seven parts of ISO 10181 [609, 610, 611, 612, 613, 614, 615].

FIPS 140-1 [401] supersedes FIPS 140, General Security Requirements for Equipment Using the Data Encryption Standard (formerly Federal Standard 1027, April 1982). Information on FS 1027 is provided by Davies and Price [308]. In May 1994, NIST announced a weakness in SHA [403], resulting from unpublished analysis carried out by the U.S. National Security Agency; the formal revision was published as FIPS 180-1 [404].

The PKCS standards, developed by industrial collaboration led by RSA Laboratories (a Division of RSA Data Security Inc.), are widely used in practice, and periodically updated. PKCS #1, 3, 5, 6, 7, 8, 9, 10 [1072] and PKCS #11 [1071] are currently available (e.g., from URL http://www.rsa.com/).

For an overview of Internet security standards, see Kent [667]. Linn’s GSS-API (RFC 1508) [1040] is an API suitable for session-oriented applications. An analogous specification for store-and-forward applications is the IDUP-GSS-API (Independent Data Unit Protection GSS-API) interface. Implementation mechanisms which have been specified to plug in beneath GSS-API include a symmetric-key mechanism based on Kerberos (the Kerberos Version 5 GSS-API mechanism), and a public-key based mechanism SPKM (Simple Public-Key Mechanism). For an overview of these work-in-progress items under development in the Common Authentication Technologies (CAT) group of the IETF, see Adams [4].

Work-in-progress in the IP Security (IPSEC) working group of the IETF includes two items using Diffie-Hellman key exchange for session key establishment over the Internet - the Photuris protocol of Karn and Simpson, and the SKIP protocol of Aziz. Krawczyk [718] notes these and presents an alternative (SKEME).

MIME, specified in RFC 1521 [1042], is designed to facilitate multipart textual and non-textual mail, i.e., mail messages whose bodies may contain multiple objects of a variety of content types including non-ASCII text, multi-font text, and audio and image fragments. An alternative to the MOSS proposal of RFC 1848 [1046] is S/MIME [1191], which adds signature and/or encryption services to MIME messages, using PKCS specifications.

Many other standards, both formal and informal, have been developed or are undergoing development. A collection of cryptographic algorithms and protocols recommended for use in Europe is that resulting from the European RACE Integrity Primitives Evaluation (RIPE) project; see Bosselaers and Preneel [178]. Pretty Good Privacy (PGP) is a popular, widely available software package originally developed by Zimmermann [1272] (see Garfinkel [442] for additional perspective), currently employing RSA signatures, MD5 hashing, and IDEA encipherment.

Examples of pseudorandom number generators (PRNGs) which appear in U.S. standards include a DES-based PRNG in ANSI X9.17 (Appendix C), and two further methods in FIPS 186 (Appendix 3) based on both the Secure Hash Algorithm (SHA) and DES.

Authority revocation list (ARL), 577
Authorization, 3
Authorized subset, 527
Auto-key cipher, 242
Autocorrelation function, 180
Autocorrelation test, 182
Auxiliary-input zero-knowledge, 423

Big-endian, 344
Big-O notation, 58
Big-omega notation, 59
Big-theta notation, 59
Bijection, 7, 50
Binary additive stream cipher, 194
    keystream generator, 194
    running key generator, 194
Binary alphabet, 11
Binary Euclidean algorithm, 632
Binary extended gcd algorithm, 608-610, 632

    attacks on
        differential cryptanalysis, 258
        differential-linear, 271
        exhaustive key search, 233-234, 273
        key clustering attack, 281
        meet-in-the-middle attack, 235
        related-key attack, 226, 281
        time-memory tradeoff, 236, 273
    Luby-Rackoff, 282
    ANSI X3.106 standard, 649

Blom's key pre-distribution system, 506, 536
Blowfish block cipher, 281
Blum integer, 74-75

    Gauss's algorithm, 68

Chipcard, 387, 424
Chor-Rivest public-key encryption, 302-306, 318
    attacks on, 318
    decryption algorithm, 303
    encryption algorithm, 303
    key generation, 303
    recommended parameter sizes, 305
    security of, 305
Chosen-ciphertext attack, 41, 226, 285
    adaptive, 285
    indifferent, 285
Chosen-message attack, 433
    directed, 482
    generic, 482
Chosen-plaintext attack, 41, 226
Cipher, 12
    see also Encryption
Cipher-block chaining mode (CBC), 230
    integrity of IV in, 230
    use in public-key encryption, 285
Cipher feedback mode (CFB), 231
    as a stream cipher, 233
    ISO variant of, 231
Cipher machine, 242-245
    Jefferson cylinder, 243
    rotor-based machine, 243-245, 276
        Enigma, 245
        Hagelin M-209, 245
        Hebern, 244
    Wheatstone disc, 274
Ciphertext, 11
Ciphertext-only attack, 41, 225
Ciphertext space, 11
Claimant, 385, 386
Classical cipher, 237-250, 273-276
    cipher machines, see Cipher machine
    cryptanalysis, 245-250, 275-276
        index of coincidence, 248
        Kasiski's method, 248
        measure of roughness, 249
    polyalphabetic substitution cipher, see Polyalphabetic substitution cipher
    substitution cipher, see Substitution cipher
    transposition cipher, see Transposition cipher
Classical modular multiplication, 600
Classical occupancy problem, 53
Claw-resistant (claw-free), 376, 468
Clipper chip, 584, 589
    key escrow, 584
    law enforcement access field (LEAF), 584
Clipper key escrow, 654
Clock-controlled generator, 209-212
co-NP, 60
Codebook, 240
Codomain of a function, 6, 50
Collision, 321
    pseudo-collision, 371
Collision resistance, 324, 325
Collision resistant hash function (CRHF), 325
Combining function, 205
Common modulus attack on RSA, 289
Commutative ring, 77
Complementation property of DES, 256-257
Complete function, 277
Complexity classes, 59-62
    BPP, 63
    co-NP, 60
    NP, 60
    NP-complete, 61
    NP-hard, 62
    NPC, 61
    P, 60
    RP, 63
    ZPP, 63
Complexity measure
    2-adic span, 218
    linear complexity, 198-201
    maximum order complexity, 217
    Turing-Kolmogorov-Chaitin complexity, 217
    Ziv-Lempel complexity, 217
Complexity of attacks on a block cipher, 225-227
    active complexity, 226
    attack complexity, 226
    data complexity, 226
    passive complexity, 226
    processing complexity, 226
    storage complexity, 226
Complexity theory, 57-63
Complexity-theoretic security, 43
Compliant, 532
Composite integer, 64
Composition of functions, 19
Computation-resistance (MAC), 325
Computational problems
    computationally equivalent, 88
    polytime reduction, 88
Computational security, 43, 226
Computational zero-knowledge protocol, 407
Computationally equivalent decision problems, 61
COMSET, 421, 536
Conditional entropy, 56
Conditional probability, 51
Conditional transinformation, 57
Conference keying, 528-529, 540
    Blundo's conference KDS bound, 529
    Burmester-Desmedt, 528
    definition of, 528
Confidentiality, 3, 4, 12
Confirmation, 3
Confounder, 418
Confusion, 20
Congruences
    integers, 67
    polynomials, 79
Conjugate gradient method, 129
Connection polynomial of an LFSR, 196, 204
    known versus secret, 204
    sparse versus dense, 205
Constrained linear equations problem, 423
Continued fraction factoring algorithm, 126
Continuous random variable, 176
Control vector, 569
    patent, 639, 658
Conventional encryption, 15
Coprime, 64
Correcting-block chaining attack, 373
Correlated, 172
Correlation attack, 206, 218
Correlation immunity, 207, 218
Counter mode, 233
CRC-based MAC, 359
Credential, 501
CRHF, see Collision resistant hash function
Cross-certificate (CA-certificate), 572
Cross-certificate pair, 573
CRT, see Chinese remainder theorem
Cryptanalysis, 15
Cryptanalyst, 15
Cryptographic check value, 363
Cryptographic primitives, 4
    taxonomy of, 5
Cryptographically secure pseudorandom bit generator (CSPRBG), 185-187
    Blum-Blum-Shub generator, 186-187
    Blum-Micali generator, 189
    definition of, 171
    Micali-Schnorr generator, 186
    modified-Rabin generator, 190
    RSA generator, 185-186
Cryptography
    definition of, 4
    goals of, 4
CRYPTOKI, 656
Cryptology, 15
Cryptoperiod of a key, 553
Cryptosystem, 15
Cut-and-choose protocol, 410, 421
Cycle of a periodic sequence, 180
Cyclic group, 69, 76
    generator of, 76
Cyclic redundancy code (CRC), 363
Cyclic register, 220
Cycling attacks on RSA, 289, 313

D

Data Authentication Algorithm (DAA), 654
Data Encryption Standard, see DES block cipher
Data integrity, 3, 4, 33, 359-368, 383
Data key, 552
Data origin authentication, 3, 4, 25, 359-368, 491
Davies-Meyer hash function, 341
de Bruijn FSR, 203
de Bruijn sequence, 203
De-skewing, 172
DEA, 649
Decimated subsequence, 211
Decision problems, 60
    computationally equivalent, 61
    polytime reduction, 61
Decryption, 11
Decryption exponent for RSA, 286
Decryption function, 11
DECT, 586
Degrees of freedom, 177
Delay element
    of an FSR, 202
    of an LFSR, 195
Delayed-carry adder, 630
Density of a knapsack set, 120
Derivative of a polynomial, 123
DES block cipher, 250-259, 276-278
    ANSI X3.92 standard, 649
    attacks on
        differential cryptanalysis, 258-259
        exhaustive key search, 233-234, 272
        linear cryptanalysis, 258-259
    complementation property, 256-257
    decryption algorithm, 255
    DESX, 273
    double DES, see Double DES

©1997 by CRC Press, Inc. — See accompanying notice at front of chapter.

Index 761

    encryption algorithm, 253
    expansion permutation, 252
    FIPS 46 standard, 654
    initial permutation (IP), 252, 277
    key schedule
        decryption, 256
        encryption, 255
    modes of operation, see Block cipher, modes of operation
    patent, 636
    permuted choices (PC1, PC2), 252
    properties and strengths, 256-259
    round, 252
    S-box, 252
    semi-weak key, 257
        anti-fixed point of, 257
    test vectors, 256
    triple-DES, 273
    weak key, 257
        fixed point of, 257
Designated confirmer signature, 487
Deterministic, 306
Deterministic algorithm, 62
Dickson polynomial, 314
Dickson scheme, 314
Dictionary attack, 42
Difference of sets, 49
Differential chaining attack, 375
Differential cryptanalysis
    of block ciphers, 258, 271, 278-280
Differential-linear cryptanalysis, 271
Diffie-Hellman key agreement, 515-520, 522-524
    ANSI X9.42 standard, 651
    composite modulus, 537
    patent, 637
Diffie-Hellman problem, 113-114
    composite moduli, 114, 131
    generalized, 113
Diffie-Lamport one-time signature scheme, 485
Diffusion, 20
Digital envelope, 550
Digital fingerprint, 321
Digital signature, see Signature
Digital Signature Algorithm (DSA), 452-454, 483
    ANSI X9.30-1 standard, 651
    FIPS 186 standard, 655
    key generation, 452
    patent, 640, 658
    security of, 453
    signature generation, 452
    signature verification, 453
    use and throw coupons, 483
Dimension of a vector space, 80
Dirichlet theorem, 135
Disavowal protocol, 477
Discrete Fourier Transform (DFT), 631
Discrete logarithms, 103-113
    baby-step giant-step algorithm, 104-106
    composite moduli, 114
    exhaustive search, 104
    for class groups, 130
    for elliptic curves, 130
    for hyperelliptic curves, 130
    function field sieve, 129
    generalized problem, 103
    heuristic running time, 129
    in subgroups of Z_p^*, 113
    index-calculus algorithms, 109-112
    lambda method, 128
    number field sieve, 128
    Pohlig-Hellman algorithm, 107-109
    Pollard's rho algorithm, 106-107
    problem definition, 103
    rigorously analyzed algorithms, 129
    security of individual bits, 116
Divisible electronic coin, 487
Division
    of integers, 63
    of polynomials, 79
Division algorithm
    for integers, 64
    for polynomials, 78
Dixon's algorithm, 95, 127
DNA computer, 130
Domain of a function, 6, 50
Double DES, 235
Double spending, 487
Double-length MDC, 339
DSA, see Digital Signature Algorithm
Dynamic key establishment, 491
Dynamic secret sharing scheme, 527

E

E-D-E triple encryption, 235, 272
E-E-E triple encryption, 272
Eavesdropper, 13, 495
ECA, see Elliptic curve factoring algorithm
ECB, see Electronic codebook mode
Effective key size, 224
Electronic cash
    divisible, 487
    untraceable, 487
Electronic codebook mode (ECB), 228-230
ElGamal key agreement, 517
ElGamal public-key encryption, 294-298
    generalized
        decryption algorithm, 297
        encryption algorithm, 297
        key generation, 297
    in Z_p^*
        decryption algorithm, 295
        encryption algorithm, 295
        key generation, 294
    recommended parameter sizes, 296
    security of, 296
ElGamal signature scheme, 454-459, 484
    generalized
        key generation, 458
        signature generation, 458
        signature verification, 458
    in Z_p^*
        key generation, 454
        security of, 455-456
        signature generation, 454
        signature verification, 454
    signature verification, 618
    variants of, 457
Elliptic curve
    discrete logarithm problem, 130
    ElGamal public-key encryption, 297
    in public-key cryptography, 316
    patents, 659
    RSA analogue, 315
    supersingular curve, 130, 316
Elliptic curve factoring algorithm (ECA), 94, 125
    implementation reports, 126
Elliptic curve primality proving algorithm, 145
Encrypted key exchange (EKE), 538
Encryption, 11
    see also Block cipher
    see also Public-key encryption
    see also Stream cipher
Encryption exponent for RSA, 286
Encryption function, 11
Encryption scheme, 12
    breakable, 14
Enemy, 13, 495
Enigma, 245, 276
Entity, 13
Entity authentication, 3, 386, 491
    ANSI X9.26 standard, 651
    FIPS 196 standard, 655
    ISO 11131 standard, 652
    ISO/IEC 9798 standard, 401-402, 404-405, 421, 647
    see also Identification
Entropy, 56-57, 246
Ephemeral secret, 494
Equivalence class, 68, 79
Equivocation, 56
Error-correcting code, 298, 363, 506
Escrowed Encryption Standard (EES)
    FIPS 185, 654
ESIGN signature scheme, 473-474, 486
    key generation, 473
    patent, 638, 658
    security of, 474
    signature generation, 473
    signature verification, 473
Euclidean algorithm
    for integers, 66
    for polynomials, 81-83
Euler liar, 138
Euler phi function (φ), 65
Euler pseudoprime, 138
Euler witness, 137
Euler's criterion, 137
Euler's theorem, 69
Exclusive-or (XOR), 20
Exhaustive key search, 14, 233-234, 272
Existential forgery, 30, 326, 432
exp (exponential function), 50
Expected running time, 63
Explicit authentication, 492
Exponent array, 617
Exponent recoding, see Exponentiation
Exponential-time algorithm, 59
Exponentiation, 613-629, 633-634
    addition chains, 621
    exponent recoding, 627-629
        signed-digit representation, 627-628
        string-replacement representation, 628-629
    fixed-base comb method, 625-627
    fixed-base Euclidean method, 624-625
    fixed-base windowing method, 623-624
    left-to-right binary method, 615
    left-to-right k-ary method, 615
    modified left-to-right k-ary method, 616
    Montgomery method, 619-620
    repeated square-and-multiply algorithm, 71, 84
    right-to-left binary method, 614
    simultaneous multiple, 617-618
    sliding-window method, 616
    vector-addition chains, 622-623
Extendable secret sharing scheme, 526
Extended Euclidean algorithm
    for integers, 67
    for polynomials, 82
Extended Riemann Hypothesis (ERH), 165
Extension field, 77
Extractor, 406

F

Factor base, 94, 109
Factoring integers, see Integer factorization
Factoring polynomials, see Polynomial factorization
Fail-stop signature scheme, 478-481, 488
    Heijst-Pedersen, 478-481
Fair blind signature scheme, 487
Fair cryptosystems, 640-641, 658
    for Diffie-Hellman key agreement, 641
    patent, 640
FEAL block cipher, 259-262, 278-279
    attacks on, 278-279
    FEAL decryption algorithm, 261
    FEAL-8 encryption algorithm, 261
    FEAL-8 key schedule, 261
    FEAL-N, 262
    FEAL-NX, 262
    patent, 639
    test vectors, 262
Feedback shift register (FSR), 195-203
    de Bruijn, 203
    definition of, 202
    delay element of, 202
    feedback bit of, 202
    feedback function of, 202
    Feedback with carry shift register (FCSR), 217-218, 222
    initial state of, 202
    linear feedback shift register, see Linear feedback shift register (LFSR)
    non-singular, 203
    nonlinear feedback shift register, 202
    output sequence of, 202
    stage of, 202
Feedback with carry shift register (FCSR), 217-218, 222
Feige-Fiat-Shamir identification protocol, 410-412, 422
Feige-Fiat-Shamir signature scheme, 447-449, 483
    identity-based modification, 449
    key generation, 447
    security of, 448
    signature generation, 448
    signature verification, 448
Feistel cipher, 251, 276
Fermat liar, 136
Fermat number, 143, 166
Fermat witness, 136
Fermat's primality test, 136
Fermat's theorem, 69
Fiat-Shamir identification protocol
    basic version, 408
    patent, 638, 658
Fiat-Shamir signature scheme, 483
    patent, 638, 658
Field, 77
    characteristic of, 77
    definition of, 77
    extension field of, 77
    finite, see Finite field
    subfield of, 77
Filtering function, 208
Finite field, 80-85
    definition of, 80
    order of, 80
    polynomial basis, 83
FIPS, 654-655, 661
    ordering and acquiring, 656
FIPS 186 pseudorandom bit generator, 174-175
FISH stream cipher, 222
Fixed-point chaining attack, 374
Floyd's cycle-finding algorithm, 91, 125
Forced delay attack, 417
Formal methods, 534, 541
Forward certificate, 575
Forward error correction, 363
Forward search attack, 34, 42, 288, 420
Fractionation, 276
Frequency distribution
    of English digrams, 247
    of single English characters, 247
Frequency test, 181
Fresh key, 494
Function, 6-10, 50
    bijection, 7
    composition of, 19
    definition of, 6
    injective, 46
    inverse, 7
    involution, 10
    one-to-one, 7
    one-way, 8
    onto, 7
    permutation, 10
    surjective, 46
    trapdoor one-way, 9
Function field sieve, 129
Functional diagram, 6
Functional graph, 54
    component size, 55
    cycle length, 55
    predecessors size, 55
    rho-length, 55
    tail length, 55
    tree size, 55
Functionally trusted third party, 39

G

Gap of a sequence, 180
Garner's algorithm, 612-613
Gauss's algorithm, 68
Gaussian integer method, 128
gcd, see Greatest common divisor
Geffe generator, 206
General-purpose factoring algorithm, 90
Generator
    of a cyclic group, 76, 160
        algorithm for finding, 163
    of F_q^*, 81
    of F_{2^m}^*, 163
    of Z_n^*, 69
    of Z_p^*, 164
        algorithm for selecting, 164
Generator matrix, 506
Girault self-certified public key, 522
GMR one-time signature scheme, 468-471, 486
    authentication tree, 470
    key generation, 469
    security of, 470
    signature generation, 469
    signature verification, 469
GOAL stream cipher, 219
Goldwasser-Kilian primality test, 166
Goldwasser-Micali probabilistic public-key encryption, 307-308
    decryption algorithm, 307
    encryption algorithm, 307
    key generation, 307
    security of, 308
Golomb's randomness postulates, 180
Goppa code, 299, 317
Gordon's algorithm for strong prime generation, 150
GOST block cipher, 282
GQ identification protocol, 412-414, 422
    patent, 639, 658
GQ signature scheme, 450-451
    key generation, 450
    message recovery variant, 451
    patent, 639, 658
    security of, 451
    signature generation, 450
    signature verification, 450
Grandmaster postal-chess problem, 418
Greatest common divisor
    binary extended gcd algorithm, 608-610, 632
    binary gcd algorithm, 606-607, 632
    Euclidean algorithm, 66
    Lehmer's gcd algorithm, 607-608, 632
    of integers, 64
    of polynomials, 81
Group, 75-76
    cyclic, 76
    definition of, 75
    of units, 77
    order of, 75
    subgroup of, 76
Group signature, 488
GSM, 586
GSS-API, 655, 661
Günther's implicitly-certified public key, 521
Günther's key agreement, 522

H

Hagelin M-209, 245, 276
Hamming weight, 105
Handwritten signature, 23
Hard predicate, 115
Hash function, 33, 321-383
    alternate terminology, 325, 371
    applications, 321-322, 330-331
    attacks, 368-375
        birthday, 369-371
        chaining, 373-375
        pseudo-collisions, 371-373
    based on block ciphers, 338-343
        Abreast Davies-Meyer, 380
        Davies-Meyer, 341
        Matyas-Meyer-Oseas, 341
        MDC-2, 342
        MDC-4, 343
        Merkle's DES-based hash, 338, 339, 378
        Miyaguchi-Preneel, 341
        N-Hash, 380
        Tandem Davies-Meyer, 380
    based on modular arithmetic, 351-352
        MASH-1, 352
        MASH-2, 352
    cascading, 334
    collision resistant (CRHF), 325
    customized, 343-351
        HAVAL, 379
        MD2, 380
        MD4, 346
        MD5, 347
        RIPEMD, 380
        RIPEMD-128, 339, 380
        RIPEMD-160, 339, 350
        Secure Hash Algorithm (SHA-1), 348
        Snefru, 380
    definition of, 322
    ideal security, 336
    initialization value (IV), 335
    MD-strengthening, see MD-strengthening
    Merkle's meta-method, 333
    one-way (OWHF), 325
    padding, 334-335
    properties of
        2nd-preimage resistance, 323
        collision resistance, 324
        compression, 322
        ease of computation, 322
        local one-wayness, 331
        near-collision resistance, 331
        non-correlation, 331
        partial-preimage resistance, 331
        preimage resistance, 323
        strong collision resistance, 324
        weak collision resistance, 324
    r-collision resistant, 424
    strong one-way, 325
    universal classes of, 376
    universal one-way, 377
    weak one-way, 325
Hash-code, 321
Hash-result, 321
Hash-value, 33, 321
HAVAL hash function, 379
Heijst-Pedersen fail-stop signature scheme, 478-481
    key generation, 478
    proof-of-forgery algorithm, 481
    signature generation, 479
    signature verification, 479
Hellman-Merkle patent, 637, 658
Heuristic security, 43, 533
High-order digit, 593
Hill cipher, 240, 274
Historical work factor, 44
HMAC, 355
Homomorphic property of RSA, 289
Homophonic substitution cipher, 17, 240
Hybrid protocol, 512
Hyperelliptic curve
    discrete logarithm problem, 130
    ElGamal public-key encryption, 297
Hypothesis testing, 179-180

I

IC card, 387
IDEA block cipher, 263-265, 279-280
    attacks on, 279-280
    decryption algorithm, 264
    encryption algorithm, 264
    key schedule, 264
    patent, 640, 658
    test vectors, 265
    weak keys, 279
Ideal secret sharing scheme, 526, 527
Identification, 3, 24-25, 385-424
    applications of, 387
    attacks on, 417-420, 424
        chosen-text, 417
        forced delay, 417
        impersonation, 417
        interleaving, 417
        local, 419
        non-interactive, 419
        off-line, 419
        pre-play, 397, 398
        reflection, 417
        remote, 419
        replay, 417
    challenge-response, see Challenge-response identification
    mutual, 387
    passwords, see Passwords (weak authentication)
    questionnaire-based, 420
    relation to signatures, 388
    unilateral, 387
    zero-knowledge, see Zero-knowledge identification
    see also Entity authentication
Identification Friend or Foe (IFF) system, 421
Identity verification, 385
Identity-based key establishment, 493
Identity-based system, 538, 561-562, 587
IDUP, 661
IEEE P1363 standard, 660
IETF, 655
Image of a function, 6, 50
Impersonation, 27, 42, 386, 417
Impersonator, 495
Implicit key authentication, see Key authentication
Implicitly-certified public key, 520-522, 562-563, 588
    Diffie-Hellman using, 522-524
    identity-based, 563
    of Girault, 522
    of Günther, 521
    self-certified, 563
Imprint, 321
Improved PES (IPES), 279
In-line trusted third party, 547
Incremental hashing, 378
Independent events, 51
Index of coincidence, 248, 275
Index-calculus algorithm, 109-112, 128
    Gaussian integer method, 128
    in F_{2^m}^*, 111
        implementation reports, 128
    in Z_p^*, 110
        implementation reports, 128
    linear sieve, 128
    residue list sieve, 128
Information dispersal algorithm (IDA), 539
Information rate, 527
Information security, 2
    objectives of, 3
Information security service, 14
    breaking of, 15
Information theory, 56-57
Initial state
    of an FSR, 202
    of an LFSR, 196
Injective function, 46, 50
Inner product, 118
Input size, 58
Insider, 496
    one-time, 496
    permanent, 496
Integer, 49
    multiple-precision, 593
    negative
        signed-magnitude representation, 593
        two's complement representation, 594
    single-precision, 593
Integer arithmetic, see Multiple-precision integer arithmetic
Integer factorization, 89-98
    continued fraction algorithm, 126
    Dixon's algorithm, 95, 127
    elliptic curve algorithm, 94
    general number field sieve, 98
    general-purpose algorithms, 90
    heuristic running times, 127
    multiple polynomial quadratic sieve, 97
    Pollard's p-1 algorithm, 92-93
    Pollard's rho algorithm, 91-92
    problem definition, 89
    quadratic sieve algorithm, 95-97
    random square methods, 94-98
    special number field sieve, 98
    special-purpose algorithms, 90
    trial division, 90-91
Integers modulo n, 67-71
Integrity check value (ICV), 363
Interactive proof system, 406
    Arthur-Merlin games, 421
    completeness, 406
    soundness, 406
Interleaving attack, 42, 417, 531, 540
Interloper, 13
Internal vertex, 557
Internet security standards, 655-656, 661
Intersection of sets, 49
Intruder, 13, 495
Intruder-in-the-middle attack, 530, 540
Inverse function, 7
Inversion attack on stream ciphers, 219
Involution, 10
Irreducible polynomial, 78, 154-160
    algorithm for generating, 156
    algorithm for testing, 155
    number of, 155
    primitive polynomial, see Primitive polynomial
    trinomials, 157
ISO standards, see ISO/IEC standards
ISO/IEC 9796, 442-444, 482-483
ISO/IEC standards, 645-648, 651-653, 660-661
    committee draft (CD), 645
    draft international standard (DIS), 645
    ordering and acquiring, 656
    working draft (WD), 645
Isomorphic, 81, 104
Iterated block cipher, 251
ITU, 653

J

Jacobi sum primality test, 144, 166
Jacobi symbol, 73
    computing, 73
Jefferson cylinder, 243, 274
Joint entropy, 56
JTC1, 645

K 

Karatsuba-Ofman  multiplication,  630 
Kasiski's  method,  248,  275 
KDC,  see  Key  distribution  center  (KDC) 
Kerberos  authentication  protocol,  401,  501-502, 
535-536 
RFC  1510,  656 
Kerckhoffs’  assumption,  225 
Kerckhoffs’  desiderata,  14 
Key,  1 1 

archival,  580 
backup,  580 
cryptoperiod  of,  553 
data,  552 

de-registration,  580 
derived,  568 
destruction,  580 
fresh,  494 
generator,  549 
installation,  579 
key-encrypting,  552 
key-transport,  552 
layering,  551-553 
long-term,  553 
master,  55 1 
notarization,  568 
offsetting,  568 
private,  27,  544 
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public,  27,  544 

public-key  vs.  symmetric-key,  31-32,  551 
recovery,  580 
registration,  579 
revocation,  566,  580 
secret,  544 
separation,  567 
short-term,  553 
symmetric,  544 
terminal,  552 
update,  580 
variant,  568 
Key  access  server,  549 

Key  agreement,  34,  35,  505-506,  515-524,  536- 
538 

Blom’s  key  pre-distribution  system,  506 
definition  of,  490 
Diffie-Hellman,  516 
ElGamal,  517 

encrypted  key  exchange  (EKE),  538 
Gunther,  522 
MTI/ A0,  517-519 
relation  to  key  transport,  49 1 
Station-to-station  (STS),  519 
Key  authentication,  492 
Key  clustering  attack  on  block  ciphers,  281 
Key  confirmation,  492 
Key  control,  494 
Key  derivation,  490,  498 
Key distribution
confidential keys, 551-555
key layering, 551-553
key translation center, 553-554
symmetric-key certificates, 554-555
public keys, 555-566
authentication trees, 556-559
certificates, 559-561
identity-based, 561-562
implicitly-certified, 562-563
Key  distribution  center  (KDC),  491,  500,  547 
Key  distribution  pattern,  536 
Key  distribution  problem,  16,  546 
Key  distribution  system  (KDS),  505 
Blom’s  KDS  bound,  505 
security  against  coalitions,  505 
Key  escrow,  584-586 
agent,  550,  584 
Clipper, 584
Key establishment, 489-541
analysis of, 530-534, 540-541
attacks on
interleaving, 531
intruder-in-the-middle, 530
misplaced trust in server, 531
reflection, 530
authenticated, 492, 493
compliant, 532
definition of, 35, 490
identity-based, 493
key agreement, see Key agreement
key transport, see Key transport
message-independent, 493
operational, 532
resilient, 532
simplified classification, 491
Key life cycle, 577-581
key states, 580
Key  management,  36-38,  543-590 
ANSI  X9. 17  standard,  650 
ANSI  X9.24  standard,  650 
ANSI  X9.28  standard,  651 
ANSI  X9.42  standard,  651 
centralized,  546 
controlling  key  usage,  567-570 
definition  of,  35,  544 
ISO  8732  standard,  652 
ISO  10202-7  standard,  652 
ISO  11166  standard,  652 
ISO  11568  standard,  653 
ISO/IEC  11770  standard,  647 
key  agreement,  see  Key  agreement 
key  distribution,  see  Key  distribution 
key  establishment,  see  Key  establishment 
key  life  cycle,  577-581 
key  transport,  see  Key  transport 
Key  management  facility,  549 
Key  notarization,  568 
patent,  642,  658 
Key pair, 12
Key pre-distribution scheme, 540
definition of, 490
Key server, 549
Key space, 11, 21, 224
Key tag, 568
Key translation center (KTC), 491, 500, 547, 553
Key transport, 35, 497-504, 506-515, 535-536
AKEP1, 499
AKEP2, 499
Beller-Yacobi (2-pass), 514
Beller-Yacobi (4-pass), 513
COMSET, 536
definition of, 490
Kerberos, 501-502
Needham-Schroeder public-key, 508
Needham-Schroeder shared-key, 503
Otway-Rees protocol, 504
relation to key agreement, 491
Shamir's no-key protocol, 500
X.509 three-way, 512
X.509 two-way, 511
Key update, 490
Keyed hash function, see Message authentication code (MAC)
Keying  material,  544 
Keying  relationship,  544 
Keystream,  20,  193,  194 
Key  stream  generator,  21,  194 
Khafre block cipher, 271
attacks on, 281
patent, 644
Khufu block cipher, 271
attacks on, 281
patent, 644
Knapsack generator, 209, 220
Knapsack problem, 131
Knapsack public-key encryption, 300-306
Chor-Rivest, 302-306
Merkle-Hellman, 300-302
Knapsack set, 117
density of, 120
Known-key  attack,  42,  496,  534 
Known-key  triangle  attack,  538 
Known-message  attack,  432 
Known-plaintext  attack,  41,  225 
KryptoKnight,  535,  541 
KTC,  see  Key  translation  center  (KTC) 

L 

L³-lattice basis reduction algorithm, 118-120, 131
Lagrange's theorem, 76
Lambda method for discrete logarithms, 128
Lamport's one-time-password scheme, 396
Lanczos method, 129
Lattice, 118
dimension of, 118
reduced basis, 118
Lattice  basis  reduction  algorithm,  118-120, 131,317 
Law  of  large  numbers,  52 
Law  of  quadratic  reciprocity,  72 
lcm,  see  Least  common  multiple 
Leading  coefficient,  78 
LEAF,  584-585 
Leaf  of  a binary  tree,  557 
Least  common  multiple,  64 
Least  significant  digit,  593 
Legendre  symbol,  72 
computing, 73
Lehmer's gcd algorithm, 607-608, 632
Length of a vector, 118
Liar, 135
Euler, 138
Fermat, 136
strong, 139
Life  cycle,  see  Key  life  cycle 
Linear  code,  506 
Linear  combination,  80 
Linear complexity, 198-201
algorithm for computing, see Berlekamp-Massey algorithm
of a finite sequence, 198
of a random periodic sequence, 199
of a random sequence, 198
of an infinite sequence, 198
profile, 199
Linear  complexity  profile,  199-200 
algorithm  for  computing,  201 
limitations  of,  200 
of  a random  sequence,  199 
Linear  congruential  generator,  170,  187 
multivariate  congruential  generator,  187 
truncated, 187
Linear consistency attack, 219-220
Linear cryptanalysis
of block ciphers, 258, 271, 278, 280
of stream ciphers, 219
Linear feedback shift register (LFSR), 195-201
connection polynomial of, 196
definition of, 195
delay  element  of,  195 
feedback  bit  of,  196 
initial  state  of,  196 
maximum-length,  197 
non-singular,  196 
output  sequence  of,  195 
stage  of,  195 
Linear  sieve,  128 
Linear  syndrome  attack,  218 
Linear  system  (solving  large),  129 
Linearly  dependent,  80 
Linearly  independent,  80 
LION  block  cipher,  282 
Little-endian,  344 
Little-o  notation,  59 
Lock-in, 221
Logarithm, 49
LOKI block cipher, 281
LOKI'89, 281
LOKI'91, 270, 281
Long-term  key,  553 
Low-order  digit,  593 
Luby-Rackoff  block  cipher,  282 
LUC  cryptosystem,  314 
LUCDIF,  316 
LUCELG, 316
Lucas-Lehmer primality test, 142
Lucifer block cipher, 276
patent, 641, 659

M 

m-sequence, 197
MAC, see Message authentication code (MAC)
Manipulation detection code, see Modification detection code
Mapping, 6, 50
Markov cipher, 280
MASH-1 hash function, 352
ISO/IEC 10118-4 standard, 647
MASH-2 hash function, 352
ISO/IEC 10118-4 standard, 647
Master key, 551
Matyas-Meyer-Oseas hash function, 341
ISO/IEC 10118-2 standard, 647
Maurer's algorithm for provable prime generation, 153, 167
Maurer's  universal  statistical  test,  183-185,  189 
Maximum  order  complexity,  217 
Maximum-length  LFSR,  197 
Maximum-rank-distance  (MRD)  code,  317 
McEliece  public-key  encryption,  298-299,  317 
decryption  algorithm,  299 
encryption  algorithm,  299 
key  generation,  298 
recommended  parameter  sizes,  299 
security of, 299
MD-strengthening, 334, 335, 337
MD2 hash function, 380
RFC 1319, 655
MD4 hash function, 346
RFC 1320, 655
MD5 hash function, 347
RFC 1321, 655
MD5-MAC, 358
MDC, see Modification detection code
MDC-2 hash function, 342
ISO/IEC 10118-2 standard, 647
patent, 639
MDC-4 hash function, 343
patent, 639
MDS code, 281, 506
Mean, 51
Measure  of  roughness,  249 
Mechanism,  34 
Meet-in-the-middle  attack 
on  double  DES,  235 
on  double  encryption,  235 
time-memory  tradeoff,  236 
on multiple encryption
time-memory tradeoff, 236
Meet-in-the-middle chaining attack, 374
Merkle channel, 48
Merkle  one-time  signature  scheme,  464-466,  485 
authentication  tree,  466 
key  generation,  464 
patent,  643 
security  of,  465 
signature  generation,  465 
signature  verification,  465 
Merkle  puzzle  scheme,  47,  537 
Merkle's  DES-based  hash  function,  338,  339,  378 
Merkle's  meta-method  for  hashing,  333 
Merkle-Hellman knapsack encryption, 300-302, 317-318
basic
decryption algorithm, 301
encryption algorithm, 301
key generation, 300
multiple-iterated
key generation, 302
patent, 637
security of, 302
Mersenne number, 142
Mersenne prime, 142, 143, 160
Message authentication, see Data origin authentication
Message authentication code (MAC), 33, 323, 352-359, 381-383
applications  of,  323,  330 
based  on  block  ciphers,  353-354 
CBC-MAC,  see  CBC-MAC 
CFB-64  MAC,  650 
RIPE-MAC,  see  RIPE-MAC 
birthday  attack  on,  352 
customized,  356-358 
bucket  hashing,  382 
MD5-MAC, 358
Message Authenticator Algorithm (MAA), 356
definition, 325
for stream ciphers, 358-359
CRC-based, 359
Lai-Rueppel-Woollven scheme, 383
Taylor's scheme, 383
from MDCs, 354-355
envelope method with padding, 355
hash-based MAC, 355
HMAC, 355
secret prefix method, 355
secret suffix method, 355
XOR MAC, 382
ISO 8730 standard, 652
ISO 9807 standard, 652
properties of
compression, 325
computation-resistance, 325
ease of computation, 325
key non-recovery, 325
retail MAC, 650
types of attack
adaptive  chosen-text,  326 
chosen-text,  326 
known-text,  326 
types  of  forgery 
existential,  326 
selective,  326 
see  also  CBC-MAC 
Message  authentication  tag  system,  376 
Message  Authenticator  Algorithm  (MAA),  356 
ISO  8731-2  standard,  652 
Message  concealing  in  RSA,  290,  313 
Message  digest,  321 
Message  integrity  code  (MIC),  323 
Message space, 11
Message-independent key establishment, 493
Micali-Schnorr pseudorandom bit generator, 186
Miller-Rabin primality test, 139, 165
MIME, 656, 661
Minimum disclosure proof, 421
Minimum polynomial, 156
Mips year, 126
MISSI, 590
Mixed-radix representation, 611, 630
Mixing algebraic systems, 279
Miyaguchi-Preneel hash function, 341
Möbius function, 154
mod notation, 64
Modes of operation
multiple modes, see Multiple encryption, modes of operation
single modes, see Block cipher, modes of operation
Modification detection code (MDC), 33, 323, 324
Modified-Rabin pseudorandom bit generator, 190
Modified-Rabin signature scheme, 439-442, 482
key generation, 440
security of, 441
signature generation, 440
signature verification, 440
Modular arithmetic, see Multiple-precision modular arithmetic
Modular exponentiation, see Exponentiation
Modular reduction, 599
Barrett, 603-605, 631
Montgomery, 600-602, 631
special moduli, 605-606
Modular representation, see Mixed-radix representation
Modulus, 67
Monic polynomial, 78
Mono-alphabetic substitution cipher, see Substitution cipher
Monobit  test,  181 
Monotone  access  structure,  527 
Montgomery  exponentiation,  619-620 
Montgomery  multiplication,  602-603 
Montgomery  reduction,  600-602,  631 
MOSS, 656
RFC 1848, 656
Most significant digit, 593
MTI protocols, 518, 537
MTI/A0 key agreement, 517-519, 537
Goss variant, 537
patent, 644, 659
Multi-secret threshold scheme, 527
Multiple encryption, 234-237
definition of, 234
double encryption, 234
modes of operation, 237
triple-inner-CBC mode, 237
triple-outer-CBC mode, 237
triple encryption, 235
E-D-E, 235
two-key  triple-encryption,  235 
Multiple  polynomial  quadratic  sieve,  97 
Multiple-precision  integer,  593 
Multiple-precision  integer  arithmetic,  592-599 
addition,  594-595 
division,  598-599 
normalization,  599 
gcd,  see  Greatest  common  divisor 
multiplication, 595-596
discrete Fourier transform (DFT), 631
Karatsuba-Ofman, 630
squaring, 596-597
subtraction, 594-595
Multiple-precision modular arithmetic, 599-606
addition, 600
exponentiation, see Exponentiation
inversion, 610
multiplication
classical, 600
Montgomery multiplication, 602-603
reduction, 599
Barrett, 603-605, 631
Montgomery, 600-602, 631
special moduli, 605-606
subtraction, 600
Multiplexer generator, 220
Multiplicative group
of Z_n, 69
of a finite field, 81
Multiplicative inverse, 68
computing, 71, 84, 610
Multiplicative property in RSA, 288, 435, 482
Multiplicity of a factor, 122
Multispeed inner-product generator, 220
Multivariate polynomial congruential generator, 187
Mutual authentication, 387, 402, 405, 494
Mutual information, 57
Mutually exclusive events, 51
Mutual  authentication,  387,  402,  405,  494 
Mutual  information,  57 
Mutually  exclusive  events,  51 

N 

N-Hash  function,  380 
Name server, 549
Needham-Schroeder  public-key,  508,  536 
Needham-Schroeder  shared-key,  401,  503,  535 
Next-bit  test,  171 
Next-discrepancy,  200 
Nibble,  443 
NIST,  654 
Noise  diode,  40 
Non-interactive  protocol,  493 
Non-interactive  ZK  proof,  424 
Non-malleable  encryption,  311,  319 
Non-repudiation,  3,  4,  582-584 
ISO/IEC  13888  standard,  648 
Non-singular 
FSR,  203 
LFSR,  196 
Nonce, 397, 497
Nonlinear combination generator, 205-208
combining function of, 205
Nonlinear feedback shift register, see Feedback shift register (FSR)
Nonlinear filter generator, 208-209
filtering function, 208
Nonlinear order, 205
Normal basis, 168
exponentiation,  642 
multiplication,  642 
patents,  642-643,  659 
Normal  distribution,  176-177 
mean  of,  176 
standard,  176 
variance  of,  176 
Normal  polynomial,  168 
Normalization,  599 
Notarized  key,  569 
Notary
agent, 550
seal, 569
service, 582
NP, 60
NP-complete, 61
NP-hard, 62
NPC, 61
Number field sieve
for  discrete  logarithms,  128 
for  integer  factorization,  98,  126 
implementation  reports,  126,  127 
general  number  field  sieve,  98 
special  number  field  sieve,  98,  126 
Number theory, 63-75
Nyberg-Rueppel signature scheme, 460-462, 485
security of, 461
signature generation, 461
signature verification, 461

O

Object  identifier  (OID),  660 
OFB,  see  Output  feedback  mode 
Off-line  trusted  third  party,  548 
Ohta-Okamoto  identification  protocol,  422 
On-line  certificate,  576 
On-line  trusted  third  party,  547 
On-line/off-line  signature,  486 
patent, 644
One-key encryption, 15
One-sided statistical test, 179
One-time insider, 496
One-time pad, 21, 192-193, 274
patent, 657
One-time password scheme, 395-397
One-time signature scheme, 462-471
Diffie-Lamport, 485
GMR, 468-471
Merkle, 464-466
Rabin, 462-464
validation  parameters,  462 
One-to-one  function,  7-8,  50 
One-way  cipher,  377 
One-way  function,  8-9,  327 
DES-based,  190,  328 
exponentiation  modulo  a prime,  115,  329 
multiplication  of  large  primes,  329 
Rabin  function,  115 
RSA function, 115
One-way hash function (OWHF), 325
One-way permutation, 115, 328
Onto function, 7, 50
Open Systems Interconnection (OSI), 653, 660
Operational, 532
Opponent, 13, 495
see also Attacker
Optimal normal basis, 168, 659
Oracle, 88
Order
generating element of maximum order in Z_n^*, 163
of Z_n^*, 69
of a finite field, 80
of a group, 75
of a group element, 76, 160
algorithm for determining, 162
of an element in Z_n^*, 69
Otway-Rees  protocol,  504,  536 
Output  feedback  mode  (OFB),  232-233 
as  a stream  cipher,  233 
changing  IV  in,  232 
counter  mode,  233 
feedback  size,  233 
Outsider, 496
OWHF,  see  One-way  hash  function 
Ownership,  3 

P 

P, 60
Palindromic keys of DES, 257
Party, 13
Passcode generator, 402
Passive adversary, 15
Passive attack, 41, 495
Passkey, 395
Passphrase, 390
Passwords  (weak  authentication),  388-397,  420 
aging,  390 
attacks  on,  391-393 
dictionary,  392 
exhaustive  search,  391 
password-guessing,  392 
pre-play,  397 
replay, 391
encrypted password file, 389
entropy, 392
generator, 387
one-time, 395-397
Lamport's scheme, 396
passkey, 395
passphrase, 390
personal identification number (PIN), 394
rules, 389
salting, 390
stored password file, 389
UNIX, 393-394
Patents, 635-645, 657-659
ordering and acquiring, 645
priority date, 636
validity period, 636
PEM,  see  Privacy  Enhanced  Mail  (PEM) 
Pepin’s  primality  test,  166 
Perceptrons  problem,  423 
Perfect  forward  secrecy,  496,  534 
Perfect  power 
testing for, 89
Perfect secrecy, 42, 227, 307
Perfect secret sharing scheme, 526, 527
Perfect zero-knowledge protocol, 407
Period of a periodic sequence, 180
Periodic sequence, 180
autocorrelation function of, 180
cycle of, 180
period of, 180
Permanent insider, 496
Permutation, 10, 50
Permutation polynomial, 314
Permuted kernel problem, 423
Personal Identification Number (PIN)
ANSI X9.8 standard, 649
ISO 9564 standard, 652
PGP, see Pretty Good Privacy (PGP)
Phi function (φ), 65
Photuris, 661
Physically secure channel, 13
PIKE stream cipher, 222
PIN, see Passwords (weak authentication), see Personal Identification Number (PIN)
PKCS standards, 656, 661
ordering and acquiring, 657
PKCS #1, 445-447, 483
Plaintext, 11
Plaintext-aware  encryption  scheme,  311-312 
Playfair  cipher,  239,  274 
Pless  generator,  218 
PN-sequence,  181 
Pocklington's  theorem,  144 
Pohlig-Hellman  algorithm,  107-109,  128 
Pohlig-Hellman cipher, 271
patent, 642, 659
Poker test, 182, 188
Policy Certification Authority (PCA), 589
Pollard's p-1 algorithm, 92-93, 125
Pollard's rho algorithm
for discrete logarithms, 106-107, 128
for factoring, 91-92, 125
Polyalphabetic substitution cipher, 18, 241-242, 273-274
auto-key cipher, 242
Beaufort cipher, 241
cipher machine, see Cipher machine
PURPLE cipher, 276
Vigenère cipher
auto-key, 242
compound, 241
full, 242
running-key, 242
simple, 18, 241
single mixed alphabet, 242
Polygram substitution cipher, 239
Polynomial, 78
irreducible,  78 
leading  coefficient  of,  78 
Polynomial  basis,  83 
Polynomial  factorization,  122-124,  132 
Berlekamp’s  Q-matrix  algorithm,  124 
square-free  factorization,  123 
Polynomial-time  algorithm,  59 
Polynomial-time  indistinguishability,  318 
Polynomial-time  statistical  test,  171 
Polynomially  security  public-key  encryption,  306 
Polytime  reduction,  61,  88 
Practical  security,  43 
Pre-play  attack,  397,  398 
Pre-positioned  secret  sharing  scheme,  527 
Precision,  593 
Preimage,  6,  50 
Preimage  resistance,  323 
Pretty  Good  Privacy  (PGP),  661 
Primality  proving  algorithm,  see  Primality  test,  true 
primality  test 
Primality test
probabilistic  primality  test,  135-142 
comparison,  140-142 
Fermat’s  test,  136 
Miller-Rabin  test,  139 
Solovay-Strassen  test,  138 
true  primality  test,  142-145 
Atkin’s  test,  145 
Goldwasser-Kilian  test,  166 
Jacobi  sum  test,  144 
Lucas-Lehmer  test,  142 
Pepin’s  test,  166 
Prime  number,  9,  64 
Prime  number  generation,  145-154 
algorithms
Gordon's algorithm, 150
Maurer's algorithm, 153
NIST method, 151
random search, 146
DSA primes, 150-152
incremental search, 148
provable primes, 152-154
random search, 145-149
strong primes, 149-150
Prime  number  theorem,  64 
Primitive  element,  see  Generator 
Primitive  normal  polynomial,  168 
Primitive  polynomial,  157-160 
algorithm  for  generating,  160 
algorithm  for  testing,  157 
definition  of,  84 
Primitives,  4 
Principal, 495
Principal square root, 74
Privacy, see Confidentiality
Privacy Enhanced Mail (PEM), 588, 655
RFCs 1421-1424, 655
Private key, 26, 27, 544
Private-key certificate, see Symmetric-key certificate
Private-key encryption, 15
Probabilistic public-key encryption, 306-312, 318-319
Blum-Goldwasser, 308-311
Goldwasser-Micali, 307-308
security level
polynomially secure, 306
semantically secure, 306
Probability, 50
Probability density function, 176
Probability distribution, 50
Probability theory, 50-55
Probable prime, 136
Product cipher, 20, 251
Proof of knowledge, 406, 421, 422
Proposed Encryption Standard (PES), 279
Protection lifetime, 553, 578
Protocol
authentication, 493
cut-and-choose, 410, 421
definition of, 33, 490
failure of, 34
hybrid, 512
identification,  see  Identification 
key  establishment,  see  Key  establishment 
message-independent,  493 
non-interactive,  493 
witness  hiding,  423 
zero-knowledge,  405-417 
Provable  prime,  134,  142 
Provable  security,  43,  533 
Prover,  386 
Pseudo-collision,  37 1 
Pseudo-Hadamard  transform,  266 
Pseudo-noise  sequence,  181 
Pseudoprime,  136 
Euler,  138 
strong, 139
Pseudorandom bit generator (PRBG), 173-175
ANSI X9.17, 173
definition of, 170
FIPS 186, 174-175
linear congruential generator, 170, 187
Pseudorandom bit sequence, 170
Pseudorandom function, 331
Pseudorandom sequences, 39-41
Pseudosquares modulo n, 74, 99, 308
Public key, 26, 27, 544
compared vs. symmetric-key, 31-32, 551
implicitly-certified, 520-522
Public-key certificate, 39, 559-561, 587
data part, 559
distinguished name, 559
signature part, 559
Public-key encryption, 25-27, 283-319
advantages of, 31
disadvantages of, 32
ElGamal, 294-298
knapsack, 300-306
Chor-Rivest,  302-306 
Merkle-Hellman,  300-302 
LUC,  see  LUC  cryptosystem 
McEliece,  298-299 
non-malleable,  311 
plaintext-aware,  311-312 
probabilistic, 306-312
Blum-Goldwasser,  308-311 
Goldwasser-Micali,  307-308 
Rabin,  292-294 
reversible,  28 
RSA,  285-291 
types  of  attacks,  285 
Williams,  315 
PURPLE  cipher,  276 
Puzzle  system,  376,  537 

Q 

Quadratic  congruential  generator,  187 
Quadratic  non-residues,  70 
Quadratic  residues,  70 
Quadratic  residuosity  problem,  99,  127,  307 
Quadratic  sieve  factoring  algorithm,  95-97,  126 
implementation  reports,  126 
Quantum  computer,  130 
Quantum  cryptography,  48,  535 
Quotient,  64,  78 

R 

Rabin  one-time  signature  scheme,  462-464 
key  generation,  463 
resolution  of  disputes,  463 
signature  generation,  463 
signature  verification,  463 
Rabin  public-key  encryption,  292-294,  315 
decryption  algorithm,  292 
encryption  algorithm,  292 
key  generation,  292 
security  of,  293 
use  of  redundancy,  293 
Rabin  signature  scheme,  438-442,  482 
ISO/IEC 9796, 442-444
key generation, 438
signature generation, 438
signature verification, 439
use of redundancy, 439
Rabin's information dispersal algorithm (IDA), 539
RACE/RIPE  project,  421,  536 
Radix  representation,  592-593 
base b, 592
binary,  592 
high-order  digit,  593 
least  significant  digit,  593 
low-order  digit,  593 
mixed,  611,  630 
most  significant  digit,  593 
precision,  593 
radix b, 592
Ramp schemes, see Secret sharing
Random bit generator, 39-41, 171-173
cryptographically secure pseudorandom bit generator, see Cryptographically secure pseudorandom bit generator (CSPRBG)
definition of, 170
hardware techniques, 172
pseudorandom bit generator, see Pseudorandom bit generator (PRBG)
software techniques, 172
Random cipher, 225
Random cipher model, 246
Random function, 190
poly-random, 190
Random mappings model, 54
Random oracle model, 316
Random square methods, 94-98
Random variable, 51
continuous, 176
entropy of, 56
expected value of, 51
mean of, 51
standard deviation of, 51
variance of, 51
Randomized  algorithm,  62-63 
Randomized  DES  (RDES)  block  cipher,  278 
Randomized  encryption,  225,  296,  306 
Randomized  stream  cipher,  216 
Range  of  a function,  46 
Rate  of  an  iterated  hash  function,  340 
Rational  numbers,  49 
RC2  block  cipher,  282 
RC4  stream  cipher,  222,  282 
RC5  block  cipher,  269-270,  280-281 
attacks  on,  280-281 
decryption  algorithm,  270 
encryption  algorithm,  270 
key schedule, 270
patent,  659 
test  vectors,  270 
weak  keys,  281 
Real  number,  49 
Real-time, 385
Reblocking  problem  in  RSA,  435-436,  482 
Receipt,  3 
Receiver,  13 
Reduced  basis,  118 
Redundancy,  29,  431 
of English, 245
Reflection attack, 417, 530, 540
Registration authority, 549
Related-key attack on block ciphers, 281
Relatively prime, 64
Remainder, 64, 78
Replay attack, 42, 417
Requests for Comments, see RFCs
Residue list sieve, 128
Resilient key establishment protocol, 532
Response, 409
Retail banking, 648
Retail MAC, 650
Reverse certificate, 575
Reversible public-key encryption scheme, 28
Revocation, 3
RFCs, 655-656
ordering and acquiring, 657
Ring, 76-77
commutative,  77 
definition  of,  76 
group  of  units,  77 
polynomial,  78-79 
Rip  van  Winkle  cipher,  216 
RIPE-MAC,  354,  381 
RIPEMD  hash  function,  380 
RIPEMD-128  hash  function,  339,  380 
RIPEMD-160 hash function, 339, 350
ISO/IEC 10118-3 standard, 647
Root vertex, 557
Rotor-based machine, see Cipher machine
Round function, 251
Round of a product cipher, 20
RP, 63
RSA-129 number, 126, 130
RSA  problem,  98-99,  127,  287 
security  of  individual  bits,  116 
RSA  pseudorandom  bit  generator,  185-186 
RSA  public-key  encryption,  285-291,  312-315 
decryption  algorithm,  286,  611,  613 
decryption  exponent,  286 
elliptic  curve  analogue,  315 
encryption algorithm, 286
encryption exponent, 286
key generation, 286
modulus, 286
patent, 638
prime selection, 290
recommended modulus size, 290
security of, 287-290
adaptive chosen-ciphertext attack, 289, 313
common modulus attack, 289
cycling attacks, 289, 313
forward search attack, 288
message concealing, 290, 313
multiplicative properties, 288
polynomially related plaintext, 313
relation to factoring, 287
small decryption exponent, 288
small encryption exponent, 288, 291, 313
unbalanced, 314
RSA  signature  scheme,  433-438,  482 
ANSI  X9.31-1  standard,  651 
bandwidth  efficiency,  437 
ISO/IEC 9796, 442-444
key generation, 434
patent, 638
PKCS #1, 445-447
reblocking problem, 435-436, 482
redundancy function, 437
security of, 434-435
signature generation, 434, 613
signature verification, 434
Run of a sequence, 180
Running key generator, 194
Runs test, 182, 188

S

S/MIME, 661
Safe prime, 537
algorithm for generating, 164
definition of, 164
SAFER block cipher, 266-269, 280
attacks on, 280
SAFER K-64 decryption algorithm, 269
SAFER K-64 encryption algorithm, 268
SAFER K-64 key schedule, 268
SAFER K-128, 280
SAFER SK-64 key schedule, 268
SK-128, 280
test vectors, 269
Salt, 288, 390
Schnorr identification protocol, 414-416, 422
patent, 639
Schnorr signature scheme, 459-460, 484
Brickell-McCurley variant, 484
Okamoto variant, 484
patent, 639
signature  generation,  459 
signature  verification,  460 
SEAL  stream  cipher,  213-216 
implementation  report,  222 
patent,  222 
test  vectors,  215 
Sealed  authenticator,  361 
Sealed key, 568
2nd-preimage  resistance,  323,  325 
Secrecy,  see  Confidentiality 
Secret  broadcasting  scheme,  540 
Secret  key,  544 
Secret-key  certificate,  588 
Secret  sharing,  524-528,  538-540 
access  structure,  526 
authorized  subset,  527 
dynamic,  527 
extendable,  526 
generalized,  526-528 
ideal, 527
information  rate,  527 
multi-secret  threshold,  527 
perfect,  526,  527 
pre-positioned,  527 
ramp  schemes,  539 
shared  control  schemes,  524-525 
threshold  scheme,  525-526 
verifiable,  527 
visual  cryptography,  539 
with  disenrollment,  528 
Secure channel, 13
Secure  Hash  Algorithm  (SHA-1),  348 
ANSI  X9.30-2  standard,  651 
FIPS  180-1  standard,  654 
ISO/IEC  10118-3  standard,  647 
Secured  channel,  13 
Security  domain,  570 
Security  policy,  545 
Seed,  21,  170 
Selective  forgery,  326,  432 
Self-shrinking  generator,  221 
Self-synchronizing  stream  cipher,  194-195 
Semantically  secure  public-key  encryption,  306 
Semi-weak  keys  of  DES,  257 
Sender,  13 
Sequence
block of, 180
de Bruijn, 203
gap of, 180
m-sequence, 197
periodic, 180
pn-sequence, 181
pseudo-noise, 181
run of, 180
Sequence numbers, 399
Serial test, 181, 188
Session key, 36, 494
Session key establishment, 491
SHA-1, see Secure Hash Algorithm (SHA-1)
Shadow, 538
Shamir's  no-key  protocol,  500,  535 
Shamir's  threshold  scheme,  526,  539 
Shared  control  schemes,  524-525 
Shares,  524-528,  538 
SHARK  block  cipher,  281 
Shift  cipher,  239 
Short-term  key,  553 
Shrinking  generator,  211-212 
implementation  report,  221 
Sieving, 97
Signature, 3, 22-23, 28-30, 425-488
arbitrated, 472-473
blind, see Blind signature scheme
designated confirmer, 487
deterministic, 427
Diffie-Lamport, 485
Digital Signature Algorithm (DSA), 452-454
ElGamal, 454-459
ESIGN, 473-474
fail-stop, see Fail-stop signature scheme
Feige-Fiat-Shamir, 447-449
framework, 426-433
generation algorithm, 426
GMR, 468-471
GQ, 450-451
group, 488
handwritten, 23
Merkle one-time, 464-466
modified-Rabin, 439-442
Nyberg-Rueppel, 460-462
on-line/off-line, 486
Ong-Schnorr-Shamir (OSS), 482, 486
Rabin, 438-442
Rabin one-time, 462-464
randomized, 427
relation to identification, 388
resolution of disputes, 30
RSA, 433-438
Schnorr, 459-460
strongly equivalent, 485
types of attacks, 432
undeniable, see Undeniable signature scheme
verification algorithm, 426
with appendix, 481
framework, 428-430
ISO/IEC 14888 standard, 648
PKCS #1, 445-447
with message recovery, 29
framework, 430-432
ISO/IEC 9796 standard, 442-444, 646, 660

with  redundancy,  29 
Signature  notarization,  583 
Signature  space,  427 
Signature  stripping,  510 
Signed-digit  representation,  627-628 
Signed-magnitude  representation,  593 
Signer, 23
Significance level, 179
Signing transformation, 22
Simple substitution cipher, see Mono-alphabetic substitution cipher
Simulator, 407
Simultaneous diophantine approximation, 121-122
algorithm for, 122
unusually good, 121
Simultaneous  multiple  exponentiation,  617 
Simultaneously  secure  bits,  115 
Single-key  encryption,  15 
Single-length  MDC,  339 
Single-precision  integer,  593 
Singleton  bound,  506 
SKEME, 661
SKID2 identification protocol, 402, 421
SKID3 identification protocol, 402, 421
SKIP, 661
SKIPJACK block cipher, 282, 654
Sliding-window exponentiation, 616
Small decryption exponent in RSA, 288
Small encryption exponent in RSA, 288, 291, 313
Smart card, 387
ISO 10202 standard, 652
Smooth
integer, 92
polynomial, 112
Snefru hash function, 380
8 x 32 S-boxes, 281
Solovay-Strassen primality test, 138, 165
Span, 80
Sparse linear equations, 129
conjugate  gradient  method,  129 
Lanczos  method,  129 
Wiedemann  algorithm,  129 
Special-purpose  factoring  algorithm,  90 
SPKM,  656,  661 
Split-knowledge  scheme,  525 
Splitting  an  integer,  89 
Spread  spectrum,  45 
Square roots, 99-102
composite modulus, 101-102, 127
prime modulus, 100-101, 127
SQROOT problem, 101
Square-free factorization, 123
algorithm for, 123, 132
Square-free integer, 137
Square-free polynomial, 123
Stage
of an FSR, 202
of  an  LFSR,  195 
Standard  deviation,  51 
Standard  normal  distribution,  176 
Standards,  645-657,  660-661 
ANSI,  648-651 
FIPS, 654-655 
IEEE,  660 
Internet,  655-656 
ISO/IEC,  645-648,  651-653 
PKCS,  656 
RFC,  655-656 
X.509, 653
Station-to-station (STS) key agreement, 519, 538
Statistical test, 175-185, 188-189
autocorrelation test, 182
frequency test, 181
hypothesis, 179
Maurer's universal statistical test, 183-185, 189
one-sided test, 179
poker test, 182
polynomial-time, 171
runs test, 182
serial test, 181
significance level, 179
two-sided test, 180
Statistical zero-knowledge protocol, 424
Steganography, 46
Step-1/step-2 generator, 220
Stirling  numbers,  53 
Stirling's  formula,  59 
Stop-and-go  generator,  220 
Stream  cipher,  20-21,  191-222 
A5,  222 
attacks  on 

correlation  attack,  206,  218 
inversion  attack,  219 
linear  consistency  attack,  219-220 
linear  cryptanalysis,  219 
linear  syndrome  attack,  218 
lock-in,  221 
cellular  automata,  222 
classification,  192-195 
clock-controlled  generator,  209-212 
alternating  step  generator,  209-211 
m-sequence  cascade,  221 
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p-cycle  cascade,  220 
self-shrinking  generator,  221 
shrinking  generator,  211-212 
step-l/step-2  generator,  220 
stop-and-go  generator,  220 
comparison  with  block  ciphers,  192 
FISH,  222 
GOAL,  219 
initial  state,  193,  194 
key  stream,  193,  194 
next-state  function,  193 
nonlinear  combination  generator,  205-208 
Geffe  generator,  206 
multiplexer  generator,  220 
multispeed  inner-product  generator,  220 
Pless  generator,  218 
summation  generator,  207 
nonlinear  filter  generator,  208-209 
knapsack  generator,  209 
one-time  pad,  192-193 
output  function,  193,  194 
PIKE,  222 

randomized  stream  cipher,  216 
RC4,  222 

Rip  van  Winkle  cipher,  216 
SEAL,  213-216 

self-synchronizing  stream  cipher,  194-195 
synchronous  stream  cipher,  193-194 
Strict avalanche criterion (SAC), 277
String-replacement representation, 628-629
Strong collision resistance, 324
Strong equivalent signature schemes, 485
Strong liar, 139
Strong one-way hash function, 325
Strong prime, 149-150
  algorithm for generating, 150
  definition of, 149, 291
  Hellman-Bach patent, 643
  usage in RSA, 291
Strong pseudoprime, 139
Strong pseudoprime test, see Miller-Rabin primality test
Strong witness, 139
Subexponential-time algorithm, 60
Subfield, 77
Subgroup, 76
Subliminal channel, 485
  broadband, 485
  narrowband, 485
Subset sum problem, 61, 117-122, 190
  meet-in-the-middle algorithm, 118
  naive algorithm, 117
  superincreasing, 300
  using L3 algorithm, 120
Subspace of a vector space, 80
Substitution cipher, 17-18, 238-241
  homophonic, 17, 240
  mono-alphabetic, 17, 239
    affine cipher, 239
    Caesar cipher, 239
    shift cipher, 239
    unicity distance of, 247
  polyalphabetic, 18
  polygram, 239
    Hill cipher, 240
    Playfair cipher, 239
Substitution-permutation (SP) network, 251
Summation generator, 207, 218
Superincreasing subset sum problem, 300
  algorithm for solving, 300
Superuser, 389
Surjective function, 46, 50
SWIFT, 586
Symmetric cryptographic system, 544
Symmetric key, 544
  compared vs. public-key, 31-32, 551